SV-222443r508029_rule
V-222443
SRG-APP-000089
APSC-DV-000640
CAT II
10
Design or reconfigure the application to log session ID renewal events for those application events that change a user's privileges or permissions within the application.
Interview the system admin and review the application documentation.
Identify any web pages or application functionality where a user's privileges or permissions change. This most commonly occurs at authentication, when an unauthenticated session becomes an authenticated one, or when a user authenticates to a higher-privileged role.
Evaluate the log/audit output by opening the log files and observing changes to the logs.
Create a new user session by accessing the application.
Review the logs and save the relevant session creation event recorded.
Utilize the application pages that provide privilege escalation.
Escalate privileges by authenticating as a privileged user.
Review the logs and determine whether a new session ID was issued and is now in use, and whether the renewal event was recorded.
If a web-based application delegates session ID renewals to an application server, this is not a finding.
If the application is not configured to log session ID renewal events, this is a finding.
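The following stand-alone example illustrates both halves of this check. It is an added illustration, not part of the STIG text and not code from any particular application: the SessionStore class, the event names (session_created, privilege_changed, session_renewed), the truncated-hash session fingerprints and the constructed NONCOMPLIANT_LOG are all assumptions made for the example. The store rotates the session ID whenever a role changes and writes a JSON audit record for the renewal; unrenewed_privilege_changes() is the reviewer-side pass over an audit log that reports any privilege change not followed by a renewal record for the same user.

```python
"""Session ID renewal on privilege change, with an audit-log check.
Illustrative example only; the class, event names and log format are assumptions."""
import hashlib
import json
import secrets
from datetime import datetime, timezone


def fingerprint(session_id):
    # Log a truncated hash, never the raw session ID, so the audit trail
    # cannot be used to hijack live sessions.
    return hashlib.sha256(session_id.encode()).hexdigest()[:16]


class SessionStore:
    """In-memory session store that rotates the session ID on every
    privilege change and writes a JSON audit record for the renewal."""

    def __init__(self):
        self._sessions = {}   # session_id -> {"user": ..., "role": ...}
        self.audit_log = []   # JSON lines; a real app would ship these to syslog or a file

    def _audit(self, event, **fields):
        record = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields}
        self.audit_log.append(json.dumps(record, sort_keys=True))

    def create(self, user, role):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "role": role}
        self._audit("session_created", user=user, role=role, session=fingerprint(sid))
        return sid

    def change_privilege(self, sid, new_role):
        """Apply a role change and renew the session ID in the same step.
        The old ID is invalidated immediately, so an ID issued before
        authentication (e.g. one planted by session fixation) never
        carries the new privileges."""
        data = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": data["user"], "role": new_role}
        self._audit("privilege_changed", user=data["user"],
                    old_role=data["role"], new_role=new_role)
        self._audit("session_renewed", user=data["user"],
                    old_session=fingerprint(sid), new_session=fingerprint(new_sid))
        return new_sid

    def lookup(self, sid):
        return self._sessions.get(sid)


def unrenewed_privilege_changes(log_lines):
    """Reviewer's check over an audit log: return (user, new_role) for each
    privilege change that is not followed by a session_renewed record for the
    same user whose new session fingerprint differs from the old one.
    An empty list means renewals are being logged; a non-empty list is a finding."""
    pending = {}  # user -> new_role values still awaiting a renewal record
    for line in log_lines:
        ev = json.loads(line)
        if ev["event"] == "privilege_changed":
            pending.setdefault(ev["user"], []).append(ev["new_role"])
        elif ev["event"] == "session_renewed" and ev["old_session"] != ev["new_session"]:
            if pending.get(ev["user"]):
                pending[ev["user"]].pop(0)
    return [(user, role) for user, roles in pending.items() for role in roles]


# Constructed log from a hypothetical application that changes privileges
# without ever renewing the session ID (sample data, not a real capture).
NONCOMPLIANT_LOG = [
    json.dumps({"ts": "2024-01-01T00:00:00+00:00", "event": "session_created",
                "user": "alice", "role": "user", "session": "0f3a9c1e5b7d2a4c"}),
    json.dumps({"ts": "2024-01-01T00:00:05+00:00", "event": "privilege_changed",
                "user": "alice", "old_role": "user", "new_role": "admin"}),
]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", "user")
    new_sid = store.change_privilege(sid, "admin")
    print("old ID still valid:", store.lookup(sid) is not None)
    print("findings (compliant log):", unrenewed_privilege_changes(store.audit_log))
    print("findings (noncompliant log):", unrenewed_privilege_changes(NONCOMPLIANT_LOG))
```

The check function is deliberately conservative: a session_renewed record whose old and new fingerprints are equal does not count, since an application that logs a "renewal" while reusing the same ID has not actually renewed the session. When an application server handles renewal on the application's behalf, the same pass can be run over the server's audit output instead.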
V-222443
False
APSC-DV-000640
M
4093