STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must log user actions involving changes to data.

DISA Rule

SV-222472r508029_rule

Vulnerability Number

V-222472

Group Title

SRG-APP-000095

Rule Version

APSC-DV-000970

Severity

CAT II

CCI(s)

• CCI-000130 - The information system generates audit records containing information that establishes what type of event occurred.

Weight

10

Fix Recommendation

Configure the application to log all changes to application data.

Check Contents

Review and monitor the application logs. When modifying data, the logs are most likely database logs.

If the application design documents include specific data elements that require protection, ensure any changes to those specific data elements are logged. Otherwise, a random check is sufficient.

If the application uses a database configured to use Transaction SQL logging this is not a finding if the application admin can demonstrate a process for reviewing the transaction log for data changes. The process must include using the transaction log and some form of query capability to identify users and the data they changed within the application and vice versa.

Utilize the application as a regular user and operate the application so as to modify a data element contained within the application.

Observe and determine if the application log includes an entry to indicate the users data change event was recorded.

If successful changes/modifications to application data elements are not recorded in the logs, this is a finding.

Vulnerability Number

V-222472

Documentable

False

Rule Version

APSC-DV-000970

Severity Override Guidance

Review and monitor the application logs. When modifying data, the logs are most likely database logs.

If the application design documents include specific data elements that require protection, ensure any changes to those specific data elements are logged. Otherwise, a random check is sufficient.

If the application uses a database configured to use Transaction SQL logging this is not a finding if the application admin can demonstrate a process for reviewing the transaction log for data changes. The process must include using the transaction log and some form of query capability to identify users and the data they changed within the application and vice versa.

Utilize the application as a regular user and operate the application so as to modify a data element contained within the application.

Observe and determine if the application log includes an entry to indicate the users data change event was recorded.

If successful changes/modifications to application data elements are not recorded in the logs, this is a finding.

Check Content Reference

M

Target Key

4093

Comments