STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020

The application must produce audit records containing enough information to establish which component, feature or function of the application triggered the audit event.

DISA Rule

SV-222474r508029_rule

Vulnerability Number

V-222474

Group Title

SRG-APP-000097

Rule Version

APSC-DV-000990

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the application to log which component, feature or functionality of the application triggered the event.

Check Contents

Review application administration and/or design documents.

Identify key aspects of application architecture objects and components, e.g., Web Server, Application server, Database server.

Interview the application administrator and identify the log locations.

Access the application logs and review the log entries for events that indicate the application is auditing the internal components, objects, or functions of the application.

Confirm the event logs provide information as to which component, feature, or functionality of the application triggered the event.

Examples of the types of events to look for are as follows:

- Application and Protocol events. e.g., Application loads or unloads and Protocol use.
- Data Access events. e.g., Database connections. Events could include reference to database library or executable initiating connectivity.
- Middleware events. e.g., Source code initiating calls or being invoked.
- Name of application modules being loaded or unloaded.
- Library loads and unloads.
- Application deployment activity.

Events written into the log must be traceable back to the originating component, feature or function name, service name, application name, library name, etc., in order to establish which aspect of the application triggered the event.

If the audit logs do not contain enough data to establish which component, feature or functionality of the application triggered the event, this is a finding.
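
The fix and the check above can be exercised together. The following is an added example, not part of the STIG or of any particular application: a Python `logging` formatter that stamps every entry with its origin, and a review function that flags entries lacking it. The application name `billing`, the logger name `billing.db`, the JSON field names and the two weak log lines are assumptions constructed for illustration.

```python
import io
import json
import logging

ORIGIN_FIELDS = ("application", "component", "function")  # this example's field names

class OriginFormatter(logging.Formatter):
    """Render each record as one JSON object that names its origin."""
    def format(self, record):
        return json.dumps({
            "time": self.formatTime(record),
            "application": "billing",     # hypothetical application name
            "component": record.name,     # logger name, e.g. "billing.db"
            "function": record.funcName,  # function that made the log call
            "event": record.getMessage(),
        })

def unattributed(lines):
    """Return (line_number, reason) for entries that cannot be traced to an origin."""
    findings = []
    for number, line in enumerate(lines, start=1):
        try:
            entry = json.loads(line)
        except ValueError:
            entry = None
        if not isinstance(entry, dict):
            findings.append((number, "not structured"))
            continue
        missing = [f for f in ORIGIN_FIELDS if not str(entry.get(f) or "").strip()]
        if missing:
            findings.append((number, "missing " + ",".join(missing)))
    return findings

def open_db_connection(log):
    log.info("database connection opened")  # a Data Access event

def demo():
    """Emit one attributed event, append two constructed weak entries, run the check."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(OriginFormatter())
    log = logging.getLogger("billing.db")
    log.setLevel(logging.INFO)
    log.addHandler(handler)
    open_db_connection(log)
    lines = stream.getvalue().splitlines()
    lines.append('{"time": "2020-10-23 12:00:00", "event": "library loaded"}')  # constructed
    lines.append("2020-10-23 12:00:01 connection opened")  # constructed
    return lines, unattributed(lines)
```

Any entry returned by `unattributed` is one a reviewer could not trace to a component, feature or function, which is the condition the check treats as a finding.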

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4093

Comments