STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version: 5, Release: 1, Benchmark Date: 23 Oct 2020

The application must shut down by default upon audit failure (unless availability is an overriding concern).

DISA Rule

SV-222486r508029_rule

Vulnerability Number

V-222486

Group Title

SRG-APP-000109

Rule Version

APSC-DV-001120

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the application to cease processing if the audit system fails or configure the application to continue logging in a manner that compensates for the audit failure.

Check Contents

Review system documentation and interview the application administrator for details regarding logging configuration.

Identify application shutdown capability regarding audit processing failure events. Locate and verify application logging settings that specify the application will halt processing on detected audit failure.

If ISSO approval to continue operating and not shut down the application upon an audit failure exists and is documented, validate the application is configured as follows:

If logging locally and the failure is attributed to a lack of disk space:

Ensure the application is configured to overwrite the oldest logs first so as to maintain the most up-to-date audit events in the event of an audit failure.

When logging centrally:

Ensure the application is configured to locally spool/queue audit events in the event an audit failure is detected with the centralized system.

If the application does not shut down processing when an audit failure is detected, or if the application does not take steps needed to ensure audit events are not lost due to audit failure, this is a finding.
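The two behaviors this check looks for, halting by default and spooling locally when continued operation is approved, shown as an added example that is not part of the STIG or of any particular product. The names `AuditTrail`, `AuditFailure`, `process` and `FlakyCentral` are hypothetical, the `continue_on_failure` flag stands in for documented ISSO approval, and the bounded spool that drops its oldest entry first is an assumption borrowed from the overwrite-oldest rule for local logs.

```python
import collections

class AuditFailure(Exception):
    """Raised to stop processing when an audit record cannot be written."""

class AuditTrail:
    def __init__(self, send, continue_on_failure=False, spool_size=1000):
        self.send = send  # callable that delivers one event to the central audit system
        # Assumption: True only when ISSO approval to keep running is documented.
        self.continue_on_failure = continue_on_failure
        # Bounded local spool; when full, the oldest queued event is dropped first.
        self.spool = collections.deque(maxlen=spool_size)
        self.halted = False

    def flush(self):
        """Deliver spooled events in order; an event leaves the spool only once sent."""
        while self.spool:
            self.send(self.spool[0])
            self.spool.popleft()

    def record(self, event):
        if self.halted:
            raise AuditFailure("processing halted after audit failure")
        try:
            self.flush()
            self.send(event)
        except OSError as exc:
            if not self.continue_on_failure:
                self.halted = True  # default: stay down until an administrator intervenes
                raise AuditFailure("audit system unavailable") from exc
            self.spool.append(event)  # compensate: queue locally for later delivery

def process(trail, request, handler):
    """Audit first, then do the work, so unaudited processing never happens."""
    trail.record({"action": request})
    return handler(request)

class FlakyCentral:
    """Constructed stand-in for a central audit collector that can go offline."""
    def __init__(self):
        self.up, self.received = True, []

    def __call__(self, event):
        if not self.up:
            raise ConnectionError("collector unreachable")
        self.received.append(event)
```

A reviewer can use the same shape as a test plan: take the audit destination offline, confirm that request handling stops (or that events queue and are delivered in order once the destination returns), and record which mode is configured.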

Documentable

False

Check Content Reference

M

Target Key

4093

Comments