STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must provide an audit reduction capability that supports after-the-fact investigations of security incidents.

DISA Rule

SV-222491r508029_rule

Vulnerability Number

V-222491

Group Title

SRG-APP-000365

Rule Version

APSC-DV-001170

Severity

CAT II

CCI(s)

• CCI-001877 - The information system provides an audit reduction capability that supports after-the-fact investigations of security incidents.

Weight

10

Fix Recommendation

Configure the application to provide an audit reduction capability that supports forensic investigations.

Check Contents

Review application documentation and interview application administrator for details regarding audit reduction (log record event filtering).

Access the application with user rights sufficient to read and filter audit records.

Navigate the application user interface and select the application functionality that provides access and interface to audit records and audit reduction (event filtering).

If the application uses a centralized logging solution that performs the audit reduction (event filtering) functions, the requirement is not applicable.

Examine the log files; take note of dates and times of events such as logon events.

Note: dates and times as well as the original content and any unique record identifiers.

Record the identifying information as well as the dates and times and content of the audit records.

Apply filters to reduce the amount of audit records displayed to just the logon events for the day.

Review the records and ensure the application provides the ability to filter on audit events.

If the application does not provide an audit reduction (event filtering) capability, this is a finding.

Vulnerability Number

V-222491

Documentable

False

Rule Version

APSC-DV-001170

Severity Override Guidance

Review application documentation and interview application administrator for details regarding audit reduction (log record event filtering).

Access the application with user rights sufficient to read and filter audit records.

Navigate the application user interface and select the application functionality that provides access and interface to audit records and audit reduction (event filtering).

If the application uses a centralized logging solution that performs the audit reduction (event filtering) functions, the requirement is not applicable.

Examine the log files; take note of dates and times of events such as logon events.

Note: dates and times as well as the original content and any unique record identifiers.

Record the identifying information as well as the dates and times and content of the audit records.

Apply filters to reduce the amount of audit records displayed to just the logon events for the day.

Review the records and ensure the application provides the ability to filter on audit events.

If the application does not provide an audit reduction (event filtering) capability, this is a finding.

Check Content Reference

M

Target Key

4093

Comments