Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-6138 | APP3680 | SV-6138r1_rule | ECAR-1 ECAR-2 ECAR-3 | Medium |
Description |
---|
Properly generated and monitored audit logs not only assist in combating threats, but also play a key role in diagnosis, forensics, and recovery. |
STIG | Date |
---|---|
Application Security and Development STIG | 2014-04-03 |
Check Text ( C-2950r1_chk ) |
---|
MAC I DoD Information Systems, or DoD Information Systems processing classified information, require the following events and data to be audited.

Types of events:
- Successful and unsuccessful attempts to access security files.
- Successful and unsuccessful logons.
- Denial of access resulting from an excessive number of logon attempts.
- Blocking or blacklisting a user ID, terminal, or access port.
- Activities that might modify, bypass, or negate safeguards controlled by the system.
- Possible use of covert channel mechanisms.
- Privileged activities and other system-level access.
- Starting and ending time for access to the system.
- Security-relevant actions associated with periods processing or the changing of security labels or categories of information.
- Deletion or modification of data.

Audit records include:
- User ID
- Date and time of the event
- Type of event
- Success or failure of the event
- Origin of the request (e.g., the originating host's IP address), for Identification and Authentication events only
- Name of the data object modified or deleted, for deletion or modification events only
- Reason the user is blocked or blacklisted, for blocking or blacklisting events only
- Data required to monitor for the possible use of covert channels, for covert channel events only

MAC II DoD Information Systems processing sensitive information require the following events and data to be audited.

Types of events:
- Successful and unsuccessful attempts to access security files.
- Successful and unsuccessful logons.
- Denial of access resulting from an excessive number of logon attempts.
- Blocking or blacklisting a user ID, terminal, or access port.
- Activities that might modify, bypass, or negate safeguards controlled by the system.
- Deletion or modification of data.

Audit records include:
- User ID
- Date and time of the event
- Type of event
- Success or failure of the event
- Origin of the request (e.g., the originating host's IP address), for Identification and Authentication events only
- Name of the data object modified or deleted, for deletion or modification events only
- Reason the user is blocked or blacklisted, for blocking or blacklisting events only

MAC III DoD Information Systems, or DoD Information Systems processing publicly released information, require the following events and data to be audited.

Types of events:
- Successful and unsuccessful attempts to access security files.
- Deletion or modification of data.

Audit records include:
- User ID
- Date and time of the event
- Type of event
- Origin of the request (e.g., the originating host's IP address), for Identification and Authentication events only
- Name of the data object modified or deleted, for deletion or modification events only

1) If all the required events and associated details are not included in the log, or there is no logging mechanism, it is a finding.

*Note: The mechanism that performs auditing may be a combination of the operating system, web server, database, application, etc. Web services may also be distributed over many geographic locations; however, the auditing requirements for web services are the same as for a traditional application. |
Fix Text (F-17118r1_fix) |
---|
Implement logging of security-relevant events. |
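The check text above is, in effect, a schema: a set of event types per MAC level and, per event type, a set of mandatory record fields. The following Python is an added example (not DISA's code and not part of the STIG) of enforcing that schema at write time and assessing an existing log the way the check does. The event-type names (LOGON, BLOCK, DATA_CHANGE, etc.), the JSON-lines log format, and the field names are assumptions of this example; the STIG names the events and data but prescribes no codes or format.

```python
"""Audit-record emitter and log checker for the APP3680 event/field requirements.

Added example, not DISA's code. Event-type codes, field names and the JSON-lines
format are assumptions; the STIG mandates the events and data, not a format.
"""
import json
from datetime import datetime, timezone

# Event types required per MAC level, condensed from the check text.
IA_EVENTS = {"LOGON", "LOGON_LOCKOUT"}          # identification & authentication events
MAC_EVENTS = {"MAC III": {"SECURITY_FILE_ACCESS", "DATA_CHANGE"}}
MAC_EVENTS["MAC II"] = MAC_EVENTS["MAC III"] | {
    "LOGON", "LOGON_LOCKOUT", "BLOCK", "SAFEGUARD_CHANGE"}
MAC_EVENTS["MAC I"] = MAC_EVENTS["MAC II"] | {
    "COVERT_CHANNEL", "PRIVILEGED", "SESSION_START", "SESSION_END", "LABEL_CHANGE"}

BASE_FIELDS = {"user_id", "timestamp", "event_type"}


def required_fields(mac, event_type):
    """Field names a record of event_type must carry at the given MAC level."""
    fields = set(BASE_FIELDS)
    if mac in ("MAC I", "MAC II"):
        fields.add("outcome")               # success/failure; not required at MAC III
    if event_type in IA_EVENTS:
        fields.add("origin")                # e.g. originating host IP address
    if event_type == "DATA_CHANGE":
        fields.add("object")                # data object modified or deleted
    if event_type == "BLOCK":
        fields.add("reason")                # why the user/terminal/port was blocked
    if mac == "MAC I" and event_type == "COVERT_CHANNEL":
        fields.add("covert_channel_data")   # data needed to monitor covert-channel use
    return fields


def audit_record(mac, event_type, user_id, **details):
    """Build one JSON audit record, refusing to emit it if a required field is
    missing. Failing closed here keeps the log reviewable later."""
    record = {"user_id": user_id, "event_type": event_type,
              "timestamp": datetime.now(timezone.utc).isoformat(), **details}
    missing = required_fields(mac, event_type) - record.keys()
    if missing:
        raise ValueError(f"{event_type} record missing {sorted(missing)}")
    return json.dumps(record, sort_keys=True)


def check_log(mac, lines):
    """Assess a JSON-lines audit log as the check text does: report required event
    types never seen and records lacking a required field. Either is a finding."""
    seen, bad = set(), []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad.append((n, "unparseable"))
            continue
        etype = rec.get("event_type", "?")
        seen.add(etype)
        missing = required_fields(mac, etype) - rec.keys()
        if missing:
            bad.append((n, f"{etype} missing {sorted(missing)}"))
    return {"missing_events": sorted(MAC_EVENTS[mac] - seen), "bad_records": bad}


def is_finding(result):
    return bool(result["missing_events"] or result["bad_records"])


# Constructed sample log (not real data): one record per MAC II event type.
SAMPLE_LOG = [
    audit_record("MAC II", "LOGON", "jdoe", outcome="success", origin="10.1.2.3"),
    audit_record("MAC II", "LOGON_LOCKOUT", "jdoe", outcome="failure", origin="10.1.2.3"),
    audit_record("MAC II", "BLOCK", "jdoe", outcome="success",
                 reason="excessive logon failures"),
    audit_record("MAC II", "SECURITY_FILE_ACCESS", "svc_app", outcome="failure",
                 object="/etc/app/acl.json"),
    audit_record("MAC II", "SAFEGUARD_CHANGE", "admin", outcome="success"),
    audit_record("MAC II", "DATA_CHANGE", "jdoe", outcome="success", object="orders/1042"),
]

if __name__ == "__main__":
    print(check_log("MAC II", SAMPLE_LOG))   # complete: no finding
    print(check_log("MAC I", SAMPLE_LOG))    # same log at MAC I: event types never logged
```

Running the same log through `check_log` at MAC I shows why the check is level-dependent: a log that is complete for a sensitive system is a finding for a classified one because whole event categories (privileged activity, session start/end, covert channel indicators) are never recorded. Because the auditing mechanism may be split across the OS, web server, database and application, `check_log` would in practice be fed the merged view of all of them, not a single application log.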