The designer and IAO will ensure the audit trail is readable only by the application and auditors and protected against modification and deletion by unauthorized individuals.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6140	APP3690	SV-6140r1_rule	ECTP-1	Medium

Description
Excessive permissions of audit records allow cover up of intrusion or misuse of the application.

STIG	Date
Application Security and Development STIG	2014-04-03

Details

Check Text ( C-2953r1_chk )
Locate the application audit log location. Examine the properties of the log files. For a Windows system, the NTFS file permissions should be System – Full control, Administrators and Application Administrators - Read, and Auditors - Full Control. 1) If the log files have permissions more permissive than what is listed, it is a finding. For UNIX systems, use the ls –la (or equivalent) command to check the permissions of the audit log files. 2) If excessive permissions exist, it is a finding.

Check Text ( C-2953r1_chk )

Locate the application audit log location. Examine the properties of the log files.

For a Windows system, the NTFS file permissions should be System – Full control, Administrators and Application Administrators - Read, and Auditors - Full Control.

1) If the log files have permissions more permissive than what is listed, it is a finding.

For UNIX systems, use the ls –la (or equivalent) command to check the permissions of the audit log files.

2) If excessive permissions exist, it is a finding.

Fix Text (F-4432r1_fix)
Correct permissions on application audit logs.