Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-69417 | APSC-DV-000900 | SV-84039r1_rule | Medium |
Description |
---|
This is a specialized requirement for monitoring applications. Not all applications will be required to capture/record or view/hear user sessions. |
STIG | Date |
---|---|
Application Security and Development Security Technical Implementation Guide | 2017-01-09 |
Check Text ( C-69835r1_chk ) |
---|
Examine the application documentation and interview the application administrator to identify session capture capabilities within the application. If the application or mission requirements do not specify the capability for authorized users to select a user session to capture or hear user sessions, this requirement does not apply. Access the application interface as an authorized user and access the area of the application management functionality that activates session monitoring. Follow application instructions on how to utilize and activate session monitoring capability. Identify a test user account and activate the capture feature, then access as the test user and execute application functions. Close the test user session and examine the monitoring results to verify all of the session activity was captured. If the application does not capture/record or view/hear a user’s session as per application and mission requirements, this is a finding. |
Fix Text (F-75593r1_fix) |
---|
Design and configure the application to allow authorized users to capture/record and view/hear user sessions. |