The application must provide audit record generation capability for connecting system IP addresses.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-69377	APSC-DV-000690	SV-83999r1_rule		Medium

Description
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the application (e.g., process, module). Certain specific application functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. The IP addresses of remote systems that connect to the application are an important aspect of identifying the sources of application activity. Recording these IP addresses in the application logs provides forensic evidence and aids in investigating and identifying sources of malicious behavior related to security events.

Description

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the application (e.g., process, module). Certain specific application functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. The IP addresses of remote systems that connect to the application are an important aspect of identifying the sources of application activity. Recording these IP addresses in the application logs provides forensic evidence and aids in investigating and identifying sources of malicious behavior related to security events.

STIG	Date
Application Security and Development Security Technical Implementation Guide	2017-03-20

Details

Check Text ( C-69791r1_chk )
Review the application documentation and interview the application administrator to identify where audit logs are stored. Review audit logs and determine if the IP address information of systems that connect to the application is kept in the logs. If connecting IP addresses are not seen in the logs, connect to the application remotely and review the logs to determine if the connection was logged. If the IP addresses of the systems that connect to the application are not recorded in the logs, this is a finding.

Check Text ( C-69791r1_chk )

Review the application documentation and interview the application administrator to identify where audit logs are stored.

Review audit logs and determine if the IP address information of systems that connect to the application is kept in the logs.

If connecting IP addresses are not seen in the logs, connect to the application remotely and review the logs to determine if the connection was logged.

If the IP addresses of the systems that connect to the application are not recorded in the logs, this is a finding.

Fix Text (F-75551r1_fix)
Configure the application or application server to log all connecting IP address information