Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-69471 | APSC-DV-001200 | SV-84093r1_rule | Medium |
Description |
---|
If the report generation capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack, or identify those responses for one. This capability is also required to comply with applicable Federal laws and DoD policies. The report generation capability must support after-the-fact investigations of security incidents either natively or through the use of third-party tools. This requirement is specific to applications with report generation capabilities; however, applications need to support on-demand reporting requirements. |
STIG | Date |
---|---|
Application Security and Development Security Technical Implementation Guide | 2017-12-18 |
Check Text ( C-69889r1_chk ) |
---|
Review the application documentation and interview the application administrator for details regarding audit reduction (log record event filtering). Access the application with user rights sufficient to read and filter audit records. Navigate the application user interface and select the application functionality that provides access and interface to audit records and audit reduction (event filtering). If the application uses a centralized logging solution that performs the report generation functions, the requirement is not applicable. Create an event report. Report data can be based on date ranges, times or events, or other criteria that could be used in an investigation. Use of data from previous checks for audit reduction is encouraged. Review the report and ensure the data in the report coincides with event filters used to create the report. If the application does not have a report generation capability that supports after the fact security investigations, this is a finding. |
Fix Text (F-75647r1_fix) |
---|
Design or configure the application to provide after-the-fact report generation capability or utilize a centralized utility designed for the purpose of log management and reporting. |