The application must map the authenticated identity to the individual user or group account for PKI-based authentication.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-70153	APSC-DV-001830	SV-84775r1_rule		Medium

Description
Without mapping the certificate used to authenticate to a corresponding user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. Some CAs will include identifying information like an email address within the certificate itself. When the email is assigned to an individual, this helps to identify the individual user who has been assigned the certificate. When identifying information is not available within the certificate itself, the application must provide a mapping that allows administrators to quickly determine who the owner of the certificate is. When responding to a security incident, particularly involving user access violations, time is of the essence so this information must be readily available to investigators.

Description

Without mapping the certificate used to authenticate to a corresponding user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. Some CAs will include identifying information like an email address within the certificate itself. When the email is assigned to an individual, this helps to identify the individual user who has been assigned the certificate. When identifying information is not available within the certificate itself, the application must provide a mapping that allows administrators to quickly determine who the owner of the certificate is. When responding to a security incident, particularly involving user access violations, time is of the essence so this information must be readily available to investigators.

STIG	Date
Application Security and Development Security Technical Implementation Guide	2018-04-03

Details

Check Text ( C-70629r1_chk )
Review the application documentation and interview the application administrator to identify how the application maps individual user certificates or group accounts to individual users. Access the application as a regular user while reviewing the application logs to determine if the application records the individual name of the user or if the application only includes certificate information. If the application only logs certificate information which contains no discernable user data, ask the system admin what their process is for mapping the certificate information to the user. If the application does not map the certificate data to an individual user or group, or if the administrator has no automated process established for determining the identity of the user, this is a finding.

Check Text ( C-70629r1_chk )

Review the application documentation and interview the application administrator to identify how the application maps individual user certificates or group accounts to individual users.

Access the application as a regular user while reviewing the application logs to determine if the application records the individual name of the user or if the application only includes certificate information.

If the application only logs certificate information which contains no discernable user data, ask the system admin what their process is for mapping the certificate information to the user.

If the application does not map the certificate data to an individual user or group, or if the administrator has no automated process established for determining the identity of the user, this is a finding.

Fix Text (F-76389r1_fix)
Configure the application to map certificate information to individual users or group accounts or create a process for automatically determining the individual user or group based on certificate information provided in the logs.