
The designer will ensure the application design includes audits on all access to need-to-know information and key application events.


Overview

Finding ID: V-6138
Version: APP3680
Rule ID: SV-6138r1_rule
IA Controls: ECAR-1, ECAR-2, ECAR-3
Severity: Medium
Description
Properly logged and monitored audit logs not only assist in combating threats, but also play a key role in diagnosis, forensics, and recovery.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text ( C-2950r1_chk )
MAC I or DoD Information Systems processing classified information require the following events and data for auditing.

Types of events are:
- Successful and unsuccessful attempts to access security files.
- Successful and unsuccessful logons.
- Denial of access resulting from excessive number of logon attempts.
- Blocking or blacklisting a user ID, terminal or access port.
- Activities that might modify, bypass, or negate safeguards controlled by the system.
- Possible use of covert channel mechanisms.
- Privileged activities and other system-level access.
- Starting and ending time for access to the system.
- Security relevant actions associated with periods processing or the changing of security labels or categories of information.
- Deletion or modification of data.

Audit records include:
- User ID
- Date and time of the event
- Type of event
- Success or failure of event
- Origin of request (e.g., originating host’s IP address), for Identification and Authentication events only
- Name of data object modified or deleted, for deletion or modification events only
- Reason user is blocked or blacklisted, for blocking or blacklisting events only
- Data required to monitor for the possible use of covert channels, for covert channel events only

MAC II DoD Information Systems processing sensitive information require the following events and data for auditing.

Types of events are:
- Successful and unsuccessful attempts to access security files.
- Successful and unsuccessful logons.
- Denial of access resulting from excessive number of logon attempts.
- Blocking or blacklisting a user ID, terminal or access port.
- Activities that might modify, bypass, or negate safeguards controlled by the system.
- Deletion or modification of data.

Audit records include:
- User ID
- Date and time of the event
- Type of event
- Success or failure of event
- Origin of request (e.g., originating host’s IP address), for Identification and Authentication events only
- Name of data object modified or deleted, for deletion or modification events only
- Reason user is blocked or blacklisted, for blocking or blacklisting events only

MAC III or DoD Information Systems processing publicly released information require the following events and data for auditing.

Types of events are:
- Successful and unsuccessful attempts to access security files.
- Deletion or modification of data.

Audit records include:
- User ID
- Date and time of the event
- Type of event
- Origin of request (e.g., originating host’s IP address), for Identification and Authentication events only
- Name of data object modified or deleted, for deletion or modification events only

1) If the log does not include all the required events and associated details, or there is no logging mechanism, it is a finding.

*Note: The mechanism that performs auditing may be a combination of the operating system, web server, database, application, etc. Also, web services may be distributed over many geographic locations; however, auditing requirements remain the same in web services as they do in a traditional application.
Fix Text (F-17118r1_fix)
Implement logging of security-relevant events.
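
One way to test an implementation against the Check Text above, as an added example that is not part of the STIG: a completeness check that applies the per-MAC event and field requirements to an application's audit configuration and sample records. The field names, event-type names, and the mapping of logon and lockout to Identification and Authentication events are assumptions made for illustration.

```python
# Added example: field and event-type names are assumptions, not STIG-defined.
BASE = {"user_id", "timestamp", "event_type"}
MAC_II_EVENTS = {"security_file_access", "logon", "lockout", "block",
                 "safeguard_change", "data_change"}
EVENTS = {
    "I": MAC_II_EVENTS | {"covert_channel", "privileged_activity",
                          "session_time", "label_change"},
    "II": MAC_II_EVENTS,
    "III": {"security_file_access", "data_change"},
}
# Fields required on every record, per MAC level (MAC III omits success/failure).
ALWAYS = {"I": BASE | {"outcome"}, "II": BASE | {"outcome"}, "III": BASE}
# Fields required only for certain event types: field -> (event types, MAC levels).
CONDITIONAL = {
    "origin": ({"logon", "lockout"}, {"I", "II", "III"}),  # I&A events (assumed mapping)
    "object_name": ({"data_change"}, {"I", "II", "III"}),
    "block_reason": ({"block"}, {"I", "II"}),
    "covert_channel_data": ({"covert_channel"}, {"I"}),
}

def missing_fields(mac, record):
    """Return the sorted required fields that are absent or empty in one record."""
    required = set(ALWAYS[mac])
    for field, (events, levels) in CONDITIONAL.items():
        if mac in levels and record.get("event_type") in events:
            required.add(field)
    return sorted(f for f in required if record.get(f) in (None, ""))

def uncovered_events(mac, audited):
    """Return required event types that the application does not audit."""
    return sorted(EVENTS[mac] - set(audited))

def is_finding(mac, audited, records):
    """Finding if a required event type is unaudited or any record is incomplete."""
    return bool(uncovered_events(mac, audited)) or any(
        missing_fields(mac, r) for r in records)

# Constructed sample records (not taken from any real system).
SAMPLE = [
    {"user_id": "jdoe", "timestamp": "2014-12-22T10:15:00Z", "event_type": "logon",
     "outcome": "failure", "origin": "192.0.2.10"},
    {"user_id": "jdoe", "timestamp": "2014-12-22T10:16:30Z",
     "event_type": "data_change", "outcome": "success"},  # no object_name
    {"user_id": "admin", "timestamp": "2014-12-22T10:17:00Z", "event_type": "block",
     "outcome": "success"},  # no block_reason
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["event_type"], "missing:", missing_fields("II", rec))
    print("unaudited:", uncovered_events("II", {"logon", "data_change"}))
```

Because the auditing mechanism may span the operating system, web server, database and application, records from each source would need to be normalized to one schema before a check like this is run.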