
The application server must configure auditing to reduce the likelihood of storage capacity being exceeded.


Overview

Finding ID: V-35105
Version: SRG-APP-000071-AS-000038
Rule ID: SV-46392r1_rule
IA Controls:
Severity: Low

Description
Application servers need to be cognizant of potential audit log storage capacity issues. The application server's (AS) auditing capability is critical for accurate forensic analysis. Alerting administrators when audit log size thresholds are exceeded helps ensure the administrators can respond to heavy activity in a timely manner. Failure to alert increases the probability that an adversary's actions will go undetected. The AS or the configured Network Attached Storage Device (SAN) must alert administrators when audit log usage reaches a defined percentage of overall capacity.

STIG: Application Server Security Requirements Guide
Date: 2013-01-08

Details

Check Text (C-43492r2_chk)
Verify the AS sends alerts to the administrator or organization's central audit management system when the audit log size reaches an organization-defined percentage of overall capacity. If the AS is configured to use a SAN, obtain SAN configuration information that shows this requirement is being met. Review auditing configurations. If designated alerts are not sent, this is a finding.
Fix Text (F-39656r2_fix)
Configure the AS or the SAN audit feature to alert the administrator or organization's central audit management system when the audit log size reaches an organization-defined critical percentage of overall capacity.