The application server must compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within an organization defined level of tolerance.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35139	SRG-APP-000086-AS-000048	SV-46426r1_rule		Low

Description
Audit generation and audit records can be generated from various components within the application server. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (e.g., auditable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked). The events occurring must be time-correlated in order to conduct accurate forensic analysis. In addition, the correlation must meet a certain tolerance criteria. For instance, DoD may define that the time stamps of different audited events must not differ by any amount greater than ten seconds. It is also acceptable for the AS to utilize an external auditing tool that provides this capability.

Description

Audit generation and audit records can be generated from various components within the application server. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (e.g., auditable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked). The events occurring must be time-correlated in order to conduct accurate forensic analysis. In addition, the correlation must meet a certain tolerance criteria. For instance, DoD may define that the time stamps of different audited events must not differ by any amount greater than ten seconds. It is also acceptable for the AS to utilize an external auditing tool that provides this capability.

STIG	Date
Application Server Security Requirements Guide	2013-01-08

Details

Check Text ( C-43526r1_chk )
Review the AS audit feature configuration to determine if the AS can compile audit records from multiple components within the server into a system-wide (logical or physical) audit trail that is time-correlated to within an organization defined level of tolerance. If the AS does not meet this requirement, or cannot be configured to utilize an external tool that provides this capability, this is a finding.

Check Text ( C-43526r1_chk )

Review the AS audit feature configuration to determine if the AS can compile audit records from multiple components within the server into a system-wide (logical or physical) audit trail that is time-correlated to within an organization defined level of tolerance. If the AS does not meet this requirement, or cannot be configured to utilize an external tool that provides this capability, this is a finding.

Fix Text (F-39690r1_fix)
Configure the AS to compile audit records from multiple components within the server into a system-wide (logical or physical) audit trail that is time correlated or configure the AS to utilize an external auditing tool designed to meet this requirement.