The application server must provide a user role which designates which organizational personnel select auditable events.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35142	SRG-APP-000090-AS-000051	SV-46429r1_rule		Low

Description
Audit records can be generated from various components within the application server, (e.g. , httpd, beans, etc.) From an application perspective, certain specific application functionalities may be audited, as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (e.g., auditable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked). Application servers utilize role-based access controls in order to specify the individuals who are allowed to configure application component auditable events. The AS must be configured to select which personnel are assigned the role of selecting which auditable events are to be audited.

Description

Audit records can be generated from various components within the application server, (e.g. , httpd, beans, etc.) From an application perspective, certain specific application functionalities may be audited, as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (e.g., auditable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked). Application servers utilize role-based access controls in order to specify the individuals who are allowed to configure application component auditable events. The AS must be configured to select which personnel are assigned the role of selecting which auditable events are to be audited.

STIG	Date
Application Server Security Requirements Guide	2013-01-08

Details

Check Text ( C-43529r1_chk )
Review AS product documentation and configuration to determine if the system is configured to assign personnel to a role responsible for selecting auditable events. If the system is not configured to perform this function this is a finding.

Fix Text (F-39693r1_fix)
Configure the AS by assigning organizational personnel to the role which selects and controls auditable events on the AS.