
The application server must employ cryptographic mechanisms to ensure confidentiality and integrity of application server log data.


Overview

Finding ID: V-35426
Version: SRG-APP-000231-AS-000156
Rule ID: SV-46713r1_rule
IA Controls:
Severity: Medium
Description
This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Application servers generate information throughout the course of their use, most notably log data. Application servers must provide the capability to protect log data so as to ensure confidentiality and integrity. Configuring the application server (AS) to use an external log management system that provides this capability is also an acceptable practice.
STIG Date
Application Server Security Requirements Guide 2013-01-08

Details

Check Text (C-43777r1_chk)
Review the AS configuration to ensure the system is protecting the confidentiality and integrity of AS log data. If the AS is configured to use an external log collection tool, review tool documentation and configuration to verify the tool meets the requirement.

If the AS is not configured to protect its log data, or does not utilize an external log collection solution that provides this capability, this is a finding.
Fix Text (F-39970r2_fix)
Configure the AS to employ cryptographic mechanisms to ensure confidentiality and integrity of application server data.