The application server must automatically audit account creation.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35727	SRG-APP-000026-AS-000018	SV-47014r1_rule		Medium

Description
Application servers require user accounts for server management purposes, and if the creation of new accounts is not logged, there is limited or no capability to track or alarm on account creation. This could result in the circumvention of the normal account creation process and introduce a persistent threat. Therefore, an audit trail that documents the creation of application user accounts must exist. An AS could possibly provide the capability to utilize either a local or centralized user registry. A centralized, enterprise user registry such as AD or LDAP is more likely to already contain provisions for automated account management, whereas a localized user registry will rely upon either the underlying OS or built-in application server user management capabilities. Either way, application servers must create a log entry when accounts are created.

Description

Application servers require user accounts for server management purposes, and if the creation of new accounts is not logged, there is limited or no capability to track or alarm on account creation. This could result in the circumvention of the normal account creation process and introduce a persistent threat. Therefore, an audit trail that documents the creation of application user accounts must exist. An AS could possibly provide the capability to utilize either a local or centralized user registry. A centralized, enterprise user registry such as AD or LDAP is more likely to already contain provisions for automated account management, whereas a localized user registry will rely upon either the underlying OS or built-in application server user management capabilities. Either way, application servers must create a log entry when accounts are created.

STIG	Date
Application Server Security Requirements Guide	2013-01-08

Details

Check Text ( C-44070r1_chk )
Review the AS product documentation and configuration to determine if the AS automatically logs account creation. If the AS is not configured to perform this requirement itself or if it does not utilize an enterprise user registry that performs this requirement, this is a finding.

Fix Text (F-40270r1_fix)
Configure the AS to automatically log account creation, if the AS utilizes an enterprise user registry, configure the registry to automatically log account creation.