The application server must automatically audit account modification.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35733	SRG-APP-000027-AS-000019	SV-47020r1_rule		Medium

Description
Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Application servers have the capability to contain user information in a local user store or they can leverage a centralized authentication mechanism like LDAP. Either way, the mechanism used by the app server must automatically log when user accounts are modified.

Description

Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Application servers have the capability to contain user information in a local user store or they can leverage a centralized authentication mechanism like LDAP. Either way, the mechanism used by the app server must automatically log when user accounts are modified.

STIG	Date
Application Server Security Requirements Guide	2013-01-08

Details

Check Text ( C-44076r1_chk )
Review the AS product documentation and configuration to determine if the AS automatically logs account modification. If the AS is not configured to perform this requirement itself or if it does not utilize an enterprise user registry that performs this requirement, this is a finding.

Fix Text (F-40276r1_fix)
Configure the AS to automatically log account modification, if the AS utilizes an enterprise user registry, configure the registry to automatically log account modification.