The application server must automatically audit account disabling actions and notify appropriate individuals.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35734	SRG-APP-000028-AS-000020	SV-47021r1_rule		Medium

Description
When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. In order to detect and respond to events affecting user accessibility and application processing, applications must audit account disabling actions and, as required, notify the appropriate individuals, so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. Application servers have the capability to contain user information in a local user store or they can leverage a centralized authentication mechanism like LDAP. Either way, the mechanism used by the app server must automatically log when user accounts are disabled.

Description

When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. In order to detect and respond to events affecting user accessibility and application processing, applications must audit account disabling actions and, as required, notify the appropriate individuals, so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. Application servers have the capability to contain user information in a local user store or they can leverage a centralized authentication mechanism like LDAP. Either way, the mechanism used by the app server must automatically log when user accounts are disabled.

STIG	Date
Application Server Security Requirements Guide	2013-01-08

Details

Check Text ( C-44077r1_chk )
Review the AS product documentation and configuration to determine if the AS automatically logs when accounts are disabled and notifies appropriate individuals. If the AS is not configured to perform this requirement itself or if it does not utilize an enterprise user registry that performs this requirement, this is a finding.

Fix Text (F-40277r1_fix)
Configure the AS to automatically log and notify when accounts are disabled. If the AS utilizes an enterprise user registry, configure the registry to automatically log and notify appropriate individuals when accounts are disabled.