The application server must automatically monitor on atypical usage of accounts.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35736	SRG-APP-000030-AS-000022	SV-47023r1_rule		Medium

Description
Atypical account usage is behavior that is not part of normal usage cycles, for example, user account activity occurring after hours or on weekends. Such a process greatly reduces the risk that compromised user accounts will continue to be used by unauthorized persons and provides logging that can be used for forensic purposes. Application servers do not natively monitor for atypical account usage so they must be able to log account usage and provide that data to enterprise tools that are designed to monitor for atypical account behavior.

Description

Atypical account usage is behavior that is not part of normal usage cycles, for example, user account activity occurring after hours or on weekends. Such a process greatly reduces the risk that compromised user accounts will continue to be used by unauthorized persons and provides logging that can be used for forensic purposes. Application servers do not natively monitor for atypical account usage so they must be able to log account usage and provide that data to enterprise tools that are designed to monitor for atypical account behavior.

STIG	Date
Application Server Security Requirements Guide	2013-01-08

Details

Check Text ( C-44079r1_chk )
Review the AS product documentation and configuration to determine if the AS is configured to log account usage and provide that log data in a standardized log format. If the AS is not configured to provide account usage logs in a standardized format for external tool consumption, this is a finding.

Fix Text (F-40279r1_fix)
Configure the AS to log account usage and, if necessary, to forward log data to systems that will evaluate log data for atypical usage.