JBoss must be configured to produce log records that establish which hosted application triggered the events.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-213509	JBOS-AS-000120	SV-213509r615939_rule		Medium

Description
Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. By default, no web logging is enabled in JBoss. Logging can be configured per web application or by virtual server. If web application logging is not set up, application activity will not be logged. Ascertaining the correct location or process within the application server where the events occurred is important during forensic analysis. To determine where an event occurred, the log data must contain data containing the application identity.

Description

Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. By default, no web logging is enabled in JBoss. Logging can be configured per web application or by virtual server. If web application logging is not set up, application activity will not be logged. Ascertaining the correct location or process within the application server where the events occurred is important during forensic analysis. To determine where an event occurred, the log data must contain data containing the application identity.

STIG	Date
JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide	2021-11-23

Details

Check Text ( C-14732r296193_chk )
Application logs are a configurable variable. Interview the system admin, and have them identify the applications that are running on the application server. Have the system admin identify the log files/location where application activity is stored. Review the log files to ensure each application is uniquely identified within the logs or each application has its own unique log file. Generate application activity by either authenticating to the application or generating an auditable event, and ensure the application activity is recorded in the log file. Recently time stamped application events are suitable evidence of compliance. If the log records do not indicate which application hosted on the application server generated the event, or if no events are recorded related to application activity, this is a finding.

Check Text ( C-14732r296193_chk )

Application logs are a configurable variable. Interview the system admin, and have them identify the applications that are running on the application server. Have the system admin identify the log files/location where application activity is stored.

Review the log files to ensure each application is uniquely identified within the logs or each application has its own unique log file.

Generate application activity by either authenticating to the application or generating an auditable event, and ensure the application activity is recorded in the log file. Recently time stamped application events are suitable evidence of compliance.

If the log records do not indicate which application hosted on the application server generated the event, or if no events are recorded related to application activity, this is a finding.

Fix Text (F-14730r296194_fix)
Configure log formatter to audit application activity so individual application activity can be identified.