Log file data must contain required data elements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-13688	WG242	SV-14282r3_rule	ECAR-1 ECAR-2 ECAR-3	Medium

Description
The use of log files is a critical component of the operation of the Information Systems (IS) used within the DoD, and they can provide invaluable assistance with regard to damage assessment, causation, and the recovery of both affected components and data. They may be used to monitor accidental or intentional misuse of the (IS) and may be used by law enforcement for criminal prosecutions. The use of log files is a requirement within the DoD.

Description

The use of log files is a critical component of the operation of the Information Systems (IS) used within the DoD, and they can provide invaluable assistance with regard to damage assessment, causation, and the recovery of both affected components and data. They may be used to monitor accidental or intentional misuse of the (IS) and may be used by law enforcement for criminal prosecutions. The use of log files is a requirement within the DoD.

STIG	Date
Web Server STIG	2010-10-07

Details

Check Text ( C-28997r1_chk )
Ask the IAO if the site or server under review is covered by either an overarching audit policy or a locally defined audit policy. In some cases, due to the sensitivity of data, more stringent logging efforts may be employed at the site or server level such as: 1. The modification, creation, or deletion of data, even if performed by authorized personnel. 2. The reading of sensitive data or access to specific directories and files, even if performed by authorized personnel such as, but not limited to, audit records. 3. The use of administrator or other privileged IDs to: a. Modify security accounts, group, or organizational policies. b. Add, create, delete, or modify security IDs. c. Change security configuration settings. Items to be logged (where feasible) with regard to web-based servers or sites are: • Date, Time • IP address of the host that initiated the request • User ID supplied for HTTP authentication • HTTP Method • URL in the request • The protocol and protocol version used to make the request • Source and destination port numbers • Status codes for the response • Size of the response in bytes • HTTP Status and Referrer for the following events: - Successful and unsuccessful attempts to access the web server software. - Successful and unsuccessful attempts to access the web site. - Successful and unsuccessful attempts to access the web application. Check Items: 1. Verify audit policy compliance when inspecting the log files. 2. Review the log files to ensure that the logs are current and collecting the correct data elements, according to policy. 3. Review the log files to ensure that there are no backup or transmission errors associated with the log files. If web log files do not contain the correct data elements, this is a finding.

Check Text ( C-28997r1_chk )

Ask the IAO if the site or server under review is covered by either an overarching audit policy or a locally defined audit policy. In some cases, due to the sensitivity of data, more stringent logging efforts may be employed at the site or server level such as:

1. The modification, creation, or deletion of data, even if performed by authorized personnel.
2. The reading of sensitive data or access to specific directories and files, even if performed by authorized personnel such as, but not limited to, audit records.
3. The use of administrator or other privileged IDs to:
a. Modify security accounts, group, or organizational policies.
b. Add, create, delete, or modify security IDs.
c. Change security configuration settings.

Items to be logged (where feasible) with regard to web-based servers or sites are:

• Date, Time
• IP address of the host that initiated the request
• User ID supplied for HTTP authentication
• HTTP Method
• URL in the request
• The protocol and protocol version used to make the request
• Source and destination port numbers
• Status codes for the response
• Size of the response in bytes
• HTTP Status and Referrer for the following events:

- Successful and unsuccessful attempts to access the web server software.
- Successful and unsuccessful attempts to access the web site.
- Successful and unsuccessful attempts to access the web application.

Check Items:

1. Verify audit policy compliance when inspecting the log files.
2. Review the log files to ensure that the logs are current and collecting the correct data elements, according to policy.
3. Review the log files to ensure that there are no backup or transmission errors associated with the log files.

If web log files do not contain the correct data elements, this is a finding.

Fix Text (F-13116r2_fix)
Configure the web server to ensure the log file data includes the required data elements.