From Application Security and Development Security Technical Implementation Guide
Part of SRG-APP-000354
Associated with: CCI-001919
This is a specialized requirement for monitoring applications. Not all applications will be required to capture/record or view/hear user sessions.
Examine the application documentation and interview the application administrator to identify session capture capabilities within the application. If the application or mission requirements do not specify the capability for authorized users to select a user session to capture or hear user sessions, this requirement does not apply. Access the application interface as an authorized user and access the area of the application management functionality that activates session monitoring. Follow application instructions on how to utilize and activate session monitoring capability. Identify a test user account and activate the capture feature, then access as the test user and execute application functions. Close the test user session and examine the monitoring results to verify all of the session activity was captured. If the application does not capture/record or view/hear a user’s session as per application and mission requirements, this is a finding.
Design and configure the application to allow authorized users to capture/record and view/hear user sessions.