The application must produce audit records containing enough information to establish which component, feature or function of the application triggered the audit event.

From Application Security and Development Security Technical Implementation Guide

Part of SRG-APP-000097

Associated with: CCI-000132

SV-84053r1_rule The application must produce audit records containing enough information to establish which component, feature or function of the application triggered the audit event.

Vulnerability discussion

It is impossible to establish, correlate, and investigate the events relating to an incident if the details regarding the source of the event are not available. In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where within the application the events occurred, such as which application component, application module, filename, and functionality. Associating information about where the event occurred within the application provides a means of quickly investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured application.

Check content

Review application administration and/or design documents. Identify key aspects of application architecture objects and components, e.g., Web Server, Application server, Database server. Interview the application administrator and identify the log locations. Access the application logs and review the log entries for events that indicate the application is auditing the internal components, objects, or functions of the application. Confirm the event logs provide information as to which component, feature, or functionality of the application triggered the event.

Examples of the types of events to look for are as follows:

- Application and Protocol events, e.g., application loads or unloads and protocol use.
- Data Access events, e.g., database connections. Events could include a reference to the database library or executable initiating connectivity.
- Middleware events, e.g., source code initiating calls or being invoked.
- Name of application modules being loaded or unloaded.
- Library loads and unloads.
- Application deployment activity.

Events written into the log must be traceable back to the originating component, feature or function name, service name, application name, library name, etc., in order to establish which aspect of the application triggered the event. If the audit logs do not contain enough data to establish which component, feature or functionality of the application triggered the event, this is a finding.

Fix text

Configure the application to log which component, feature or functionality of the application triggered the event.
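The following is an added example, not part of the STIG text or of any specific application, showing one way to meet this requirement and to perform the check above: a log formatter that stamps every audit record with the originating logger name (used here as the component), source module and function taken from the runtime record rather than from the caller, and a checker that flags records which cannot be traced back to a component. The logger name `app.db`, the `open_db_connection` function, the `feature`/`library` attributes and the two non-compliant sample lines are all constructed for illustration.

```python
import io
import json
import logging

# Fields every audit record must carry so the event can be traced back to the
# component, feature or function of the application that triggered it.
REQUIRED_SOURCE_FIELDS = ("component", "module", "function", "event")


class AuditJsonFormatter(logging.Formatter):
    """Serialise each record as one JSON line.

    The source fields come from the LogRecord itself (logger name, module,
    function), so a caller cannot omit them; optional structured attributes
    such as feature or library are copied from the record's extra= data.
    """

    def format(self, record):
        entry = {
            "ts": self.formatTime(record, "%Y-%m-%dT%H:%M:%S"),
            "level": record.levelname,
            "component": record.name,      # hierarchical logger name, e.g. "app.db"
            "module": record.module,       # source module that emitted the event
            "function": record.funcName,   # function that emitted the event
            "event": record.getMessage(),
        }
        for key in ("feature", "library", "service"):
            if hasattr(record, key):
                entry[key] = getattr(record, key)
        return json.dumps(entry)


def build_audit_logger(name, stream):
    """Create a non-propagating logger writing JSON audit lines to stream."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(AuditJsonFormatter())
    logger.addHandler(handler)
    return logger


def open_db_connection(logger, dsn):
    """Hypothetical data-access function emitting a Data Access audit event."""
    logger.info("database connection opened dsn=%s", dsn,
                extra={"feature": "orders", "library": "psycopg2"})


def check_audit_records(lines):
    """Check-content analogue: return (line_no, problem) for every record that
    cannot be traced back to an originating component, module and function."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append((n, "unparseable record"))
            continue
        missing = [f for f in REQUIRED_SOURCE_FIELDS if not rec.get(f)]
        if missing:
            findings.append((n, "missing " + ", ".join(missing)))
    return findings


def demo():
    """Emit one compliant record, then run the checker over it and over two
    constructed non-compliant lines. Returns (parsed_good, good_findings, bad_findings)."""
    buf = io.StringIO()
    log = build_audit_logger("app.db", buf)
    open_db_connection(log, "postgresql://orders-db/orders")
    good_lines = buf.getvalue().splitlines()
    # Constructed samples of records a reviewer would flag: free text with no
    # source information, and JSON that names the event but not its origin.
    bad_lines = [
        "connection opened",
        '{"ts": "2024-01-01T00:00:00", "event": "module loaded"}',
    ]
    parsed_good = [json.loads(line) for line in good_lines]
    return parsed_good, check_audit_records(good_lines), check_audit_records(bad_lines)


if __name__ == "__main__":
    good, good_findings, bad_findings = demo()
    print(json.dumps(good[0], indent=2))
    print("compliant record findings:", good_findings)
    print("non-compliant record findings:", bad_findings)
```

Name loggers per component (`logging.getLogger(__name__)` or an explicit `app.<component>` hierarchy) so the `component` field is meaningful, and keep the checker's required-field list aligned with whatever the reviewer expects to see in the design documents; free-text log lines with no structured source fields are exactly what the check procedure treats as a finding.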
