From Application Security and Development Security Technical Implementation Guide
Part of SRG-APP-000177
Associated with: CCI-000187
Without mapping the certificate used to authenticate to a corresponding user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
Review the application documentation and interview the application administrator to identify how the application maps individual user certificates or group accounts to individual users. Access the application as a regular user while reviewing the application logs to determine if the application records the individual name of the user or if the application only includes certificate information. If the application only logs certificate information which contains no discernable user data, ask the system admin what their process is for mapping the certificate information to the user. If the application does not map the certificate data to an individual user or group, or if the administrator has no automated process established for determining the identity of the user, this is a finding.
Configure the application to map certificate information to individual users or group accounts or create a process for automatically determining the individual user or group based on certificate information provided in the logs.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer