An error occurred:

Check: APSC-DV-000880

Application Security and Development STIG: APSC-DV-000880 (in versions v5 r2 through v4 r2)

Title

The application must generate audit records for all account creations, modifications, disabling, and termination events. (Cat II impact)

Discussion

When application user accounts are created, modified, disabled or terminated the event must be logged. Centralized management of user accounts allows for rapid response to user related security events and also provides ease of management. Allowing the centralized user management solution to log these events is acceptable practice; however, if the application provides a user management interface to manage these tasks, the application must also log these events. Application developers are encouraged to integrate their applications with enterprise-level authentication/access/audit mechanisms such as Syslog, Active Directory or LDAP.

Check Content

Log on to the application as an administrative user. Navigate to the user account management functionality. If no user management capability exists within the application, refer to the Enterprise Active Directory or LDAP user management interfaces. Monitor and review the log where the application's user activity is recorded. Create an application test account and then review the log to ensure a log record that documents the event is created. Modify the test account and then review the log to ensure a log record that documents the event is created. Disable the test account and then review the log to ensure a log record that documents the event is created. Terminate/Remove the test account and then review the log to ensure a log record that documents the event is created. If log events are not created that document all of these events, this is a finding. If some, but not all of the aforementioned events are documented in the logs, this is a finding. Findings should document which of the events was not logged.

Fix Text

Configure the application to log user account creation, modification, disabling, and termination events.

Additional Identifiers

Rule ID: SV-222467r508029_rule

Vulnerability ID: V-222467

Group Title: SRG-APP-000509

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000172

Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-12

Audit Generation