Title

The application must log user actions involving access to data. (Cat II impact)

Discussion

When users access application data, there is risk of data compromise or seepage if the account used to access is compromised or access is granted improperly. To be able to investigate which account accessed data, the account access must be logged. Without establishing when the access event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Associating event types with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.

Check Content

Review and monitor the application logs. When accessing data, the logs are most likely database logs. If the application design documents include specific data elements that require protection, ensure user access to those data elements are logged. Utilize the application as a regular user and operate the application so as to access data elements contained within the application. This includes using the application user interface to browse through data elements, query/search data elements and using report generation capability if it exists. Observe and determine if the application log includes an entry to indicate the user’s access to the data was recorded. If successful access to application data elements is not recorded in the logs, this is a finding.

Fix Text

Identify the specific data elements requiring protection and audit access to the data.

Additional Identifiers

Rule ID: SV-222471r879563_rule

Vulnerability ID: V-222471

Group Title: SRG-APP-000095

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.