Check: APSC-DV-001100
Application Security and Development STIG:
APSC-DV-001100
(in versions v5 r3 through v4 r2)
Title
Applications categorized as having a moderate or high impact must provide an immediate real-time alert to the SA and ISSO (at a minimum) for all audit failure events. (Cat II impact)
Discussion
Applications that are categorized as having a high or moderate impact on the organization must provide immediate alerts when encountering failures with the application audit system. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.

Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.

While alerts provide organizations with urgent messages containing important information regarding application audit log activity, real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds, or no more than 1-2 minutes). Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.
Check Content
Review system documentation and interview the application administrator for details regarding the application's security categorization and logging configuration.

If the application utilizes a centralized logging system that provides the real-time alarms, this requirement is not applicable.

Review the application log alert configuration. Identify audit failure events and the associated alarming configuration.

If the application is categorized as having a moderate or high impact and is not configured to provide a real-time alert that indicates the audit system has failed or is failing, this is a finding.
Fix Text
Configure the log alerts to send an alarm when the audit system is in danger of failing or has failed. Configure the log alerts to be immediately sent to the application admin/SA and ISSO.
Additional Identifiers
Rule ID: SV-222484r879733_rule
Vulnerability ID: V-222484
Group Title: SRG-APP-000360
CCIs
Number | Definition
---|---
CCI-001858 | The information system provides a real-time alert in an organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.
Controls
Number | Title
---|---
AU-5 (2) | Real-Time Alerts