Check: APSC-DV-001000
Application Security and Development STIG: APSC-DV-001000 (in versions v5 r3 through v4 r2)
Title
When using centralized logging; the application must include a unique identifier in order to distinguish itself from other application logs. (Cat II impact)
Discussion
Without establishing the source, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In the case of centralized logging, or other instances where log files are consolidated, there is risk that the application's log data could be co-mingled with other log data. To address this issue, the application itself must be identified as well as the application host or client name. In order to compile an accurate risk assessment, and provide forensic analysis, it is essential for security personnel to know the source of the event, particularly in the case of centralized logging. Associating information about the source of the event within the application provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.
Check Content
If the application is logging locally and does not utilize a centralized logging solution, this requirement is not applicable.

Review system documentation and identify log location. Access the application logs. Review the application logs.

Ensure the application is uniquely identified either within the logs themselves or via log storage mechanisms. Ensure the hosts or client names hosting the application are also identified. Either hostname or IP address is acceptable.

If the application name and the hosts or client names are not identified, this is a finding.
Fix Text
Configure the application logs or the centralized log storage facility so the application name and the hosts hosting the application are uniquely identified in the logs.
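One way to automate the check above, as an added example that is not part of the STIG text: it assumes the centralized store holds RFC 5424 syslog records, a format the STIG does not mandate, and flags any record whose HOSTNAME or APP-NAME header field is absent. The sample records and the names `audit` and `SAMPLE` are constructed for illustration.

```python
import re

# Assumption: records are RFC 5424 syslog, whose header is
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
HEADER = re.compile(r"^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ")
NIL = "-"  # RFC 5424 NILVALUE: the sender did not supply this field

# Constructed sample of a consolidated log (not real data).
SAMPLE = [
    "<134>1 2024-05-01T12:00:00Z web01.example.test billing-api 4211 LOGIN - user login ok",
    "<134>1 2024-05-01T12:00:01Z 192.0.2.10 billing-api 4211 LOGIN - user login ok",
    "<134>1 2024-05-01T12:00:02Z web01.example.test - 4211 - - app name missing",
    "<134>1 2024-05-01T12:00:03Z - - - - - neither field present",
    "May  1 12:00:04 user login ok",
]


def audit(lines):
    """Return (line_number, reason) for every record that fails the check.

    A record passes when both HOSTNAME and APP-NAME are present; an IP
    address in HOSTNAME is accepted, as the check content allows.
    """
    findings = []
    for number, line in enumerate(lines, 1):
        match = HEADER.match(line)
        if match is None:
            # No parseable header means no reliable source attribution.
            findings.append((number, "not RFC 5424; source cannot be determined"))
            continue
        host, app = match.group(4), match.group(5)
        missing = [name for name, value in (("HOSTNAME", host), ("APP-NAME", app))
                   if value == NIL]
        if missing:
            findings.append((number, "missing " + ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for number, reason in audit(SAMPLE):
        print(f"finding: line {number}: {reason}")
```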
Additional Identifiers
Rule ID: SV-222475r879566_rule
Vulnerability ID: V-222475
Group Title: SRG-APP-000098
CCIs
Number | Definition |
---|---|
CCI-000133 | The information system generates audit records containing information that establishes the source of the event. |
Controls
Number | Title |
---|---|
AU-3 | Content Of Audit Records |