Title

The application must generate audit records for privileged activities or other system-level access. (Cat II impact)

Discussion

Privileged activities include the tasks or actions taken by users in an administrative role (admin, backup operator, manager, etc.) which are used to manage or reconfigure application function. Examples include but are not limited to: Modifying application logging verbosity, starting or stopping of application services, application user account management, managing application functionality, or otherwise changing the underlying application capabilities such as adding a new application module or plugin. Privileged access does not include an application design which does not modify the application but does provide users with the functionality or the ability to manage their own user specific preferences or otherwise tailor the application to suit individual user needs based upon choices or selections built into the application.

Check Content

Review and monitor the application logs. Authenticate to the application as a privileged user and observe if the log includes an entry to indicate the user’s authentication was successful. Perform actions as an admin or other privileged user such as modifying the logging verbosity, or starting or stopping an application service, or terminating a test user session. If log events that correspond with the actions performed are not recorded in the logs, this is a finding.

Fix Text

Configure the application to write a log entry when privileged activities or other system-level events occur.

Additional Identifiers

Rule ID: SV-222463r879875_rule

Vulnerability ID: V-222463

Group Title: SRG-APP-000504

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.