Title

The application must provide audit record generation capability for connecting system IP addresses. (Cat II impact)

Discussion

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the application (e.g., process, module). Certain specific application functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. The IP addresses of remote systems that connect to the application are an important aspect of identifying the sources of application activity. Recording these IP addresses in the application logs provides forensic evidence and aids in investigating and identifying sources of malicious behavior related to security events.

Check Content

Review the application documentation and interview the application administrator to identify where audit logs are stored. Review audit logs and determine if the IP address information of systems that connect to the application is kept in the logs. If connecting IP addresses are not seen in the logs, connect to the application remotely and review the logs to determine if the connection was logged. If the IP addresses of the systems that connect to the application are not recorded in the logs, this is a finding.

Fix Text

Configure the application or application server to log all connecting IP address information

Additional Identifiers

Rule ID: SV-222448r879559_rule

Vulnerability ID: V-222448

Group Title: SRG-APP-000089

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.