An error occurred:

Check: APSC-DV-000970

Application Security and Development STIG: APSC-DV-000970 (in versions v5 r3 through v4 r2)

Title

The application must log user actions involving changes to data. (Cat II impact)

Discussion

When users change/modify application data, there is risk of data compromise if the account used to access is compromised or access is granted improperly. To be able to investigate which account accessed data, the account making the data changes must be logged. Without establishing when the data change event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Associating event types with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.

Check Content

Review and monitor the application logs. When modifying data, the logs are most likely database logs. If the application design documents include specific data elements that require protection, ensure any changes to those specific data elements are logged. Otherwise, a random check is sufficient. If the application uses a database configured to use Transaction SQL logging this is not a finding if the application admin can demonstrate a process for reviewing the transaction log for data changes. The process must include using the transaction log and some form of query capability to identify users and the data they changed within the application and vice versa. Utilize the application as a regular user and operate the application so as to modify a data element contained within the application. Observe and determine if the application log includes an entry to indicate the users data change event was recorded. If successful changes/modifications to application data elements are not recorded in the logs, this is a finding.

Fix Text

Configure the application to log all changes to application data.

Additional Identifiers

Rule ID: SV-222472r879563_rule

Vulnerability ID: V-222472

Group Title: SRG-APP-000095

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000130

The information system generates audit records containing information that establishes what type of event occurred.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-3

Content Of Audit Records