Title

The application must generate audit records containing information that establishes the identity of any individual or process associated with the event. (Cat II impact)

Discussion

Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event. Event identifiers (if authenticated or otherwise known) include, but are not limited to, user database tables, primary key values, user names, or process identifiers.

Check Content

Review system documentation and discuss application operation with application administrator. Identify application processes and application users. Identify application components, e.g., application features framework and function. Identify server components, such as web server, database server. Review application logs. Ensure the application event logs include an identifier or identifiers that will allow an investigator to determine the user or the application process responsible for the application event. If the event logs do not include the appropriate identifier or identifiers, this is a finding.

Fix Text

Configure the application to log the identity of the user and/or the process associated with the event.

Additional Identifiers

Rule ID: SV-222477r879568_rule

Vulnerability ID: V-222477

Group Title: SRG-APP-000100

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.