An error occurred:

Check: SRG-APP-000109-AS-000068

Application Server SRG: SRG-APP-000109-AS-000068 (in versions v3 r4 through v2 r2)

Title

The application server must shut down by default upon log failure (unless availability is an overriding concern). (Cat II impact)

Discussion

It is critical that, when a system is at risk of failing to process logs, it detects and takes action to mitigate the failure. Log processing failures include software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded. During a failure, the application server must be configured to shut down unless the application server is part of a high availability system. When availability is an overriding concern, other approved actions in response to a log failure are as follows: (i) If the failure was caused by the lack of log record storage capacity, the application must continue generating log records if possible (automatically restarting the log service if necessary), overwriting the oldest log records in a first-in-first-out manner. (ii) If log records are sent to a centralized collection server and communication with this server is lost or the server fails, the application must queue log records locally until communication is restored or until the log records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local log data with the collection server.

Check Content

If the application server is a high availability system, this finding is NA. Review the application server configuration settings to determine if the application server is configured to shut down on a log failure. If the application server is not configured to shut down on a log failure, this is a finding.

Fix Text

If the application server is a high availability system, this finding is NA. Configure the application server to shut down on a log failure.

Additional Identifiers

Rule ID: SV-204729r879571_rule

Vulnerability ID: V-204729

Group Title: SRG-APP-000109

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000140

The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-5

Response To Audit Processing Failures