Title

The application server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which logable events are to be logged. (Cat II impact)

Discussion

Log records can be generated from various components within the application server, (e.g., httpd, beans, etc.) From an application perspective, certain specific application functionalities may be logged, as well. The list of logged events is the set of events for which logs are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating log records (e.g., logable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked). Application servers utilize role-based access controls in order to specify the individuals who are allowed to configure application component logable events. The application server must be configured to select which personnel are assigned the role of selecting which logable events are to be logged. The personnel or roles that can select logable events are only the ISSM (or individuals or roles appointed by the ISSM).

Check Content

Review application server product documentation and configuration to determine if the system only allows the ISSM (or individuals or roles appointed by the ISSM) to change logable events. If the system is not configured to perform this function, this is a finding.

Fix Text

Configure the application server to only allow the ISSM (or individuals or roles appointed by the ISSM) to change logable events.

Additional Identifiers

Rule ID: SV-204718r879560_rule

Vulnerability ID: V-204718

Group Title: SRG-APP-000090

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.