Check: IDMS-DB-000170
CA IDMS STIG:
IDMS-DB-000170
(in versions v1 r2 through v1 r1)
Title
IDMS must protect against the use of web-based applications that use generic IDs. (Cat III impact)
Discussion
Web-based applications that allow a generic ID can be a door into IDMS allowing unauthorized changes whose authors may not be determined.
Check Content
If there are web-based applications to which individual users sign on, and a generic ID associated with the application is used to access back-end IDMS databases, this is a finding.
Fix Text
For web-based applications using generic IDs, set the individual user ID (external identity) to be recorded in the journal. For JDBC applications, use the "IdmsConnection setIdentity" method. For ODBC applications, use the "SQLSetConnectAttr" function with the IDMS_ATTR_EXTERNAL_IDENTITY attribute type. Run journal reports "JREPORT 010" and "JREPORT 008" to audit the individual user ID.
Additional Identifiers
Rule ID: SV-251597r808349_rule
Vulnerability ID: V-251597
Group Title: SRG-APP-000080-DB-000063
CCIs
Number | Definition |
---|---|
CCI-000166 | The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. |
Controls
Number | Title |
---|---|
AU-10 | Non-Repudiation |