Check: WEBPL110
Web Policy STIG:
WEBPL110
(in version v1 r1)
Title
Web server access logs are generated and retained according to DoDI 8500.2 requirements. (Cat III impact)
Discussion
Audit trails (logs) are required, as a minimum, to determine accountability according to DoDI 8500.2. They also provide the accountability functionality of a C2-level trusted requirement. Auditing (logging) provides an investigative tool to detect misuse of the system and has been used as evidence to convict individuals of computer crimes.
Check Content
The intent of this check is to verify that audit logs generated by web server software (e.g., IIS, Apache, etc.) are retained according to DoDI 8500.2 requirements. This requirement should be a part of either the hosting agency's SOP or a local audit policy. Logging element requirements for the web server are covered in technical checks. Since web server software relies on the OS to process log events, the OS STIGs will govern all methodologies and policies related to access, handling and storage, transit, and processing. This check only addresses minimum retention periods for web server logs.

An MOU or an SLA may require more restrictive retention periods, such as those that deal with access to Sources and Methods Intelligence (SAMI) data as defined in DoDI 8500.2. This check does not affect requirements as may be specified in an MOU or an SLA between a hosting agency and an information owner, as long as minimum retention periods are achieved. Auditable events and policies, such as those that may be specified by the Application Security and Development STIG, are governed by that STIG. Event logs and policies that may be required by other STIGs will still be governed by those STIGs.

The reviewer will work with the IAO, the SA, or the web administrator to verify that audit logs, as generated by the web server software, are retained according to the following requirement:

1. SAMI access will be retained for a minimum of 5 years.
2. Other access will be retained for a period of 1 year.

If the reviewer cannot ascertain the retention period for web server logs, this is a finding.
Fix Text
Archive web server access logs for at least 1 year. In the case of SAMI information, the requirement is 5 years.
Additional Identifiers
Rule ID: SV-28790r1_rule
Vulnerability ID: V-23844
Group Title: Audit Log Retention
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |