Navigate

Check: SRG-APP-000092-WSR-000055

Web Server SRG: SRG-APP-000092-WSR-000055 (in versions v4 r2 through v2 r2)

Title

The web server must initiate session logging upon start up. (Cat II impact)

Discussion

An attacker can compromise a web server during the startup process. If logging is not initiated until all the web server processes are started, key information may be missed and not available during a forensic investigation. To assure all logable events are captured, the web server must begin logging once the first web server process is initiated.

Check Content

Review the web server documentation and deployed configuration to determine if the web server captures log data as soon as the web server is started. If the web server does not capture logable events upon startup, this is a finding.

Fix Text

Configure the web server to capture logable events upon startup.

Additional Identifiers

Rule ID: SV-206357r960888_rule

Vulnerability ID: V-206357

Group Title: SRG-APP-000092

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-001464	Initiates session audits automatically at system start-up.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AU-14(1)	System Start-up