An error occurred:

Check: SRG-APP-000097-WSR-000058

Web Server SRG: SRG-APP-000097-WSR-000058 (in versions v4 r2 through v2 r2)

Title

The web server must produce log records containing sufficient information to establish where within the web server the events occurred. (Cat II impact)

Discussion

Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct location or process within the web server where the events occurred is important during forensic analysis. Correctly determining the web service, plug-in, or module will add information to the overall reconstruction of the logged event. For example, an event that occurred during communication to a cgi module might be handled differently than an event that occurred during a communication session to a user. Without sufficient information establishing where the log event occurred within the web server, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.

Check Content

Review the web server documentation and deployment configuration to determine if the web server is configured to generate sufficient information to resolve in which process within the web server the log event occurred. Request a user access the hosted application and generate logable events, and then review the logs to determine if the process of the event within the web server can be established. If it cannot be determined where the event occurred, this is a finding.

Fix Text

Configure the web server to generate enough information to determine in what process within the web server the log event occurred.

Additional Identifiers

Rule ID: SV-206361r1022706_rule

Vulnerability ID: V-206361

Group Title: SRG-APP-000097

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000132

Ensure that audit records containing information that establishes where the event occurred.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-3

Content of Audit Records