Title

The web server must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity. (Cat II impact)

Discussion

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Log processing failures include: software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded. If log capacity were to be exceeded, then events subsequently occurring would not be recorded. Organizations shall define a maximum allowable percentage of storage capacity serving as an alarming threshold (e.g., web server has exceeded 75% of log storage capacity allocated), at which time the web server or the logging mechanism the web server utilizes will provide a warning to the ISSO and SA at a minimum. This requirement can be met by configuring the web server to utilize a dedicated log tool that meets this requirement.

Check Content

Review the web server documentation and deployment configuration settings to determine if the web server log system provides a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum record storage capacity. If designated alerts are not sent or the web server is not configured to use a dedicated log tool that meets this requirement, this is a finding.

Fix Text

Configure the web server to provide a warning to the ISSO and SA when allocated log record storage volume reaches 75% of maximum record storage capacity.

Additional Identifiers

Rule ID: SV-206424r961398_rule

Vulnerability ID: V-206424

Group Title: SRG-APP-000359

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.