Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
For production environments; Review the system documentation, identify the number of application user logon sessions allowed per user, identify the methods utilized for user session management or have application administrator describe how the application implements user session management. Utilize the management interface that is used to set the user session values, or examine configuration files in order to review user session configuration settings. Ensure the number of sessions allowed per user is specified in accordance with the organizational requirements. For development environments; have the developer provide design documentation or demonstrate how the application is designed to limit the number of simultaneous user logon sessions. If the application is not configured to limit the number of logon sessions per user as defined by the organization, this is a finding.
Design and configure the application to specify the number of logon sessions that are allowed per user.
Review application design documentation and interview application administrator to identify how the application makes use of temporary client storage and cookies. Identify cookie and web storage locations on the client. Clear all browser cookies and web cache. Log on to the application and perform several standard operations, noting if the application ever prompts the user to accept a cookie. If prompted by the browser to save the user ID and password (decline to save the user ID and password), this is a finding. Log out of the application and close the browser. Reopen the browser and examine the stored cookies. The cookies displayed should be related to the application website. The procedure to view cookies will vary according to the browser used. Some modern browsers are making use of SQLite databases to store cookie data so use of a SQLite db reader/browser may be required. Open the cookies related to the application website and search for any identification or authentication information. While authentication information can vary on a per application basis, this is most often specified as "username=x", or "password=x". If the web application prompts the user to save their password, or if a username or password value exists within a cookie or within local storage locations, even if hashed, this is a finding. The application may use means other than cookies to store user information. If the reviewer detects an alternative mechanism for storing information locally, examine the data storage to ensure no authentication or other sensitive information is present.
Design and configure the application to clear sensitive data from cookies and local storage when the user logs out of the application.
Ask the application representative to demonstrate the configuration setting where the idle time out value is defined. Alternatively, logon with a regular application user account and let the session sit idle for 15 minutes. Attempt to access the application after 15 minutes of inactivity. If the configuration setting is not set to time out user sessions after 15 minutes of inactivity, or if the regular user session used for testing does not time out after 15 minutes of inactivity, this is a finding.
Design and configure the application to terminate the non-privileged users session after 15 minutes of inactivity.
Ask the application representative to demonstrate the application configuration setting where the idle time out value is defined for admin users. Alternatively, logon with an admin user account and let the session sit idle for 10 minutes. Attempt to access the application after 10 minutes of inactivity. If the configuration setting is not set to time out admin user sessions after 10 minutes of inactivity, or if the session used for testing does not time out after 10 minutes of inactivity, this is a finding.
Design and configure the application to terminate the admin users session after 10 minutes of inactivity.
If the application does not provide an interface for interactive user access, this is not applicable. Log on to the application with a valid user account. Examine the user interface. Identify the command or link that provides the logoff function. Activate the user logoff function. Observe user interface and attempt to interact with the application. Confirm user interaction with the application is no longer possible. If the user session is not terminated or if the logoff function does not exist, this is a finding.
Design and configure the application to provide all users with the capability to manually terminate their application session.
If the application does not provide an interface for interactive user access, this is not applicable. Log on to the application with a valid user account. Examine the user interface. Identify the command or link that provides the logoff function. Activate the user logoff function. If the application does not provide an explicit logoff message indicating the user session has been terminated, this is a finding.
Design and configure the application to provide an explicit logoff message to users indicating a successful logoff has occurred upon user session termination.
Review the application documentation and interview the application administrator. Determine if the application processes classified, FOUO, or other data that is required to be marked and identify if the application requirements specify data markings of any other types of data. If the application does not contain classified, FOUO, or other data that is required to be marked, this requirement is not applicable. Review the database or other storage mechanism and have the application administrator identify and demonstrate how the application assigns and maintains data markings while the data is in storage. Typical methods for marking data include utilizing a table or data base field that contains the marking information and associating the marking information with the data. If application data required to be marked is not marked and does not retain its marking while it is being stored, this is a finding.
Design and configure the application to assign data marking and ensure the marking is retained when the data is stored.
Review the application documentation and interview the application administrator. Identify if the application requirements include data marking. Also determine if the application processes classified, FOUO or other data that is required to be marked. If the application does not contain classified, FOUO or have data marking requirements, this requirement is not applicable. Access the user interface for the application and navigate through the application. Perform several application actions that will manipulate data contained within the application. For example, create a test record and assign a data marking to the data element. Save the test record, close the data entry fields and navigate to display the test record. Perform an edit action on the test data that does not edit the marking itself or perform any other form of data processing such as assigning the data to another users work queue for review or printing the data, ensure the data marking is retained throughout the data processing actions. If application data required to be marked does not retain its marking while it is being processed by the application, this is a finding.
Design and configure the application to retain the data marking when processing data.
Review the application documentation and interview the application administrator. Identify if the application requirements include data marking also determine if the application processes classified, FOUO or other data that is required to be marked. Access the user interface for the application and navigate through the application. Perform an application action that will transmit marked data that is contained within the application. If the application does not contain classified, FOUO or have data marking requirements, or if the application does not transmit data, this requirement is not applicable. E.g., create a test record and assign a data marking to the data element. Save the test record, close the data entry fields and navigate to display the test record. Initiate the application processes to transmit data. Access remote system or have person with access to remote system verify the data marking is retained after the data transmission. If application data required to be marked does not retain its marking when it is being transmitted by the application, this is a finding.
Design and configure the application to retain the data marking when transmitting data.
Review the application documentation and interview the system administrator. Identify the application encryption capabilities and methods for implementing encryption protection. For web based applications; open the web browser and access the website URL. Use the browser and determine if the session is protected via TLS. A secure connection is usually indicated in the upper left hand corner of the URL by a padlock icon. Click on the padlock icon and examine the connection information. Determine if TLS encryption is used to secure the session. For non-web based applications, determine the TCP/IP port, protocol and method used for establishing client connections to the remote server. Review application configuration settings to ensure encryption is specified and via TLS. If the connection is not secured with TLS, this is a finding.
Design and configure applications to use TLS encryption to protect the confidentiality of remote access sessions.
Review the application documentation and interview the system administrator. Identify the application encryption capabilities and methods for implementing encryption protection. For web based applications; open the web browser and access the website URL. Use the browser and determine if the session is protected via TLS. A secure connection is usually indicated in the upper left hand corner of the URL by a padlock icon. Click on the padlock icon and examine the connection information. Determine if TLS encryption is used to secure the session. For non-web based applications, determine the TCP/IP port, protocol and method used for establishing client connections to the remote server. Review application configuration settings to ensure encryption is specified and via TLS. If the connection is not secured with TLS, this is a finding.
Design and configure applications to use TLS encryption to protect the integrity of remote access sessions.
Review the application documentation, system security plan, application architecture diagrams and interview the application administrator. Review the design document for web services using SOAP messages. If the application does not utilize SOAP messages, this check is not applicable. Review the design document and SOAP messages. Verify the Message ID, Service Request, Timestamp, and SAML Assertion are included in the SOAP message. If they are included, verify they are signed with a certificate. If SOAP messages requiring integrity do not have the Message ID, Service Request, Timestamp, and SAML Assertion signed, or if any part of the message is not digitally signed, this is a finding.
Design and configure the application to sign the following message elements for SOAP messages requiring integrity: - Message ID - Service Request - Timestamp - SAML Assertion - Message elements
Ask the application representative for the design document. Review the design document for web services using WS-Security tokens. If the application does not utilize WS-Security tokens, this check is not applicable. Examine the contents of a SOAP message using WS Security; all messages should contain time stamps, sequence numbers, and expiration. If messages using WS Security do not contain time stamps, sequence numbers, and expiration, this is a finding.
Design and configure applications using WS-Security messages to use time stamps with creation and expiration times and sequence numbers.
Ask the application representative for the design document. Review the design document for web services. If the application does not utilize WSS or SAML assertions, this requirement is not applicable. Review the design document and verify validity periods are checked on all messages using WS-Security or SAML assertions. If the design document does not exist, or does not indicate validity periods are checked on messages using WS-Security or SAML assertions, this is a finding.
Design and configure the application to use validity periods, ensure validity periods are verified on all WS-Security token profiles and SAML Assertions.
Ask the application representative for the design document. Review the design document for web services using SAML assertions. If the application does not utilize SAML assertions, this check is not applicable. Review the design document and verify SAML assertion identifiers are not reused by a single asserting party. If the design document does not exist, or does not indicate SAML assertion identifiers which are unique for each asserting party, this is a finding.
Design and configure each SAML assertion authority to use unique assertion identifiers.
Ask the application representative for the design document. Review the design document for web services using WS-Security tokens. If the application does not utilize WS-Security tokens, this check is not applicable. Verify all WS-Security tokens are transmitted via an approved encryption method. If the design document does not exist, or does not indicate all WS-Security tokens are only transmitted via an approved encryption method, this is a finding.
Encrypt assertions or use equivalent confidentiality when sensitive assertion data is passed through an intermediary.
Ask the application representative for the design document. Review the design document for web services using SAML assertions. If the application does not utilize SAML assertions, this check is not applicable. Examine the contents of a SOAP message using the <SubjectConfirmation> element. All messages should contain the <NotOnOrAfter> element. This can be accomplished if the application allows the ability to view XML messages or via a protocol analyzer like Wireshark. If SOAP messages do not contain <NotOnOrAfter> elements, this is a finding.
Design and configure the application to use the <NotOnOrAfter> condition when using the <SubjectConfirmation> element in a SAML assertion.
Ask the application representative for the design document. Review the design document for web services using SAML assertions. If the application does not utilize SAML assertions, this check is not applicable. Examine the contents of a SOAP message using the <Conditions> element; all messages should contain the <NotBefore> and <NotOnOrAfter> or <OneTimeUse> element when in a SAML Assertion. This can be accomplished using a protocol analyzer such as Wireshark. If SOAP using the <Conditions> element does not contain <NotBefore> and <NotOnOrAfter> or <OneTimeUse> elements, this is a finding.
Design and configure the application to implement the use of the <NotBefore> and <NotOnOrAfter> or <OneTimeUse> when using the <Conditions> element in a SAML assertion.
Ask the application representative for the design document. Review the design document for web services using SAML assertions. If the application does not utilize SAML assertions, this check is not applicable. Examine the contents of a SOAP message using the OneTimeUse element; all messages should contain only one instance of a <OneTimeUse> element in a SAML assertion. This can be accomplished using a protocol analyzer such as Wireshark. If SOAP message uses more than one, OneTimeUse element in a SAML assertion, this is a finding.
When using OneTimeUse elements in a SAML assertion only allow one, OneTimeUse element to be used in the conditions element of a SAML assertion.
Ask the application representative for the design document. Review the design document for web services using SAML assertions. If the application does not utilize SAML assertions, this check is not applicable. Examine the contents of a SOAP message using a SessionIndex in the SAML element AuthnStatement. Verify the information which is tied to the SessionIndex. If the SessionIndex is tied to privacy information, and it is not encrypted, this is a finding.
Encrypt messages when the SessionIndex is tied to privacy data.
Review the application documentation and interview the application administrator. Identify the account management methods, processes and procedures that are used. If the application is utilizing a centralized authentication mechanism such as Active Directory or LDAP, verify all user account activity is conducted via that solution and no local user accounts that circumvent the automated solution are used. Determine if automated mechanisms are used when managing application user accounts and taking management action on application user accounts. Automated methods include but are not limited to: Taking action on accounts that have been determined to be inactive, suspended, terminated, or disabled. Automated action examples include: deleting such accounts, reactivating accounts in conjunction with a validation or verification process, or sending notifications or reminders to the account holders that their account is about to be disabled or deleted. Verify the action that is taken is automated and repeatable. If the account management process is manual in nature, this is a finding.
Use automated processes and mechanisms for account management functions.
Review the application documentation and determine if there is a requirement for shared or group accounts. If there is no official requirement for shared or group application accounts, this requirement is not applicable. Interview the application representative and identify shared/group accounts. Have the application representative provide their procedures for account management as it pertains to group users. Validate there is a procedure for deleting either member accounts or the entire group account when member leave the group. If there is no process for handling group account credentials, this is a finding.
Create a procedure for deleting either member accounts or the entire group account when members leave the group.
If official documentation exist that disallows the use of temporary user accounts within the application, this requirement is not applicable. Examine the application documentation or interview the application representative to identify how the application users are managed. Navigate to the screen where user accounts are configured. Create a test account and determine if there is a setting to specify the user account as being temporary in nature. Determine if there is an available setting to expire the account after a period of time. If the application has no ability to specify a user account as being temporary in nature, or if the account has no ability to automatically disable or remove the account after 72 hours after account creation, this is a finding.
Configure temporary accounts to be automatically removed or disabled after 72 hours after account creation.
Review the application documentation and interview the application administrator. Identify if emergency accounts are ever used. If emergency accounts are not used, this requirement is not applicable. If emergency accounts are used, validate a procedure, process, feature or function exists that will prevent the emergency account from being deleted or disabled during a crisis situation. Examples include but are not limited to adding a flag to the account to ensure it is not deleted during a specified emergency period or placing the account in a designated group that is monitored and controlled in accordance with the crisis. If a process, procedure, function or feature designed to prevent emergency accounts from being deleted or disabled during a crisis situation is not available, this is a finding.
Identify accounts that are created in an emergency situation and ensure procedures or processes are in place to prevent disabling or deleting the account while the emergency is underway.
Examine the application documentation or interview the application representative to identify how the application users are managed. Interview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory (AD) for user management or if the application manages user accounts within the application. If the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable. If the application handles the management tasks for user accounts, access the applications user management utility. Navigate to the screen where user accounts are configured to be disabled after 35 days of inactivity. Confirm this setting is active. If the application is not set to expire inactive accounts after 35 days, or if the application has no ability to expire accounts after 35 days of inactivity, this is a finding.
Design and configure the application to expire user accounts after 35 days of inactivity.
Review the system documentation and identify any valid application accounts that are required in order for the application to operate. Accounts the application itself uses in order to function are not in scope for this requirement. Have the application administrator generate a list of all application users. This should include relevant user metadata such as phone numbers or department identifiers. Have the application administrator identify and validate all user accounts. If any accounts cannot be validated and are deemed to be unnecessary, this is a finding.
Design the application so unessential user accounts are not created during installation. Disable or delete all unnecessary application user accounts.
Examine the application documentation to identify how the application users are managed. Interview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application. If the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable. Identify the location of the audit logs and review the end of the logs. Access the user account management functionality and create a new user account. Examine the log file again and determine if the account creation event was logged. The information logged should, at a minimum, include enough detail to determine which account was created and when. If the account creation event was not logged, this is a finding.
Configure the application to write a log entry when a new user account is created. At a minimum, ensure account name, date and time of the event are recorded.
Examine the application documentation to identify how the application users are managed. Interview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application. If the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable. Identify the location of the audit logs and review the end of the logs. Access the user account management functionality and modify a test user account. Examine the log file again and determine if the account event was logged. The information logged should, at a minimum, include enough detail to determine which account was modified and when. If the account modification event information was not logged, this is a finding.
Configure the application to write a log entry when a user account is modified. At a minimum, ensure account name, date and time of the event are recorded.
Examine the application documentation to identify how the application users are managed. Interview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application. If the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable. Identify the location of the audit logs and review the end of the logs. Access the user account management functionality and disable a test user account. Examine the log file again and determine if the account disable event was logged. The information logged should, at a minimum, include enough detail to determine which account was disabled and when. If the account disabling event information was not logged, this is a finding.
Configure the application to write a log entry when a user account is disabled. At a minimum, ensure account name, date and time of the event are recorded.
Examine the application documentation to identify how the application users are managed. Interview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application. If the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable. Identify the location of the audit logs and review the end of the logs. Access the user account management functionality and remove a test user account. Examine the log file again and determine if the account removal event was logged. The information logged should, at a minimum, include enough detail to determine which account was disabled and when. If the account removal event information was not logged, this is a finding.
Configure the application to write a log entry when a user account is removed. At a minimum, ensure account name, date and time of the event are recorded.
Review the application and system documentation. Interview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application. If the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable. Ensure the application is configured to notify system administrators when new accounts are created by identifying system administrators who will be notified when new accounts are created, creating a test account and checking with system administrator to verify notification was received. If system administrators and ISSOs are not notified when accounts are created, this is a finding.
Configure the application to notify the system administrator and the ISSO when application accounts are created.
Review the application and system documentation. Interview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application. If the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable. Ensure the application is configured to notify system administrators when accounts are modified by identifying system administrators who will be notified when accounts are modified. Modify a test account and check with a system administrator to verify notification was received. If system administrators and ISSOs are not notified when accounts are modified, this is a finding.
Configure the application to notify the system administrator and the ISSO when application accounts are modified.
Review the application and system documentation. Interview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application. If the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable. Ensure application is configured to notify system administrators when accounts are disabled by identifying system administrators who will be notified when accounts are disabled. Disable a test account and check with a system administrator to verify notification was received. If system administrators and ISSOs are not notified when accounts are disabled, this is a finding.
Configure the application to notify the system administrator and the ISSO when application accounts are disabled.
Review the application and system documentation. Interview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application. If the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable. Ensure application is configured to notify system administrators when accounts are removed by identifying system administrators who will be notified when accounts are removed. Remove a test account and check with a system administrator to verify notification was received. If system administrators and ISSOs are not notified when accounts are removed, this is a finding.
Configure the application to notify the system administrator and the ISSO when application accounts are removed.
Examine the application documentation or interview the application representative to identify how the application users are managed. Interview the application administrator and determine if the application is configured to utilize a centralized user management system such as Active Directory for user management or if the application manages user accounts within the application. If the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable. Identify the location of the audit logs and review the end of the logs. Access the user account management functionality and enable a test user account. Examine the log file again and determine if the account enable event was logged. The information logged should, at a minimum, include enough detail to determine which account was enabled and when. If the account enabling event information was not logged, this is a finding.
Configure the application to write a log entry when a user account is enabled. At a minimum, ensure account name, date and time of the event are recorded.
Review the application and system documentation. Interview application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application. If the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable. Ensure application is configured to notify system administrators when accounts are enabled by identifying system administrators who will be notified when accounts are enabled. Disable and then enable a test account and check with system administrator to verify notification was received to indicate the account was enabled. If system administrators and ISSOs are not notified when accounts are enabled, this is a finding.
Configure the application to notify the system administrator and the ISSO when application accounts are enabled.
Ask the application representative for the documentation that identifies the application data elements, the protection requirements, and any associated steps that are being taken to protect the data. If the application data protection requirements are not documented, this is a finding.
Identify and document the application data elements and the data protection requirements.
Review the security plan, application and system documentation and interview the application administrator to identify data mining protections that are required of the application. If there are no data mining protections required, this requirement is not applicable. Review the application authentication requirements and permissions. Review documented protections that have been established to protect from data mining. This can include limiting the number of queries allowed. Automated alarming on atypical query events. Limiting the number of records allowed to be returned in a query. Not allowing data dumps. If the application requirements specify protections for data mining and the application administrator is unable to identify or demonstrate that the protections are in place, this is a finding.
Utilize and implement data mining protections when requirements specify it.
Review the application documentation and interview the application administrator. Review application data protection requirements. Identify application resources that require protection and authentication over and above the authentication required to access the application itself. This can be access to a URL, a folder, a file, a process or a database record that should only be available to certain individuals. Identify the access control methods utilized by the application in order to control access to the resource. Examples include Role-Based Access Control policies (RBAC). Using RBAC as an example, utilize a test account placed into a test role. Set a protection control on a resource and explicitly deny access to the role assigned to the test user account. Try to access an application resource that is not configured to allow access. Access should be denied. If the enforcement of configured access restrictions is not performed, this is a finding.
Design or configure the application to enforce access to application resources.
Review the application documentation and interview the application administrator. Review application data protection requirements and application integrated access control methods. Identify if the application implements discretionary access control to application resources. Discretionary Access Controls (DAC) allows application users to determine and set permissions on application data and application objects. The result is the user is given the ability to control who has access to the data they control. If the application does not implement discretionary access controls, this requirement is not applicable. Resources can be a URL, a folder, a file, a process, a database record, or any other application asset that warrants sharing or authorization permission reassignment. Create 3 test accounts. Using test account 1 set protection control on a test user 1 controlled resource. Grant access to test user 2 and only test user 2. Authenticate as test user 3 and attempt to access the application resource where test user 1 and test user 2 are granted access. Access should be denied. If the enforcement of configured access restrictions is not performed, this is a finding.
Design and configure the application to enforce discretionary access control policies.
Review the application documentation and interview the application and system administrators. Review application features and functions to determine if the application is designed to control the flow of information within the system. Identify: - rulesets, - data labels, and - policies to determine if the application is designed to control the flow of data within the system. If the application does not provide data flow control capabilities, the requirement is not applicable. Access the system as a user with access rights that allow the creation of test data or use of existing test data. Create a test data set and label the data with a data label provided with or by the application, e.g., Personally Identifiable Information (PII) data. Review the policy to determine where in the system the PII labeled data is allowed and is not allowed to go. Using application features and functions, attempt to transmit the labeled data to an area that is prohibited by policy. Verify the flow control policy was enforced and the data was not transmitted. If the application does not enforce the approved authorizations for controlling data flow, this is a finding.
Configure the application to enforce data flow control in accordance with data flow control policies.
Review the application documentation and interview the application and system administrators. Identify application features and functions to determine if the application is designed to control the flow of information between interconnected systems. Identify: - rulesets, - data labels - policies - systems to determine if the application is designed to control the flow of data between interconnected systems. If the application does not provide data flow control capabilities, the requirement is not applicable. Access the system as a user with access rights allowing the creation of test data or use of existing test data. Create a test data set and label the data with a data label provided with or by the application (for example, a Personally Identifiable Information (PII) data label). Review the policy settings to determine where the PII labeled data is allowed and is not allowed. Using application features and functions, attempt to transmit the labeled data to an interconnected system that is prohibited by policy. Verify the flow control policy was enforced and the data was not transmitted. If the application does not enforce the approved authorizations for controlling data flow, this is a finding.
Configure the application to enforce data flow control in accordance with data flow control policies.
Identify the application user account(s) that the application uses to run. These accounts include the application processes (defined by Control Panel Services (Windows) or ps –ef (UNIX)) or for an n-tier application, the account that connects from one service (such as a web server) to another (such as a database server). Determine the OS user groups in which each account is a member. List the user rights assigned to these users and groups and evaluate whether any of them are unnecessary. If the OS rights exceed application operational requirements, this is a finding. If the application user account is a member of the Administrators group (Windows) or has a User Identification (UID) of 0 (i.e., is equivalent to root in UNIX), this is a finding. Search the file system to determine if the application user or groups have ownership or permissions to any files or directories. Review the list of files and identify any that are outside the scope of the application. If there are such files outside the scope of the application, this is a finding. Check ownership and permissions; identify permissions beyond the minimum necessary to support the application. If there are instances of unnecessary ownership or permissions, this is a finding. The finding details should note the full path of the file(s) and the associated issue (i.e., outside scope, permissions improperly granted to user X, etc.).
Modify the application to limit access and prevent the disabling or circumvention of security safeguards.
Review the system documentation or interview the application representative and identify if the application utilizes an account in order to operate. Determine the OS user groups in which each application account is a member. List the user rights assigned to these users and groups using relevant OS commands and evaluate whether any of them provide admin rights or if they are unnecessary or excessive. If the application connects to a database, open an admin console to the database and view the database users, their roles and group rights. Locate the application user account used to access the database and examine the accounts privileges. This includes group privileges. If the application user account has excessive OS privileges such as being in the admin group, database privileges such as being in the DBA role, has the ability to create, drop, alter the database (not application database tables), or if the application user account has other excessive or undefined system privileges, this is a finding.
Configure the application accounts with minimalist privileges. Do not allow the application to operate with admin credentials.
Log on to the application as an administrative user. Identify functionality within the application that requires utilizing the admin role. Monitor application logs while performing privileged functions within the application. Perform administrative types of tasks such as adding or modifying user accounts, modifying application configuration, or managing encryption keys. Review logs for entries that indicate the administrative actions performed were logged. Ensure the specific action taken, date and time or event is recorded. If the execution of privileged functionality is not logged, this is a finding.
Configure the application to write log entries when privileged functions are executed. At a minimum, ensure the specific action taken, date and time of event are recorded.
All testing must be performed within a 15-minute window. Log on to the application with a test user account. Intentionally enter an incorrect user password or pin. Repeat 2 times within 15 minutes for a total of three failed attempts. Notification of a locked account may or may not be provided. Using the correct user password or pin, attempt to logon a 4th time. If the logon is successful upon the 4th attempt the account was not locked after the third failed attempt and this is a finding.
Configure the application to enforce an account lock after 3 failed logon attempts occurring within a 15-minute window.
Interview the application administrator and identify the approved process for unlocking user accounts. The process may involve a manual or automated reset after the locked out user has identified themselves using standard user identification processes outlined in the vulnerability discussion. If the admin does not unlock the account following the approved process, and if the process does not have documented ISSO and ISSM approvals, this is a finding.
Create a standard approved process for unlocking locked application accounts which includes validating user identity prior to unlocking the account. Use that process when unlocking application user accounts.
If the application has no interactive user interface, this requirement is not applicable. Log on to the application as a user. Observe the screen and ensure the DoD-approved banner is displayed prior to obtaining access to the application. Refer to the vulnerability discussion for the approved text. If the only way to access the application is through the OS console, e.g., a fat client application installed on a GFE desktop or laptop, and that GFE is configured to display the DoD banner, an additional banner is not required at the application level. If the standard DoD-approved banner is not displayed prior to obtaining access, this is a finding.
Configure the application to present the standard DoD-approved banner prior to granting access to the application.
If the application has no interactive user interface, this requirement is not applicable. If the user interface is only available via the OS console, e.g., a fat client application installed on a GFE desktop or laptop, and that GFE is configured to display the DoD banner, this requirement is not applicable. Access the application and authenticate if necessary. Verify the banner is displayed and action must be taken to accept terms of use. If the banner is not displayed or no action must be taken to accept terms of use, this is a finding.
Configure the application to retain the standard DoD-approved banner until the user accepts the usage conditions prior to granting access to the application.
This requirement only applies to publicly accessible applications. If the application is not publicly accessible, this requirement is not applicable. Access the application and observe the screen to ensure the DoD-approved banner is displayed prior to obtaining full access to the application. Refer to the vulnerability discussion for the approved banner text. If the standard DoD-approved banner is not displayed prior to obtaining access, this is a finding.
Configure the application to present the standard DoD-approved banner prior to granting access to the application.
Review the application documentation and interview the application administrator. If the application does not provide a user interface, this requirement is not applicable. Logon to the application as a test user and verify successful authentication by creating test data, navigating the application functionality or otherwise utilizing the application. Note the date and time access was granted. Log out of the application. Re-authenticate to the application as the same user. Validate the last logon date and time is displayed in the user interface. If the date and time the user account was last granted access to the application is not displayed in the user interface, this is a finding.
Design and configure the application to display the date and time when the user was last successfully granted access to the application.
Review the application documentation, the design requirements if available and interview the application administrator. Identify application services or application commands that are formerly required and designed to provide non-repudiation services (e.g., digital signatures). If the application documentation specifically states that non-repudiation services for application users are not defined as part of the application design, this requirement is not applicable. Email is one example of an application specifically required to provide non-repudiation services for application users within the DoD. Interview the application administrators and have them describe which aspect of the application, if any, is required to provide digital signatures. Access the application as a test user or observe the application administrator as they demonstrate the applications signature capabilities. If the application is required to provide non-repudiation services and does not, or if the non-repudiation functionality fails on demonstration, this is a finding.
Configure the application to provide users with a non-repudiation function in the form of digital signatures when it is required by the organization or by the application design and architecture.
Review the application documentation and interview the application administrator. Determine if the application has the ability to compile audit records from multiple systems or system components. If the application does not provide log aggregation services, this requirement is not applicable. Identify the systems that comprise the application. Access each system comprising the application or a random sample of several application systems. Review the application logs and obtain date and time stamps for several random audit events. Record the information. Access the server providing the log aggregation. Access the application logs that have been written to the server and compare the samples obtained from the application systems to the aggregated logs. Ensure the dates and time stamps correlate with one another. If the log dates and times do not correlate when the logs are aggregated, this is a finding.
Configure the application to correlate time stamps when aggregating audit records.
Access the management interface for the application or configuration file and evaluate the log/audit management settings. Determine if the setting that enables session ID creation event auditing is activated. Create a new user session by logging in to the application. Review the logs to ensure the session creation event was recorded. If the application is not configured to log session ID creation events, or if no creation event was recorded, this is a finding. If a web-based application delegates session ID creation to an application server, this is not a finding. If the application generates session ID creation event logs by default, and that behavior cannot be disabled, this is not a finding.
Enable session ID creation event auditing.
Access the management interface for the application or configuration file and evaluate the log/audit management settings. Determine if the setting that enables session ID destruction event auditing is activated. Terminate a user session within the application and review the logs to ensure the session destruction event was recorded. If the application is not configured to log session ID destruction events, or if the application has no means to enable auditing of session ID destruction events, this is a finding. If a web-based application delegates session ID destruction to an application server, this is not a finding. If the application generates audit logs by default when session IDs are destroyed, and that behavior cannot be disabled, this is not a finding.
Enable session ID destruction event auditing.
Interview the system admin and review the application documentation. Identify any web pages or application functionality where a user's privileges or permissions will change. This is most likely to occur during the authentication stages. Evaluate the log/audit output by opening the log files and observing changes to the logs. Create a new user session by accessing the application. Review the logs and save the relevant session creation event recorded. Utilize the application pages that provide privilege escalation. Escalate privileges by authenticating as a privileged user. Review the logs and determine if new session information is created and being used. If a web-based application delegates session ID renewals to an application server, this is not a finding. If the application is not configured to log session ID renewal events this is a finding.
Design or reconfigure the application to log session renewal events on those application events that provide changes in the users privileges or permissions to the application.
Review the application logs and identify application logging format. Using the format of the log and the requisite search data as a guide to create your search, create search strings that could successfully identify the existence of passwords, session IDs, or other sensitive information such as SSN. Utilizing the UNIX grep-based search utility include the following examples which are meant to illustrate the purpose of the requirement. Password values are usually associated with usernames so searching for "username" in the provided log file will often assist in determining if password values are included. grep -i "username" < logfile.txt Search for social security numbers in the provided log file. grep -i "[0-9]{3}[-]?[0-9]{2}[-]?[0-9]{4}" < logfile.txt Use regular expressions to aid in searching log files. All search syntax cannot be provided within the STIG, the reviewer must utilize their knowledge to create new search criteria based upon the log format used and the potentially sensitive data processed by the application. If the application logs sensitive data such as session IDs, application source code, encryption keys, or passwords, this is a finding.
Design or reconfigure the application to not write sensitive data to the logs.
Review the application documentation and interview the application administrator to identify log locations for application session activity. Open the log file that tracks user session activity. Access the application as a regular user and identify the user session within the log files. Identify the session timeout threshold defined by the application. Perform no action within the application in order to allow the session to timeout. Once the session timeout threshold has been exceeded, verify the session has been terminated due to the timeout event and review the logs again to ensure the session timeout event was recorded in the logs. If a web-based application delegates session timeout auditing to an application server, this is not a finding. If the session timeout event is not recorded in the logs, this is a finding.
Configure the application to record session timeout events in the logs.
Review the application logs. If the time the event occurred is not included as part of the event, this is a finding.
Configure the application to record the time the event occurred when recording the event.
Review the application documentation and interview the application administrator to identify log locations for application session activity. Open the log file that tracks user session activity. Access the application as a regular user and identify the user session within the log files. Perform several actions within the application in order to generate HTTP header traffic. Review the logs to ensure the HTTP header information is recorded in the logs. Header information logged will vary based upon the application and environment. Examples of headers include but are not limited to: User-Agent: Referer: X-Forwarded-For: Date: Expires: If HTTP headers are not logged, this is a finding.
Configure the web application and/or the web server to log HTTP headers.
Review the application documentation and interview the application administrator to identify where audit logs are stored. Review audit logs and determine if the IP address information of systems that connect to the application is kept in the logs. If connecting IP addresses are not seen in the logs, connect to the application remotely and review the logs to determine if the connection was logged. If the IP addresses of the systems that connect to the application are not recorded in the logs, this is a finding.
Configure the application or application server to log all connecting IP address information
Review and monitor the application logs. Connect to the application and perform application activity that is allowed by the user such as accessing data or running reports. Observe if the log includes an entry to indicate the user ID of the user that conducted the activity. If the user ID is not recorded along with the event in the event log, this is a finding.
Configure the application to record the user ID of the user responsible for the log event entry.
Review the application documentation and interview the application admin to identify application management interfaces and features. Access the application management utility and create a test user account or use the account of a regular unprivileged user who is cooperating with the testing. Access and open the auditing logs. Using an account with the appropriate privileges, grant the user a privilege they previously did not have. Attempt to grant privileges in a manner that will cause a failure event such as granting privileges to a non-existent user or attempting to grant privileges with an account that doesn't have the rights to do so. Review the application logs and ensure both events were captured in the logs. The event data should include the user’s identity and the privilege that was granted and the privilege that failed to be granted. If the application does not log when successful and unsuccessful attempts to grant privilege occur, this is a finding.
Configure the application to audit successful and unsuccessful attempts to grant privileges.
Review the application documentation and interview the application administrator. Identify where the application logs are stored. Identify application functionality that provides privilege or permission settings to security objects within the application. This can be an application function that assigns privileges to an application object or data element. Authenticate to the application as a regular user. Using application functionality, attempt to access the security object within the application. Perform two attempts, one successfully and one unsuccessfully. Review the log data and ensure both the successful and unsuccessful access attempts are logged. If the application does not generate an audit record when successful and unsuccessful attempts to access security objects occur, this is a finding.
Configure the application to create an audit record for both successful and unsuccessful attempts to access security objects.
Review the application documentation and interview the application administrator. Identify where the application logs are stored. Identify application functionality that provides privilege escalation or access to additional security levels within the application. This can be performing a function that escalates the privileges of the user, or accessing a protected area of the application that requires additional authentication in order to access. Authenticate to the application as a regular user. Using application functionality, attempt to access a different security level or domain within the application. Perform two attempts, one successfully and one unsuccessfully. Review the log data and ensure both the successful and unsuccessful access attempts are logged. If the application does not generate an audit record when successful and unsuccessful attempts to access security levels occur, this is a finding.
Configure the application to create an audit record for both successful and unsuccessful attempts to access security levels.
Review the application documentation and interview the application administrator. Identify where the application logs are stored. Identify any data protections that are required. Identify any categories of data or classification of data. If the application requirements do not call for compartmentalized data and data protection, this requirement is not applicable. Authenticate to the application as a regular user. Using application functionality, attempt to access data that has been assigned to a protected category. Perform two access attempts, one successful and one unsuccessful. Testing this will require obtaining access to test data that has been assigned to a protected category, or having an authorized user access the data for you. Review the log data and ensure both the successful and unsuccessful access attempts are logged. If the application does not generate an audit record when successful and unsuccessful attempts to access categories of information occur, this is a finding.
Configure the application to create an audit record for both successful and unsuccessful attempts to access protected categories of information.
Review the application documentation and interview the application admin to identify application management interfaces and features. Access the application management utility and create a test user account or use the account of a regular privileged user who is cooperating with the testing. Access and open the auditing logs. Using an admin account, modify the privileges of a privileged user. Attempt to modify privileges in a manner that will cause a failure event such as attempting to modify a user’s privileges with an account that doesn't have the rights to do so. Review the application logs and ensure both events were captured in the logs. The event data should include the user’s identity and the privilege that was granted and the privilege that failed to be granted. If the application does not log when successful and unsuccessful attempts to modify privileges occur, this is a finding.
Configure the application to audit successful and unsuccessful attempts to modify privileges.
Review the application documentation and interview the application administrator. Identify where the application logs are stored. Identify application functionality that provides privilege or permission settings to security objects within the application. This can be an application function that assigns privileges to an application object or data element. Authenticate to the application as a regular user. Using application functionality, attempt to modify the security object within the application. Perform two attempts, one successfully and one unsuccessfully. Review the log data and ensure the modification events both successful and unsuccessful are logged. If the application does not generate an audit record when successful and unsuccessful attempts to modify security objects occur, this is a finding.
Configure the application to create an audit record for both successful and unsuccessful attempts to modify security objects.
Review the application documentation and interview the application administrator. Identify where the application logs are stored. Identify application functionality that provides privilege escalation or access to additional security levels within the application. This can be performing a function that escalates the privileges of the user, or accessing a protected area of the application that requires additional authentication in order to access. Authenticate to the application as a regular user. Using application functionality, attempt to modify the permissions of a different security level or domain within the application. Perform two attempts, one successfully and one unsuccessfully. Review the log data and ensure the modify events, both successful and unsuccessful, are logged. If the application does not generate an audit record when successful and unsuccessful attempts to modify the permissions regarding the security levels occur, this is a finding.
Configure the application to create an audit record for both successful and unsuccessful attempts to modify security levels.
Review the application documentation and interview the application administrator. Identify where the application logs are stored. Identify any data protections that are required. Identify any categories of data or classification of data. If the application requirements do not call for compartmentalized data and data protection, this requirement is not applicable. Authenticate to the application as a regular user. Using application functionality, attempt to modify data that has been assigned to a protected category. Perform two modification attempts, one successful and one unsuccessful. Testing this will require obtaining access to test data that has been assigned to a protected category, or having an authorized user access the data for you. Review the log data and ensure both the successful and unsuccessful modification attempts are logged. If the application does not generate an audit record when successful and unsuccessful attempts to modify categories of information occur, this is a finding.
Configure the application to create an audit record for both successful and unsuccessful attempts to modify protected categories of information.
Review the application documentation and interview the application admin to identify application management interfaces and features. Access the application management utility and create a test user account or use the account of a regular privileged user who is cooperating with the testing. Access and open the auditing logs. Using an admin account, delete some or all of the privileges of a privileged user. Attempt to delete privileges in a manner that will cause a failure event such as attempting to delete a user’s privileges with an account that doesn't have the rights to do so. Review the application logs and ensure both events were captured in the logs. The event data should include the user’s identity and the privilege that was granted and the privilege that failed to be granted. If the application does not log when successful and unsuccessful attempts to delete privileges occur, this is a finding.
Configure the application to audit successful and unsuccessful attempts to delete privileges.
Review the application documentation and interview the application administrator. Identify where the application logs are stored. Identify application functionality that provides privilege escalation or access to additional security levels within the application. This can be performing a function that escalates the privileges of the user, or accessing a protected area of the application that requires additional authentication in order to access. Authenticate to the application as a regular user. Using application functionality, attempt to delete permissions of a different security level or domain within the application. Perform two attempts, one successfully and one unsuccessfully. Review the log data and ensure the deletion events, both successful and unsuccessful are logged. If the application does not generate an audit record when successful and unsuccessful attempts to delete permissions regarding the security levels occur, this is a finding.
Configure the application to create an audit record for both successful and unsuccessful attempts to delete security levels.
Review the application documentation and interview the application administrator. Identify where the application logs are stored. Identify application functionality that provides privilege or permission settings to database security objects within the application. This can be an application function that assigns privileges to an application object or data element. Authenticate to the application as a regular user. Using application functionality, attempt to delete the database security object within the application. Perform two attempts, one successfully and one unsuccessfully. Review the log data and ensure the deletion events, both successful and unsuccessful, are logged. If the application does not generate an audit record when successful and unsuccessful attempts to delete database security objects occur, this is a finding.
Configure the application to create an audit record for both successful and unsuccessful attempts to delete database security objects.
Review the application documentation and interview the application administrator. Identify where the application logs are stored. Identify any data protections that are required. Identify any categories of data or classification of data. If the application requirements do not call for compartmentalized data and data protection, this requirement is not applicable. Authenticate to the application as a regular user. Using application functionality, attempt to delete data that has been assigned to a protected category. Perform two modification attempts, one successful and one unsuccessful. Testing this will require obtaining access to test data that has been assigned to a protected category, or having an authorized user access the data for you. Review the log data and ensure both the successful and unsuccessful deletion attempts are logged. If the application does not generate an audit record when successful and unsuccessful attempts to delete categories of information occur, this is a finding.
Configure the application to create an audit record for both successful and unsuccessful attempts to delete protected categories of information.
Review and monitor the application logs. Authenticate to the application and observe if the log includes an entry to indicate the user’s authentication was successful. Terminate the user session by logging out. Reauthenticate using invalid user credentials and observe if the log includes an entry to indicate the authentication was unsuccessful. If successful and unsuccessful logon events are not recorded in the logs, this is a finding.
Configure the application or application server to write a log entry when successful and unsuccessful logon events occur.
Review and monitor the application logs. Authenticate to the application as a privileged user and observe if the log includes an entry to indicate the user’s authentication was successful. Perform actions as an admin or other privileged user such as modifying the logging verbosity, or starting or stopping an application service, or terminating a test user session. If log events that correspond with the actions performed are not recorded in the logs, this is a finding.
Configure the application to write a log entry when privileged activities or other system-level events occur.
Review and monitor the application logs. Initiate a user session and observe if the log includes a time stamp showing the start of the session. Terminate the user session and observe if the log includes a time stamp showing the end of the session. If the start and the end time of the session are not recorded in the logs, this is a finding.
Configure the application or application server to record the start and end time of user session activity.
Review the application documentation and interview the application administrator to identify log locations. Access the application logs. Review the logs and identify if the application is logging both successful and unsuccessful access to application objects such as files, folders, processes, or application modules and sub components, or systems. If the application does not log application object access, this is a finding.
Configure the application to log successful and unsuccessful access to application objects.
Review the application documentation and interview the application administrator. Identify if the application implements a direct access feature or function that allows users to directly access the underlying OS. Direct access includes but is not limited to: executing OS commands, navigating the file system, manipulating system resources such as print queues, or reading files hosted on the OS that are not specifically shared or made available on the website. If the application does not provide direct access to the system, this requirement is not applicable. Access the application logs. Access the application as a user or test user with appropriate permissions and attempt to execute application features and functions that provide direct access to the system. Review the logs and ensure the actions executed were logged. Log information must include the user responsible for executing the action, the action executed, and the result of the action. If the application does not log all direct access to the system, this is a finding.
Configure the application to log all direct access to the system.
Examine the application documentation or interview the application representative to identify how the application users are managed. Interview the application administrator and determine if the application is configured to utilize a centralized user management system such as Active Directory for user management or if the application manages user accounts within the application. If the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable. Identify the location of the audit logs and review the end of the logs. Access the user account management functionality. Create an application test account and then review the log to ensure a log record that documents the event is created. Modify the test account and then review the log to ensure a log record that documents the event is created. Disable the test account and then review the log to ensure a log record that documents the event is created. Terminate/remove the test account and then review the log to ensure a log record that documents the event is created. If log events are not created that document all of these events, this is a finding. If some but not all of the aforementioned events are documented in the logs, this is a finding. Findings should document which of the events was not logged.
Configure the application to log user account creation, modification, disabling, and termination events.
Examine the application design documentation and interview the application administrator to identify application logging behavior. If the application is writing to an existing log or log file: Open and monitor the application log. Start the application service and view the log entries. Log entries indicating the application is starting should commence as soon as the application starts. Determine if the log events correlate with the time the application was started and if event log entries include an application start up sequence of events. If the application writes events to a new log on startup: Identify location logs are written to, start the application and then identify and access the new log. Determine if the log events correlate with the time the application was started and if event log entries include an application start up sequence of events. If the application does not begin logging events upon start up, this is a finding.
Configure the application to begin logging application events as soon as the application starts up.
Review and monitor the application and system logs. If an application shutdown event is not recorded in the logs, either initiate a shutdown event and review the logs after reestablishing access or request backup copies of the application or system logs that indicate shutdown events are being recorded. Alternatively, check for a setting within the application that controls application logging events and determine if application shutdown logging is configured. If the application is not recording application shutdown events in either the application or system log, or if the application is not configured to record shutdown events, this is a finding.
Configure the application or application server to record application shutdown events in the event logs.
If the application design documentation indicates the application does not initiate connections to remote systems this requirement is not applicable. Network connections to systems used for support services such as DNS, AD, or LDAP may be stored in the system logs. These connections are applicable. Identify log source based upon application architecture, design documents and input from application admin. Review and monitor the application or system logs. Connect to the application and utilize the application functionality that initiates connections to a destination system. If the application routinely connects to remote system on a regular basis you may simply allow the application to operate in the background while the logs are observed. Observe the log activity and determine if the log includes an entry to indicate the IP address of the destination system. If the IP address of the remote system is not recorded along with the event in the event log, this is a finding.
Configure the application to record the destination IP address of the remote system.
Review and monitor the application logs. When accessing data, the logs are most likely database logs. If the application design documents include specific data elements that require protection, ensure user access to those data elements are logged. Utilize the application as a regular user and operate the application so as to access data elements contained within the application. This includes using the application user interface to browse through data elements, query/search data elements and using report generation capability if it exists. Observe and determine if the application log includes an entry to indicate the user’s access to the data was recorded. If successful access to application data elements is not recorded in the logs, this is a finding.
Identify the specific data elements requiring protection and audit access to the data.
Review and monitor the application logs. When modifying data, the logs are most likely database logs. If the application design documents include specific data elements that require protection, ensure any changes to those specific data elements are logged. Otherwise, a random check is sufficient. If the application uses a database configured to use Transaction SQL logging this is not a finding if the application admin can demonstrate a process for reviewing the transaction log for data changes. The process must include using the transaction log and some form of query capability to identify users and the data they changed within the application and vice versa. Utilize the application as a regular user and operate the application so as to modify a data element contained within the application. Observe and determine if the application log includes an entry to indicate the users data change event was recorded. If successful changes/modifications to application data elements are not recorded in the logs, this is a finding.
Configure the application to log all changes to application data.
Access the application logs and review the log entries for date and time. Each event written into the log must have a corresponding date and time stamp associated with it. If the audit logs do not have a corresponding date and time associated with each event, this is a finding.
Configure the application or application server to include the date and the time of the event in the audit logs.
Review application administration and/or design documents. Identify key aspects of application architecture objects and components, e.g., Web Server, Application server, Database server. Interview the application administrator and identify the log locations. Access the application logs and review the log entries for events that indicate the application is auditing the internal components, objects, or functions of the application. Confirm the event logs provide information as to which component, feature, or functionality of the application triggered the event. Examples of the types of events to look for are as follows: - Application and Protocol events. e.g., Application loads or unloads and Protocol use. - Data Access events. e.g., Database connections. Events could include reference to database library or executable initiating connectivity: - Middleware events. e.g., Source code initiating calls or being invoked. - Name of application modules being loaded or unloaded. - Library loads and unloads. - Application deployment activity. Events written into the log must be able to be traced back to the originating component, feature or function name, service name, application name, library name etcetera in order to establish which aspect of the application triggered the event. If the audit logs do not contain enough data in the logs to establish which component, feature or functionality of the application triggered the event, this is a finding.
Configure the application to log which component, feature or functionality of the application triggered the event.
If the application is logging locally and does not utilize a centralized logging solution, this requirement is not applicable. Review system documentation and identify log location. Access the application logs. Review the application logs. Ensure the application is uniquely identified either within the logs themselves or via log storage mechanisms. Ensure the hosts or client names hosting the application are also identified. Either hostname or IP address is acceptable. If the application name and the hosts or client names are not identified, this is a finding.
Configure the application logs or the centralized log storage facility so the application name and the hosts hosting the application are uniquely identified in the logs.
Review system and application documentation to identify application operation and function. Access the application logs and review the logs to determine if the results of application operations are logged. Successful application events are expected to far outnumber errors. Therefore, success events may be implied by default and not specified in the logs if this behavior is documented. The outcome will be a log record that displays the application event/operation that occurred followed by the result of the operation such as "ERROR", "FAILURE", "SUCCESS" or "PASS". Operation outcomes may also be indicated by numeric code where a "1" might indicate success and a "0" may indicate operation failure. If the application does not produce audit records that contain information regarding the results of application operations, this is a finding.
Configure the application to include the outcome of application functions or events.
Review system documentation and discuss application operation with application administrator. Identify application processes and application users. Identify application components, e.g., application features framework and function. Identify server components, such as web server, database server. Review application logs. Ensure the application event logs include an identifier or identifiers that will allow an investigator to determine the user or the application process responsible for the application event. If the event logs do not include the appropriate identifier or identifiers, this is a finding.
Configure the application to log the identity of the user and/or the process associated with the event.
Review application documentation and interview application administrator. Identify audit log locations and review audit logs. Access the system as a privileged user and execute privileged commands. Review the application logs and ensure that the logs contain all details of the actions performed. If a privileged command was typed within the application that command text must be included in the logs. Authentication information provided as part of the text must NOT be logged, just the commands. If an action was performed, such as activating a check box, that action must be logged. Review group account users, review logs to determine if the individual users of group accounts are identified in the logs. If the application does not log the full text recording of privileged commands or if the application does not identify and log the individuals associated with group accounts, this is a finding.
Configure the application to log the full text recording of privileged commands or the individual identities of group users.
Review the application documentation and interview the application administrator. Have the application administrator provide configuration settings that demonstrate transaction logging is enabled. Review configuration settings for the location of transaction specific logs and verify transaction logs exist and the log records access and changes to the data. If the application is not configured to utilize transaction logging, this is a finding.
Configure the application database to utilize transactional logging.
Review the application documentation and interview the application administrator to determine the logging architecture of the application. If the application is configured to log application event entries to a centralized, enterprise based logging solution that meets this requirement, the requirement is not applicable. Review the application components and the log management capabilities of the application. Verify the application log management interface includes the ability to centrally manage the configuration of what is captured in the logs of all application components. If the application does not provide the ability to centrally manage the content captured in the audit logs, this is a finding.
Configure the application to utilize a centralized log management system that provides the capability to configure the content of audit records.
Review application documentation and interview application administrator. Identify log functionality and locations of log files. Obtain risk acceptance documentation and task scheduling information. If the application is configured to utilize a centralized logging solution, this requirement is not applicable. Evaluate log management processes and determine if there are automated tasks that move the logs off of the system hosting the application. Verify automated tasks are performed on an ISSO approved schedule (hourly, daily etc.). Automation can be via scripting, log management oriented tools or other automated means. Review risk acceptance documentation for not utilizing a centralized logging solution. If the logs are not automatically moved off the system as per approved schedule, or if there is no formal risk acceptance documentation, this is a finding.
Configure the application to off-load audit records onto a different system as per approved schedule.
Review application documentation and interview application administrator. Evaluate application log management processes and determine if the system is configured to utilize a centralized log management system for the hosting and management of application audit logs. If the system is not configured to write the application logs to the centralized log management repository in an expeditious manner, this is a finding.
Configure the application to utilize a centralized log repository and ensure the logs are off-loaded from the application system as quickly as possible.
Review system documentation and interview application administrator for details regarding logging configuration. If the application utilizes a centralized logging system that provides storage capacity alarming, this requirement is not applicable. Identify application alarming capability relating to storage capacity alarming for the log repository. Coordinate with the appropriate personnel regarding the generation of test alarms. Review log alarm settings and ensure audit log storage capacity alarming is enabled and set to alarm when the storage threshold exceeds 75% of disk storage capacity or the capacity value the SA and ISSO have determined will provide adequate time to plan for capacity expansion. Ensure the alarm will be sent to the ISSO and the application administrator when the utilization threshold is exceeded by changing the threshold settings to below the current disk space utilization. An alarm should be triggered at that point and forwarded to the ISSO and the SA/application admin. If the application is not configured to send an alarm when storage volume exceeds 75% of disc capacity or if the designated alarm recipients did not receive an alarm when the test was conducted, this is a finding.
Configure the application to send an immediate alarm to the application admin/SA and the ISSO when the allocated log storage capacity exceeds 75% of usage or exceeds the capacity value the SA and ISSO have determined will provide adequate time to plan for capacity expansion.
Review system documentation and interview application administrator for details regarding application security categorization and logging configuration. If the application utilizes a centralized logging system that provides the real-time alarms, this requirement is not applicable. Review application log alert configuration. Identify audit failure events and associated alarming configuration. If the application is categorized as having a moderate or high impact and is not configured to provide a real-time alert that indicates the audit system has failed or is failing, this is a finding.
Configure the log alerts to send an alarm when the audit system is in danger of failing or has failed. Configure the log alerts to be immediately sent to the application admin/SA and ISSO.
Review system documentation and interview application administrator for details regarding logging configuration. If the application utilizes a centralized logging system that provides the audit processing failure alarms, this requirement is not applicable. Identify application alarming capability regarding audit processing failure events. Verify the application is configured to alarm when the auditing system fails. Example alarm events include but are not limited to: hardware failure events failures to capture audit record events audit storage errors If the application is not configured to alarm on alerts that indicate the audit system has failed or is failing, this is a finding.
Configure the application to send an alarm in the event the audit system has failed or is failing.
Review system documentation and interview application administrator for details regarding logging configuration. Identify application shut down capability regarding audit processing failure events. Locate and verify application logging settings that specify the application will halt processing on detected audit failure. If ISSO approval to continue operating and not shut down the application upon an audit failure exists and is documented, validate the application is configured as follows: If logging locally and the failure is attributed to a lack of disk space: Ensure the application is configured to overwrite the oldest logs first so as to maintain the most up to date audit events in the event of an audit failure. When logging centrally: Ensure the application is configured to locally spool/queue audit events in the event an audit failure is detected with the centralized system. If the application does not shut down processing when an audit failure is detected, or if the application does not take steps needed to ensure audit events are not lost due to audit failure, this is a finding.
Configure the application to cease processing if the audit system fails or configure the application to continue logging in a manner that compensates for the audit failure.
Review system documentation and interview application administrator for details regarding application architecture and logging configuration. Identify the application components, the logs that are associated with the components and the locations of the logs. If the application utilizes a centralized logging system that provides the capability to review the log files from one central location, this requirement is not applicable. Access the application's log management utility and review the log files. Ensure all of the applications logs are reviewable from within the centralized log management function and access to other systems in order to review application logs are not required. If all of the application logs are not reviewable from a central location, this is a finding.
Configure the application so all of the applications logs are available for review from one centralized location.
Review the system documentation and interview the application administrator for details regarding application architecture and logging configuration. Identify the application components and the logs associated with the components as well as the locations of the logs. If the application utilizes a centralized logging system that provides the capability to filter log events based upon the following events, this requirement is not applicable. Review the application log management utility. Ensure the application provides the ability to filter on audit events based upon the following minimum criteria: Users: e.g., specific users or groups Event types: Event dates and time: System resources involved: e.g., application components or modules. IP addresses: Information objects accessed: Event level categories: e.g., high, critical, warning, error Key words: e.g., a specific search string Additional details may be logged as needed or prescribed by operational requirements. If the application does not provide the ability to filter audit events, this is a finding.
Configure the application filters to search event logs based on defined criteria.
Review the system documentation and interview the application administrator for details regarding application architecture and logging configuration. Identify the application components and the logs associated with the components. If the application utilizes a centralized logging system that provides the capability to generate reports based on filtered log events, this requirement is not applicable. Using the relevant application features for generating reports and/or searching application data, (this is usually executed directly within a logging utility or within a reports feature or function) configure a filter based on any of the security criteria provided below. Alternatively, you can use security-oriented criteria provided by the application administrator. Once the data filter has been selected, filter the audit event data so only filtered data is displayed and generate the report. The report can be any combination of screen-based, soft copy, or a printed report. Criteria: Users: e.g., specific users or groups Event types: Event dates and time: System resources involved: e.g., application components or modules. IP addresses: Information objects accessed: Event level categories: e.g., high, critical, warning, error If the application does not provide on demand reports based on the filtered audit event data, this is a finding.
Configure the application to generate soft copy, hard copy and/or screen-based reports based on the selected filtered event data.
Review the system documentation and interview the application administrator for details regarding application architecture and logging configuration. Identify the application components and the logs associated with the components. If the application utilizes a centralized logging system that provides the capability to generate reports based on filtered log events, this requirement is not applicable. Using the relevant application features for generating reports and/or searching application data, (this is usually executed directly within a logging utility or within a reports feature or function) configure a filter based on any of the security criteria provided below. Alternatively, you can use security-oriented criteria provided by the application administrator. Once the data filter has been selected, filter the audit event data so only filtered data is displayed and generate the report. The report can be any combination of screen-based, soft copy, or a printed report. Criteria: Users: e.g., specific users or groups Event types: Event dates and time: System resources involved: e.g., application components or modules. IP addresses: Information objects accessed: Event level categories: e.g., high, critical, warning, error If the application does not provide an audit reduction capability that supports on-demand reports based on the filtered audit event data, this is a finding.
Configure the application to log to a centralized auditing capability that provides on-demand reports based on the filtered audit event data or design or configure the application to meet the requirement.
Review application documentation and interview application administrator for details regarding audit reduction (log record event filtering). Access the application with user rights sufficient to read and filter audit records. Navigate the application user interface and select the application functionality that provides access and interface to audit records and audit reduction (event filtering). If the application uses a centralized logging solution that performs the audit reduction (event filtering) functions, the requirement is not applicable. Examine the log files; take note of dates and times of events such as logon events. Note: dates and times as well as the original content and any unique record identifiers. Record the identifying information as well as the dates and times and content of the audit records. Apply filters to reduce the amount of audit records displayed to just the logon events for the day. Review the records and ensure the application provides the ability to filter on audit events. If the application does not provide an audit reduction (event filtering) capability, this is a finding.
Configure the application to provide an audit reduction capability that supports forensic investigations.
Review the application documentation and interview the application administrator for details regarding audit reduction (log record event filtering). Access the application with user rights sufficient to read and filter audit records. Navigate the application user interface and select the application functionality that provides access and interface to audit records and audit reporting. If the application uses a centralized logging solution that provides immediate, customizable audit review and analysis functions, the requirement is not applicable. Create an event report. Report data can be based on date ranges, times or events, or other criteria that could be used in an investigation. Use of data from previous checks for audit reduction is encouraged. Review the report and ensure the data in the report coincides with event filters used to create the report. If the application does not provide an immediate, ad-hoc audit review and analysis capability, this is a finding.
Design or configure the application to provide an immediate audit review capability or utilize a centralized utility designed for the purpose of on-demand log management and reporting.
Review the application documentation and interview the application administrator for details regarding audit reduction (log record event filtering). Access the application with user rights sufficient to read and filter audit records. Navigate the application user interface and select the application functionality that provides access and interface to audit records and audit reduction (event filtering). If the application uses a centralized logging solution that provides immediate, customizable, ad-hoc report generation functions, the requirement is not applicable. Create an event report. Report data can be based on date ranges, times or events, or other criteria that could be used in an investigation. Use of data from previous checks for audit reduction is encouraged. Review the report and ensure the data in the report coincides with event filters used to create the report. If the application does not provide customizable, immediate, ad-hoc audit log reporting, this is a finding.
Design or configure the application to provide an on-demand report generation capability or utilize a centralized utility designed for the purpose of on-demand log management and reporting.
Review the application documentation and interview the application administrator for details regarding audit reduction (log record event filtering). Access the application with user rights sufficient to read and filter audit records. Navigate the application user interface and select the application functionality that provides access and interface to audit records and audit reduction (event filtering). If the application uses a centralized logging solution that performs the report generation functions, the requirement is not applicable. Create an event report. Report data can be based on date ranges, times or events, or other criteria that could be used in an investigation. Use of data from previous checks for audit reduction is encouraged. Review the report and ensure the data in the report coincides with event filters used to create the report. If the application does not have a report generation capability that supports after the fact security investigations, this is a finding.
Design or configure the application to provide after-the-fact report generation capability or utilize a centralized utility designed for the purpose of log management and reporting.
Review the application documentation and interview the application administrator for details regarding audit reduction (log record event filtering). Access the application with user rights sufficient to read and filter audit records. Navigate the application user interface and select the application functionality that provides access and interface to audit records and audit reduction (event filtering). If the application uses a centralized logging solution that performs the audit reduction (event filtering) functions, the requirement is not applicable. Examine the log files; take note of dates and times of events such as logon events. Note: dates and times as well as the original content and any unique record identifiers. Record the identifying information as well as the dates and times and content of the audit records. Apply filters to reduce the amount of audit records displayed to just the logon events for the day. Review the records and ensure nothing in the records has changed. Once validated, clear the filter and review the records again to validate nothing changed within the audit record itself. If the application of event filters modifies the original log records, this is a finding.
Configure the application to not alter original log content or time ordering of audit records.
Review the application documentation and interview the application administrator for details regarding audit reduction (log record event filtering). Access the application with user rights sufficient to read and filter audit records. Navigate the application user interface and select the application functionality that provides access and interface to audit records and audit reduction (event filtering). If the application does not provide a report generation capability, the requirement is not applicable. Examine the log files; take note of dates and times of events such as logon events. Note: dates and times as well as the original content and any unique record identifiers. Record the identifying information as well as the dates and times and content of the audit records. Apply filters to reduce the amount of audit records displayed to just the logon events for the day. Review the records and ensure nothing in the records has changed. Once validated, clear the filter and review the records again to validate nothing changed within the audit record itself. If the application of event filters modifies the original log records, this is a finding.
Configure and design the application to not modify source logs when filtering events.
Review the system documentation and interview the application administrator for details regarding application architecture and logging configuration. Identify the application components and the logs associated with the components. Ensure the time written into the logs coincides with the OS timeclock. Access random audit records and review the most recent logs. Access the system OS hosting the application and use the related OS commands to determine the time of the system. Perform an action in the application that causes a log event to be written and review the log to ensure the system times and the application log times correlate; compensating for any time delays that may have occurred between running the OS time command and running the application action. If the application doesn't use the internal system clocks to generate time stamps for the audit event logs, this is a finding.
Configure the application to use the hosting systems internal clock for audit record generation.
Review the system documentation and interview the application administrator for details regarding application architecture and logging configuration. Identify the application components and the logs associated with the components. If the application utilizes the underlying OS system clock, and the system clock is mapped to UTC or GMT, this is not a finding. Identify where clock settings are configured within the application. Access the configuration settings and determine if the application is configured to set the time stamps for audit records according to UTC or GMT (e.g., East coast standard time is represented as GMT -5, east coast daylight savings time is represented as GMT-4). If the application is not configured to map to UTC or GMT, this is a finding.
Configure the application to use the underlying system clock that maps to relevant UTC or GMT timezone.
Review the system documentation and interview the application administrator to determine where application audit logs are written and how time stamps are recorded. If the application utilizes the underlying OS for time stamping and time synchronization when writing the audit logs, this requirement is not applicable. Access and review log files over a period of at least 10 minutes; compare time stamps written in the application log to the system clock to ensure time is synchronized to within 1 second of precision. If the application audit log time stamps differ from the OS time source by more than one second, this is a finding.
Configure the application to leverage the underlying operating system as the time source when recording time stamps or design the application to ensure granularity of 1 second as the minimum degree of precision.
Review the system documentation and interview the application administrator for details regarding application architecture and logging configuration. Identify the application components and the logs associated with the components. Identify the roles and users allowed to access audit information and the circumstances in which they are allowed to read or otherwise access the data. Identify the methods used to manage audit records and audit components. Typical methods are file system-based, via an application user interface via database access or a combination thereof. For file system access: Review file system permissions to ensure the audit logs and the application audit components such as executable files and libraries are protected by adequate file permission restrictions. Permissions must be configured to limit access to only those who have been identified and whose access has been approved. If file permissions are configured to allow unapproved access, this is a finding. For application-oriented and database access: Identify the application module that provides access to audit settings and audit data. Attempt to access audit configuration features and logs by using a regular non-privileged application or database user account. If a non-privileged user account is allowed to access the audit data or the audit configuration settings, this is a finding.
Configure the application to protect audit data from unauthorized access. Limit users to roles that are assigned the rights to view, edit or copy audit data, and establish permissions that control access to the audit logs and audit configuration settings.
Review the system documentation and interview the application administrator for details regarding application architecture and logging configuration. Identify the application components and the logs associated with the components. Identify the roles and users allowed to modify audit information and the circumstances in which they are allowed to modify the data. Identify the methods used to manage audit records and audit components. Typical methods are file system-based, via an application user interface via database access or a combination thereof. For file system access: Review file system permissions to ensure the audit logs and the application audit components such as executable files and libraries are protected by adequate file permission restrictions. Permissions must be configured to limit write/modify access to only those who have been identified and whose access has been approved. If file permissions are configured to allow unapproved write/modify access, this is a finding. For application oriented and database access: Identify the application module that provides access to audit settings and audit data. Attempt to access audit configuration features and logs by using a regular non-privileged application or database user account. Once access has been established, attempt to modify an audit record and attempt to modify the audit settings. If a non-privileged user account is allowed to modify the audit data or the audit configuration settings, this is a finding.
Configure the application to protect audit data from unauthorized modification and changes. Limit users to roles that are assigned the rights to edit audit data and establish permissions that control access to the audit logs and audit configuration settings.
Review the system documentation and interview the application administrator for details regarding application architecture and logging configuration. Identify the application components and the logs associated with the components. Identify the roles and users allowed to delete audit information and the circumstances in which they are allowed to delete the data. Identify the methods used to manage audit records and audit components. Typical methods are file system-based, via an application user interface via database access or a combination thereof. For file system access: Review file system permissions to ensure the audit logs and the application audit components such as executable files and libraries are protected by adequate file permission restrictions. Permissions must be configured to limit deletions to only those who have been identified and whose rights to delete audit data and audit configurations has been approved. If file permissions are configured to allow unapproved deletions of audit settings and data, this is a finding. For application oriented and database access: Identify the application module that provides access to audit settings and audit data. Attempt to access audit configuration features and logs by using a regular non-privileged application or database user account. Once access has been established, attempt to delete a test audit record and attempt to delete a test audit settings. If a non-privileged user account is allowed to delete the audit data or the audit configuration settings, this is a finding.
Configure the application to protect audit data from unauthorized deletion. Limit users to roles that are assigned the rights to delete audit data and establish permissions that control access to the audit logs and audit configuration settings.
Review the system documentation and interview the application administrator for details regarding application architecture, audit methods, and audit tools. Identify the application audit tools and their locations. If the application does not provide a distinct audit tool oriented functionality that is a separate tool with an ability to view and manipulate log data, this requirement is not applicable. Identify the methods used for implementing the audit tool functionality within the application. Typical methods are file system-based, e.g., a separate executable file that when invoked provides audit functionality, an application user interface to an audit module, or a combination thereof. For file system access: Review file system permissions to ensure the application audit components such as executable files and libraries are protected by adequate file permission restrictions. Permissions must be configured to limit access to only those who have been identified and whose access has been approved. If file permissions are configured to allow unapproved access, this is a finding. For circumstances where audit tools are accessed via application sub-modules or menus: Identify the application module that provides access to audit settings and audit data. Attempt to access audit configuration features and logs by using a regular non-privileged application or database user account. If a non-privileged user account is allowed to access the audit data or the audit configuration settings, this is a finding.
Configure the application to protect audit data from unauthorized access. Limit users to roles that are assigned the rights to view, edit or copy audit data, and establish file permissions that control access to the audit tools and audit tool capabilities and configuration settings.
Review the system documentation and interview the application administrator for details regarding application architecture, audit methods, and provided audit tools. Identify the application audit tools and their locations. If the application does not provide a distinct audit tool oriented functionality that is a separate tool with an ability to view and manipulate log data, this requirement is not applicable. Identify the methods used for implementing an audit tool functionality that is separate from the application. Typical methods are file-oriented in nature, e.g., the application includes a separate executable file or library that when invoked allows users to view and manipulate logs. Identify the users with the rights to modify the audit tools. This capability will usually be reserved for admin staff. Review file system permissions to ensure the application audit components such as executable files and libraries are protected by adequate file permission restrictions. File permissions must be configured to limit access to only those users who have been identified and whose access has been approved. If file permissions are configured so as to allow unapproved modifications to the audit tools, this is a finding.
Configure the application to protect audit tools from unauthorized modifications. Limit users to roles that are assigned the rights to edit or update audit tools and establish file permissions that control access to the audit tools and audit tool capabilities and configuration settings.
Review the system documentation and interview the application administrator for details regarding application architecture, audit methods and provided audit tools. Identify the application audit tools and their locations. If the application does not provide a distinct audit tool oriented functionality that is a separate tool with an ability to view and manipulate log data, this requirement is not applicable. Identify the methods used for implementing an audit tool functionality that is separate from the application. Typical methods are file-oriented in nature, e.g., the application includes a separate executable file or library that when invoked allows users to view and manipulate logs. Identify the users with the rights to delete the audit tools. This capability is normally reserved for admin staff. Review file system permissions to ensure the application audit components such as executable files and libraries are protected by adequate file permission restrictions. File permissions must be configured to limit access to only those users who have been identified and whose access has been approved. If file permissions are configured to allow unapproved deletions of the audit tools, this is a finding.
Configure the application to protect audit tools from unauthorized deletions. Limit users to roles that are assigned the rights to edit or delete audit tools and establish file permissions that control access to the audit tools and audit tool capabilities and configuration settings.
Review the application documentation and interview the application administrator. Identify log functionality and locations of log files. If the application does not include a built-in backup capability for backing up its own audit records, this requirement is not applicable. Access the management interface for configuring application audit logs and review the backup settings. If the application backup settings are not configured to backup application audit records every 7 days, this is a finding.
Configure application backup settings to backup application audit logs every 7 days.
Review the system documentation and interview the application administrator for details regarding application architecture, audit methods, and provided audit tools. Identify the location of the application audit information. If the application is configured to utilize a centralized audit log solution that uses cryptographic methods that meet this requirement such as creating cryptographic hash values or message digests that can be used to validate integrity of audit files, the requirement is not applicable. Ask application administrator to demonstrate the cryptographic mechanisms used to protect the integrity of audit data. Verify when application logs are stored on the file system, a process that includes the creation of an integrity check of the audit file being stored is utilized. This integrity check can be the creation of a checksum, message digest or other one-way cryptographic hash of the audit file that is created. If an integrity check is not created to protect the integrity of the audit information, this is a finding.
Configure the application to create an integrity check consisting of a cryptographic hash or one-way digest that can be used to establish the integrity when storing log files.
Review the system documentation and interview the application administrator for details regarding application architecture, audit methods, and provided audit tools. Identify the location of the application audit tools. Separate audit tools will be file-oriented in nature, e.g., the application includes a separate executable file or library that when invoked allows users to view and manipulate logs. If the application does not provide a separate tool in the form of a file which provides an ability to view and manipulate application log data, query data, or generate reports, this requirement is not applicable. If the system hosting the application has a separate file monitoring utility installed that is configured to identify changes to audit tools and alarm on changes to audit tools, this is not applicable. Ask application administrator to demonstrate the cryptographic hashing mechanisms used to create the one way hashes that can be used to validate the integrity of audit tools. For example, "shasum /path/to/file > checksum.filename". Ask the application administrator to provide the list of checksum values and the associated file names of the audit tools. If a cryptographic checksum or hash value of the audit tool file is not created for future reference, this is a finding.
Cryptographically hash the audit tool files used by the application. Store and protect the generated hash values for future reference.
Review the system documentation and interview the application administrator for details regarding application architecture, audit methods, and provided audit tools. Identify the location of the application audit tools. Separate audit tools will be file-oriented in nature, e.g., the application includes a separate executable file or library that when invoked allows users to view and manipulate logs. If the application does not provide a separate tool in the form of a file which provides an ability to view and manipulate application log data, query data or generate reports, this requirement is not applicable. If the system hosting the application has a separate file monitoring utility installed that is configured to identify changes to audit tools and alarm on changes to audit tools, this is not applicable. Ask the application administrator to provide their process for periodically checking the list of checksum values against the associated file names of the audit tools to ensure none of the audit tools have been tampered with. If a cryptographic checksum or hash value of the audit tool file is not periodically checked to ensure the integrity of audit tools, this is a finding.
Establish a process to periodically check the audit tool cryptographic hashes to ensure the audit tools have not been tampered with.
Review the application documentation and interview the application administrator to determine the capabilities of the application as it relates to software installation or product function extension. Identify any software configuration change capabilities which are allowed by design and incorporated into the user interface. An example is utilizing a known software repository of tested and approved extensions, plugins or modules which can be used by application users to extend application features or functions. If the application does not provide the ability to install software components, modules, plugins, or extensions, the requirement is not applicable. Access the application user interface as a regular user, navigate to the application screen that provides the software installation function and attempt to install software components, modules, extensions, or plugins. If the application utilizes an approved repository of approved software that has been tested and approved for all application users to install, this is not a finding. If the application allows regular users to install untested or unapproved software components, extensions, modules, or plugins without explicit authorization, this is a finding.
Configure the application to prohibit user installation of software without explicit permission.
Review the application documentation and configuration settings. Access the application configuration settings interface as a regular non-privileged user. Attempt to make configuration changes to the application. If configuration changes can be made by regular non-privileged users, this is a finding. Review the locations of all configuration files used by the application. Examine the file permission settings and determine who has access to the configuration files. If access permissions to configuration files are not restricted to application administrators, this is a finding.
Configure the application to limit access to configuration settings to only authorized users.
Review the application documentation and configuration settings. Access the application configuration settings interface as a privileged user. Make configuration changes to the application. Review the application audit logs and ensure a log entry is made identifying the privileged user account that was used to make the changes. If application configuration is maintained by using a text editor to modify a configuration file, modify the configuration file with a text editor. Review the system logs and ensure a log entry is made for the file modification that identifies the user that was used to make the changes. If the user account is not logged, or is a group account such as "root", this is a finding. If the user account used to make the changes is not logged in the audit records, this is a finding.
Configure the application to create log entries that can be used to identify the user accounts that make application configuration changes.
Review the application documentation and interview the application administrator to determine the process and commands used for patching the application. Access application configuration settings. Review commands and procedures used to patch the application and ensure a capability exists to prevent unsigned patches from being applied. If the application is not capable of preventing installation of patches and packages that are not signed, or if the vendor does not provide a cryptographic hash value that can be manually checked prior to installation, this is a finding.
Design and configure the application to have the capability to prevent unsigned patches and packages from being installed. Provide a cryptographic hash value that can be verified by a system administrator prior to installation.
Review the application documentation and interview the application administrator to identify the application architecture. Identify application folders where application libraries are stored. Review permissions of application folders and library files contained with the folders to ensure file permissions restrict access to authorized users or processes. Access application configuration settings. Examine settings for capability to update software libraries or extend application functionality via the application. Review user roles and access rights within the application to determine if access to this capability is restricted to authorized users. If file restrictions do not limit write access to library files and if the application does not restrict access to library update functionality, this is a finding.
Configure the application OS file permissions to restrict access to software libraries and configure the application to restrict user access regarding software library update functionality to only authorized users or processes.
Review the application documentation to understand application architecture. Interview the application administrator, obtain and review their application vulnerability scanning process. Request the latest scan results including scan configuration settings. Review scan configurations and ensure coverage of all application architecture has been tested. The proper scanning tool or combination of tools must be utilized in order to ensure the full range of application features and functionality is tested. For example, if the application includes a web interface and a SQL database, then ensure test results for web and SQL vulnerabilities are provided. Although web and SQL applications are included as examples and are the prevalent types of applications, this requirement is not intended to be limited to just the aforementioned application architectures. Ensure test results are provided from all testing tools employed during vulnerability testing. If high risk security vulnerabilities are identified in the scan results, request subsequent test results that indicate the issues have been fixed or mitigated. If the high risk issues identified in the report have not been fixed or mitigated to a level accepted by the ISSO and the ISSM, or if the application administrator cannot produce vulnerability security testing results that cover the range of application functionality, this is a finding.
Configure the application vulnerability scanners to test all components of the application, conduct vulnerability scans on a regular basis and remediate identified issues. Retain scan results for compliance verification.
Review the application documentation and interview the application administrator to determine if policies, rules, or restrictions exist regarding application usage or terms which authorize the conditions of application use. If the policy, terms, or conditions state there are no usage restrictions, this requirement is not applicable. Interview the application administrator, review policy, terms, and conditions documents to determine what the terms and conditions of application usage are. Have the application administrator demonstrate how the program execution is restricted in accordance with the policy terms and conditions. Typical methods include but are not limited to the use of Windows Group Policy, AppLocker, Software Restriction Policies, Java Security Manager, and Role-Based Access Control (RBAC). If application requirements or policy documents specify application execution restriction requirements and the execution of the application or its subcomponents are not restricted in accordance with requirements or policy, this is a finding.
Restrict application execution in accordance with the policy, terms, and conditions specified.
If the application is not a configuration management or similar type of application designed to manage system processes and configurations, this requirement is not applicable. Review the application documentation and interview the application administrator to identify if application whitelisting specifying which applications or application subcomponents are allowed to execute is in use. Check for the existence of policy settings or policy files that can be configured to restrict application execution. Have the application administrator demonstrate how the program execution is restricted. Look for a deny-all, permit-by-exception policy of restriction. Some methods for restricting execution include but are not limited to the use of custom capabilities built into the application or leveraging of Windows Group Policy, AppLocker, Software Restriction Policies, Java Security Manager or Role-Based Access Controls (RBAC). If application whitelisting is not utilized or does not follow a deny-all, permit-by-exception (whitelist) policy, this is a finding.
Configure the application to utilize a deny-all, permit-by-exception policy when allowing the execution of authorized software.
Review the application guidance, application requirements documentation, and interview the application administrator. Identify the application's operational requirements and what services the application is intended to provide users. Review the overall application features and functionality via the user interface. Review and identify installed application software modules via configuration settings. Using the relevant OS commands, identify services running on the system and have the application administrator identify the services related to the application. If the application is operating with extraneous capabilities that have not been defined as required in order to meet mission objectives, this is a finding.
Disable application extraneous application functionality that is not required in order to fulfill the application's mission.
Review the application documentation and configuration. Interview the application administrator. Identify the network ports and protocols that are utilized by the application. Using a combination of relevant OS commands and application configuration utilities, identify the TCP/IP port numbers the application is configured to utilize and is utilizing. Review the PPSM Category Assurance List (CAL) at: https://cyber.mil/ppsm/cal/ Verify the ports used by the application are approved by the PPSM CAL. If the ports are not approved by the PPSM CAL, this is a finding.
Configure the application to utilize application ports approved by the PPSM CAL.
Review the application guidance and interview the application administrator. Identify the application user roles. Identify the methods and manner in which an application user is allowed to escalate their privileges or change their role. Create or utilize an account that has 2 roles within the application, both should be non-administrator. Example: User role and Report Creator role. Authenticate to the application as the user in the User role. Access the application functionality that allows the user to change their role and change from the User role to the Report Creator role. If the user is not prompted to reauthenticate before the user’s role is changed, this is a finding. Log out of the application and log back in as the User role. Access the application functionality that allows the user to escalate their privileges to an administrative user. Attempt to escalate the privileges of the user. If the user is not prompted to reauthenticate before the user is allowed to proceed with escalated privileges, this is a finding.
Configure the application to require reauthentication before user privilege is escalated and user roles are changed.
Review the application guidance and interview the application administrator. Identify the methods and manner in which application devices such as an XML gateway, SOA application gateway, or application firewall is allowed to access the application. Most devices themselves will not change role or authenticators once they are established but will need to periodically re-authenticate. Review the configuration setting in the application where the time period is set to force the device to reauthenticate. Review local policy requirements to determine if reauthentication intervals are specified. If the device is not forced to reauthenticate periodically, this is a finding.
Configure the application to require reauthentication periodically.
Review the application documentation and interview the application administrator to determine how organizational users access the application. If the application is publicly available, providing access to publicly releasable data and the users are non-organizational users such as individuals who no longer have a CAC (e.g., retirees) or members of the public with no requirement for DoD credentials, this requirement is not applicable. The requirement still applies to DoD organizational users and admins when accessing the non-public data areas or system resources of the system. Attempt to access the application and confirm that a unique user account and password or CAC token and pin are required in order to access the application. If the application does not uniquely identify and authenticate users, this is a finding.
Configure the application to uniquely identify and authenticate users and user processes.
Review the application documentation and interview the application administrator to identify application access methods. Ask the application administrator to present both their primary CAC and their Alt. Token. Ask the application administrator to log on to the application using application relevant network based access methods. Attempt to use both CAC and Alt. Tokens to authenticate to the application. Validate the application requests the user to input their CAC PIN and that they cannot perform administrative functions. Have user logoff and reauthenticate with their Alt. Token and that they can perform administrative functions. If the application allows administrative access to the application without requiring an Alt. Token, this is a finding.
Configure the application to use an Alt. Token when providing network access to privileged application accounts.
Review the application documentation and interview the application administrator to identify application access methods. If the application is not PK-enabled due to the hosted data being publicly releasable, this check is not applicable. Ask the application administrator to log on to the application. Have the application admin use their non-privileged credentials. Validate the application prompts the user to provide a certificate from the CAC. If the application allows access without requiring a CAC, this is a finding.
Configure the application to require CAC authentication.
Review the application documentation and interview the application administrator to identify application access methods. If the application is not PK-enabled due to the hosted data being publicly releasable, this check is not applicable. Ask the application administrator to log on to the application. Validate the application prompts the user to provide a certificate from the CAC. Validate the application requests the user to input their CAC PIN. If the application allows access without requiring a CAC, this is a finding.
Configure the application to require CAC authentication.
Review the application documentation and interview the application administrator to identify application access methods. If the application is not PK-enabled due to the hosted data being publicly releasable, this check is not applicable. Ask the application administrator to log on to the application. Have the application admin use their non-privileged credentials. Validate the application prompts the user to provide a certificate from the CAC. Validate the application requests the user to input their CAC PIN. If the application allows access without requiring a CAC or Alt. Token, this is a finding.
Configure the application to require CAC or Alt. Token authentication for non-privileged network access to non-privileged accounts.
Review the application documentation and interview the application administrator to identify application access methods. Ask the application administrator to present both their primary CAC and their Alt. Token. Ask the application administrator to log on to the application using the local application console. Attempt to use both the CAC and Alt. Tokens to authenticate to the application. Validate the application requests the user to input their CAC PIN and that they cannot perform administrative functions. Have user logoff and reauthenticate with their Alt. Token and that they can perform administrative functions. If the application allows administrative access to the application without requiring an Alt. Token, this is a finding.
Configure the application to only use Alt. Tokens when locally accessing privileged application accounts.
Review the application documentation and interview the application administrator to identify application access methods. If the application is not PK-enabled due to the hosted data being publicly releasable, this check is not applicable. Ask the application administrator to log on to the application. Have the application admin use their non-privileged credentials. Validate the application prompts the user to provide a certificate from the CAC. Validate the application requests the user to input their CAC PIN. If the application allows access without requiring a CAC or Alt. Token, this is a finding.
Configure the application to require CAC or Alt. Token authentication for non-privileged network access.
Review the application documentation, examine user accounts, group membership and interview the application administrator to identify group or shared accounts. Document the group or shared account information. If the application does not use group or shared accounts, this requirement is not applicable. Create a test account or use an existing group member account. Ensure the test account is not authenticated to the application and attempt to access the application with the group account credentials. If the application allows access without first requiring the group member to authenticate with their individual credentials, this is a finding.
Design and configure the application to individually authenticate group account members prior to allowing access.
Review application documentation and interview application administrator to identify what authentication mechanisms are used when accessing the application. If the application is hosting publicly releasable information that does not require authentication, or if the application users are not eligible for a DoD CAC as per DoD 8520, this requirement is not applicable. Review to ensure the application is utilizing TLSV1.2 or greater to protect communication and privileged user authentication traffic. Verify the application utilizes a strong authentication mechanism such as Kerberos, IPSEC, or Secure Shell (SSH). - Cryptographically sign web services packets. - Time stamps and cryptographic hashes are used with web services packets. - Use WS_Security for web services. Request the most recent vulnerability scan results and configuration settings. Verify the configuration is set to test for known replay vulnerabilities. Request code review results (if available) and review for issues that have been identified as potential replay attack vulnerabilities. Verify identified issues have been remediated. If the application is not implementing replay-resistant authentication methods applicable to the application architecture, this is a finding.
Design and configure the application to utilize replay-resistant mechanisms when authenticating privileged accounts.
Review the application documentation and interview the application administrator to identify what authentication mechanisms are used when accessing the application. If the application is hosting publicly releasable information that does not require authentication, or if the application users are not eligible for a DoD CAC as per DoD 8520, this requirement is not applicable. Review to ensure the application is utilizing TLSV1.2 or greater to protect communication and non-privileged user authentication traffic. Verify the application utilizes a strong authentication mechanism such as Kerberos, IPSEC, or Secure Shell (SSH). - Cryptographically sign web services packets. - Time stamps and cryptographic hashes are used with web services packets. - Use WS_Security for web services. Request the most recent vulnerability scan results and configuration settings. Verify the configuration is set to test for known replay vulnerabilities. Request code review results (if available) and review for issues that have been identified as potential replay attack vulnerabilities. Verify identified issues have been remediated. If the application is not implementing replay-resistant authentication methods applicable to the application architecture, this is a finding.
Design and configure the application to utilize replay-resistant mechanisms when authenticating non-privileged accounts.
Review the application documentation and interview the application administrator. Determine if mutual authentication is mandated by the data owner or by mission data protection objectives and data type. Review application architecture and design documents. Identify endpoint devices that interact with the application. These can be SOA gateways, VOIP phones, or other devices that are used to connect to and exchange data with the application. If the design documentation specifies, this could potentially also include remote client workstations. In order for two way SSL/mutual authentication to work properly, the server must be configured to request client certificates. Access the applications management console. Navigate to the SSL management utility or web page that is used to configure two way mutual authentication. Verify endpoints are configured for client authentication (mutual authentication). Some application architectures such as Java configure their settings in text/xml formatted files; in that case, have the application administrator identify the configuration files used by the application. E.g., web.xml stored in WEB-INF/ sub directory of the application root folder. Open the web.xml file using a text editor. Verify the application deployment descriptor for the application and the resource requiring protection under the "login-config" element is set to CLIENT-CERT. If SSL mutual authentication is required and is not being utilized, this is a finding.
Configure the application to utilize mutual authentication when specified by data protection requirements.
Review the application documentation, implementation documentation and interview the application administrator. Identify if the application utilizes Web Services/Service-Oriented Architecture (SOA). Using the web services framework that has been implemented, have the application administrator identify the remote devices allowed to communicate to the service provider. If the application is designed to provide end-user, interactive application access only and does not use web services or allow connections from remote devices, this requirement is not applicable. Identify the authentication mechanism used to authenticate the remote consumers/devices. Commonly available authentication methods are Client Certificate Authentication and Basic Authentication. The Basic Authentication method provides insufficient protection for authentication sessions and is not allowed. If no authentication mechanism is used to authenticate remote service consumers/devices, or if Basic Authentication is used to authentication remote service consumers/devices, this is a finding.
Configure the application to authenticate all network connected endpoint devices/service consumers before establishing connections.
Review application documentation and interview application administrator. Identify application data elements and determine if the application is handling/processing non-releasable data. Review the application architecture and design documents. Identify endpoint devices that interact with the application. These can be SOA gateways, VOIP phones, or other devices that are used to connect to and exchange data with the application. If the design documentation specifies it, this could also include remote client workstations. However, this requirement is usually reserved for system-oriented endpoints rather than client workstations. In order for two way SSL/TLS mutual authentication to work properly, the server must be configured to request client certificates. Access the applications management console and navigate to the SSL/TLS management utility or web page that is used to configure two-way mutual authentication. Verify endpoints are configured for client authentication (mutual authentication). Some application architectures configure their settings in text/xml formatted files; in that case, have the application administrator identify the configuration files used by the application (e.g., web.xml stored in WEB-INF/ sub directory of the application root folder). Open the web.xml file using a text editor and verify the application deployment descriptor for the application and the resource requiring protection under the "login-config" element is set to CLIENT-CERT. If SSL/TLS mutual authentication is required due to the application processing non-releasable data and SSL/TLS mutual authentication not being utilized, this is a finding.
Configure the application to utilize mutual authentication when the application is processing non-releasable data.
Review the application documentation and interview the application administrator. If the application is not designed to authenticate devices (such as mobile phones, gateways or other smart devices), or uses DoD PKI certificates to authenticate these devices, this requirement is NA. Access the user management interface for the application. Identify application device IDs. If the application utilizes approved certificates or a centralized authentication store (Active Directory or LDAP) as the authoritative source for application authentication, and the authentication store is configured to meet the requirement to disable device IDs after 35 days of inactivity, this is not a finding. Accounts such as guest and anonymous as well as roles and groups or other identities used to operate the application or to provide limited guest access are not applicable. Access the application user management interface and review the account settings that pertain to devices. Verify the application is configured to disable device accounts that have not been active or logged into the application for the past 35 days. If the application does not disable accounts used to authenticate devices after 35 days of inactivity, this is a finding.
Configure the application to disable device accounts after 35 days of inactivity or to utilize DoD PKI certificates that provide an expiration date.
Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication. If the application does not use passwords, the requirement is not applicable. Access the application management interface and create a test user account or logon to the system with a test account and access the functionality that provides password change capabilities. When prompted to provide the password, attempt to create a password shorter than 15 characters in length. If a password shorter than 15 characters can be created, this is a finding.
Configure the application to require 15 characters in the password.
Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication. If the application does not use passwords, the requirement is not applicable. Access the application management interface and create a test user account or logon to the system with a test account and access the functionality that provides password change capabilities. When prompted to provide the password, attempt to create a password that does not have one upper-case character. If a password without at least one upper-case character can be created, this is a finding.
Configure the application to require at least one upper-case character in the password.
Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication. If the application does not use passwords, the requirement is not applicable. Access the application management interface and create a test user account or logon to the system with a test account and access the functionality that provides password change capabilities. When prompted to provide the password, attempt to create a password that does not have one lower-case character. If a password without at least one lower-case character can be created, this is a finding.
Configure the application to require at least one lower-case character in the password.
Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication. If the application does not use passwords, the requirement is not applicable. Access the application management interface and create a test user account or logon to the system with a test account and access the functionality that provides password change capabilities. When prompted to provide the password, attempt to create a password that does not have one numeric character. If a password without at least one numeric character can be created, this is a finding.
Configure the application to require at least one numeric character in the password.
Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication. If the application does not use passwords, the requirement is not applicable. Access the application management interface and create a test user account or logon to the system with a test account and access the functionality that provides password change capabilities. When prompted to provide the password, attempt to create a password that does not have one special character. If a password without at least one special character can be created, this is a finding.
Configure the application to require at least one special character in the password.
Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication. If the application does not use passwords, the requirement is not applicable. Access the application management interface and create a test user account or logon to the system with a test account and access the functionality that provides password change capabilities. When prompted to provide the password, attempt to change less than 8 characters of the total number of characters in the password. If less than 8 characters of the password are changed, this is a finding.
Configure the application to require the change of at least 8 characters in the password when passwords are changed.
Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication. If the application does not use passwords, the requirement is not applicable. Have the application administrator identify the application's password storage locations. Potential locations include the local file system where the application is stored or in an application-related database table that should not be accessible to application users. Review application files and folders using a text editor or by using a database tool that allows you to view data stored in database tables. Look for indications of stored user information and review that information. Determine if password strings are readable/discernable. Determine if the application uses the MD5 hashing algorithm to create password hashes. If the passwords are readable or there is no indication the application utilizes cryptographic hashing to protect passwords, or if the MD5 hash algorithm is used to create password hashes, this is a finding.
Use strong cryptographic hash functions when creating password hash values. Utilize random salt values when creating the password hash. Ensure strong access control permissions on data files containing authentication data.
Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication. If the application does not use passwords, the requirement is not applicable. Identify when the application transmits passwords. This will most likely be when the user authenticates to the application or when the application authenticates to another resource. Access the application management interface with a test account and access the functionality that requires a password be provided. If the interface is via a web browser, verify the web browser has gone secure prior to entering any password or authentication information. This can be done by viewing the browser and observing a “lock” icon displayed somewhere in the browser as well as an https:// to indicate an SSL connection. Most browsers display this in the upper left hand corner. If the application is transmitting the password rather than the user, obtain design documentation from the application admin that provides the details on how they are protecting the password during transmission. This will usually be via a TLS/SSL tunneled connection or VPN. If the passwords are not encrypted when being transmitted, this is a finding.
Configure the application to encrypt passwords when they are being transmitted.
Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication. If the application does not use passwords, the requirement is not applicable. Access the application management interface and create a test user account or logon to the system with a test account and access the functionality that provides password change capabilities. Attempt to change the password more than once. If a password can be changed more than once within 24 hours, the minimum lifetime setting is not set and this is a finding.
Configure the application to have a minimum password lifetime of 24 hours.
Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication. If the application does not use passwords, the requirement is not applicable. Access the application management interface and view the user password settings page. Review user password settings and validate the application is configured to expire and force a password change after 60 days. If user passwords are not configured to expire after 60 days, or if the application does not have the ability to control this setting, this is a finding.
Configure the application to have a maximum password lifetime of 60 days.
Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication. If the application does not use passwords, the requirement is not applicable. Access the application management interface and view the user password settings page. Review user password settings and validate the application is configured to prohibit password reuse for a minimum of 5 password generations. If the application does not prevent users from reusing their previous 5 passwords, or if the application does not have the ability to control this setting, this is a finding.
Configure the application to prohibit password reuse for up to 5 passwords.
Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication. If the application does not use passwords, the requirement is not applicable. Access the application management interface and view the user password settings page. Review user password settings and validate the application is configured to specify when a password is temporary and force a password change when the administrator either creates a new user account or changes a user’s password. If the application can not specify a password as temporary and force the user to change the temporary password upon successful authentication, this is a finding.
Configure the application to specify when a password is temporary and change the temporary password on the first use.
Review the application documentation and interview application administrator. Determine if the application utilizes passwords. If the application does not utilize passwords, the requirement is NA. Identify the processes, commands or web pages the application uses to allow application users to change their own passwords. This includes but is not limited to password resets. If the application does not allow users to change or reset their passwords, the requirement is NA. Obtain two application test accounts, referred to here as User A and User B. Access the application as User A. Utilize the application password reset or change processes and determine if User A is allowed to specify or otherwise force a password change for User B. If User A is allowed to change or force a reset of User B's password, this is a finding.
Use a CAC to authenticate users instead of using passwords. If application users are prohibited or prevented from obtaining a CAC due to DoD policy requirements and passwords are the only viable option, design the application to utilize a secure password change or password reset process. Utilize out of band (OOB) communication techniques to communicate password change requests to users. Ensure verification processes exist that allow users to validate the change request prior to implementing the password change. Ensure users are only allowed to change their own passwords.
Review the application documentation and interview the application administrator. Identify the user management functions of the application and create a test user account. Access the application and perform application functions as the test user. Access the user management functions and delete the test account while the test user sessions are still active. Verify the test user application sessions are terminated by attempting to perform additional application functions. If the test user retains access after the test account has been deleted, this is a finding.
Configure the application to terminate existing sessions of users whose accounts are deleted.
Review the application documentation, the application architecture and interview the application administrator to identify the method employed by the application for validating certificates. Review the method to determine if a certification path that includes status information is constructed when certificate validation occurs. Some applications may utilize underlying OS certificate validation and certificate path building capabilities while others may build the capability into the application itself. The certification path will include the intermediary certificate CAs along with a status of the CA server's signing certificate and will end at the trusted root anchor. If the application does not construct a certificate path to an accepted trust anchor, this is a finding.
Design the application to construct a certification path to an accepted trust anchor when using PKI-based authentication.
Review the application documentation and interview the application administrator to identify where the application's private key is stored. If the application does not perform code signing or other cryptographic tasks requiring a private key, this requirement is not applicable. Ask the administrator to demonstrate where the application private key(s) are stored. Examine access restrictions and ensure access controls are in place to restrict access to the private key(s). If the key(s) are stored on the file system, ensure adequate file permissions are set so as to only allow authorized users and processes. If the key(s) are maintained or available via an application interface, ensure the application provides access controls that limit access via the application interface to only authorized users and processes. Review access controls and attempt to use a relevant user account, group or application role that is not allowed access to the private key. Verify access to the keys is denied. If unauthorized access is granted to the private key(s), this is a finding.
Configure the application or relevant access control mechanism to enforce authorized access to the application private key(s).
Review the application documentation and interview the application administrator to identify how the application maps individual user certificates or group accounts to individual users. Access the application as a regular user while reviewing the application logs to determine if the application records the individual name of the user or if the application only includes certificate information. If the application only logs certificate information which contains no discernable user data, ask the system admin what their process is for mapping the certificate information to the user. If the application does not map the certificate data to an individual user or group, or if the administrator has no automated process established for determining the identity of the user, this is a finding.
Configure the application to map certificate information to individual users or group accounts or create a process for automatically determining the individual user or group based on certificate information provided in the logs.
Review the application documentation and interview the system administrator to identify how the application checks certificate revocation. If the application resides on the SIPRNET and does not have access to the root CAs this requirement is not applicable. Different application frameworks may handle this requirement for the developer or the developer may have chosen to implement their own implementation for managing and implementing the CRL. Have the administrator demonstrate the process used for obtaining and importing the CRL. CAs may publish the CRL in an LDAP directory or it may be posted to an HTTP server. Verify the application is configured to import the CRL on a regular basis. Have the administrator demonstrate the configuration setting that enables CRL checking in the event the OCSP server is not available. If the application is not configured to implement a CRL, this is a finding.
Implement a Certificate Revocation List (CRL) import process and configure the application to check the CRL if OCSP is not available.