STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version 5, Release 1, Benchmark Date: 23 Oct 2020

The application must not write sensitive data into the application logs.

DISA Rule

SV-222444r508029_rule

Vulnerability Number

V-222444

Group Title

SRG-APP-000089

Rule Version

APSC-DV-000650

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Design or reconfigure the application to not write sensitive data to the logs.

Check Contents

Review the application logs and identify the application's logging format. Using the log format and the data you need to find as a guide, create search strings that could successfully identify the presence of passwords, session IDs, or other sensitive information such as SSNs.

The following examples, which use the UNIX grep search utility, are meant to illustrate the purpose of the requirement.

Password values are usually associated with usernames, so searching for "username" in the provided log file will often assist in determining whether password values are included.

grep -i "username" < logfile.txt

Search for social security numbers in the provided log file (the -E option is required so that grep interprets the {n} and ? operators as extended regular expression syntax rather than literal characters):

grep -Ei "[0-9]{3}[-]?[0-9]{2}[-]?[0-9]{4}" < logfile.txt

Use regular expressions to aid in searching log files. Not all search syntax can be provided within the STIG; the reviewer must use their knowledge to create new search criteria based upon the log format used and the potentially sensitive data processed by the application.

If the application logs sensitive data such as session IDs, application source code, encryption keys, or passwords, this is a finding.
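The searches above, as an added example that is not part of the STIG text: a POSIX shell script that builds a constructed sample log, runs extended-regex grep searches for each category of sensitive data the check names, and reports only match counts so that the sensitive values are not echoed into yet another log. The category patterns and the sample log lines are assumptions for illustration, not DISA's.

```shell
#!/bin/sh
# Added example (not from the STIG): scan a log file for the kinds of
# sensitive data the check describes and report how many lines match.

make_sample_log() {
  # Constructed sample log lines, written to the path given as $1
  cat > "$1" <<'EOF'
2020-10-23T10:01:02Z INFO  login ok username=alice
2020-10-23T10:01:03Z DEBUG auth request username=bob password=Sup3rSecret!
2020-10-23T10:02:10Z INFO  session created sessionid=9f8e7d6c5b4a3f2e1d0c
2020-10-23T10:03:44Z WARN  customer lookup ssn=123-45-6789
2020-10-23T10:04:00Z INFO  order shipped id=20201023
EOF
}

# Print the number of lines in log file $2 matching category $1.
# Patterns are assumptions; adapt them to the real log format.
count_sensitive() {
  case "$1" in
    username) pattern='username' ;;
    password) pattern='(password|passwd|pwd)[[:space:]]*[=:]' ;;
    session)  pattern='(session[_-]?id|jsessionid|sid)[[:space:]]*[=:]' ;;
    # Digit boundaries on both sides keep 8-digit order ids and
    # timestamps from being counted as SSNs.
    ssn)      pattern='(^|[^0-9])[0-9]{3}-?[0-9]{2}-?[0-9]{4}($|[^0-9])' ;;
    *) echo "unknown category: $1" >&2; return 2 ;;
  esac
  # -E enables {n} and ?, -i ignores case, -c prints a count only;
  # grep exits 1 when the count is 0, which is not an error here.
  grep -Eic "$pattern" "$2" || true
}

# Stand-alone run: build the sample log and report counts per category
log=$(mktemp)
make_sample_log "$log"
for category in username password session ssn; do
  printf '%s: %s matching line(s)\n' "$category" "$(count_sensitive "$category" "$log")"
done
rm -f "$log"
```

Any non-zero count is a line to inspect by hand; under this rule a confirmed password, session ID, key or similar value in the log is a finding.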

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4093

Comments