STIGQter STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 4 Release: 9 Benchmark Date: 25 Jan 2019: The application must map the authenticated identity to the individual user or group account for PKI-based authentication.

DISA Rule

SV-84775r1_rule

Vulnerability Number

V-70153

Group Title

SRG-APP-000177

Rule Version

APSC-DV-001830

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the application to map certificate information to individual users or group accounts or create a process for automatically determining the individual user or group based on certificate information provided in the logs.

Check Contents

Review the application documentation and interview the application administrator to identify how the application maps individual user certificates or group accounts to individual users.

Access the application as a regular user while reviewing the application logs to determine if the application records the individual name of the user or if the application only includes certificate information.

If the application only logs certificate information which contains no discernable user data, ask the system admin what their process is for mapping the certificate information to the user.

If the application does not map the certificate data to an individual user or group, or if the administrator has no automated process established for determining the identity of the user, this is a finding.

Vulnerability Number

V-70153

Documentable

False

Rule Version

APSC-DV-001830

Severity Override Guidance

Review the application documentation and interview the application administrator to identify how the application maps individual user certificates or group accounts to individual users.

Access the application as a regular user while reviewing the application logs to determine if the application records the individual name of the user or if the application only includes certificate information.

If the application only logs certificate information which contains no discernable user data, ask the system admin what their process is for mapping the certificate information to the user.

If the application does not map the certificate data to an individual user or group, or if the administrator has no automated process established for determining the identity of the user, this is a finding.

Check Content Reference

M

Target Key

3009

Comments