Rule ID
SV-222463r961827_rule
Version
V6R4
CCIs
Privileged activities include the tasks or actions taken by users in an administrative role (admin, backup operator, manager, etc.) which are used to manage or reconfigure application function. Examples include but are not limited to: Modifying application logging verbosity, starting or stopping of application services, application user account management, managing application functionality, or otherwise changing the underlying application capabilities such as adding a new application module or plugin. Privileged access does not include an application design which does not modify the application but does provide users with the functionality or the ability to manage their own user specific preferences or otherwise tailor the application to suit individual user needs based upon choices or selections built into the application.
Review and monitor the application logs. Authenticate to the application as a privileged user and observe if the log includes an entry to indicate the user’s authentication was successful. Perform actions as an admin or other privileged user such as modifying the logging verbosity, or starting or stopping an application service, or terminating a test user session. If log events that correspond with the actions performed are not recorded in the logs, this is a finding.
Configure the application to write a log entry when privileged activities or other system-level events occur.