WBSP-AS-000100 - The WebSphere Application Server audit event type filters must be configured.

Information

Logging must be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident.

Remote access by administrators requires that the admin activity be logged.

Application servers provide a web and command line-based remote management capability for managing the application server. Application servers must ensure that all actions related to administrative functionality such as application server configuration are logged.

Satisfies: SRG-APP-000016-AS-000013, SRG-APP-000343-AS-000030, SRG-APP-000089-AS-000050, SRG-APP-000495-AS-000220, SRG-APP-000499-AS-000224, SRG-APP-000503-AS-000228, SRG-APP-000504-AS-000229, SRG-APP-000505-AS-000230, SRG-APP-000506-AS-000231, SRG-APP-000093-AS-000054, SRG-APP-000095-AS-000056, SRG-APP-000097-AS-000060, SRG-APP-000098-AS-000061, SRG-APP-000099-AS-000062, SRG-APP-000100-AS-000063, SRG-APP-000101-AS-000072, SRG-APP-000381-AS-000089, SRG-APP-000080-AS-000045

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

In the administrative console, navigate to Security >> Security auditing >> Event type Filters.

Click the 'New' button to create a new filter; give it a unique name.

Select SECURITY_AUTHN, SECURITY_AUTHZ, SECURITY_AUTHN_TERMINATE, and ADMIN_REPOSITORY_SAVE from 'Selectable events'.

Add them to the 'Enabled events' box by clicking on the right arrow.

Select INFO, ERROR, SUCCESS, DENIED, REDIRECT, and WARNING from the 'Selectable event outcomes' box.

Click the right arrow to fill in 'Enabled events outcomes' box.

Click 'OK'.

Restart the DMGR and all the JVMs.

See Also

http://iasecontent.disa.mil/stigs/zip/U_IBM_WebSphere_Traditional_V9-x_V1R1_STIG.zip