Add security audit logging to gather login info

by David Goodale on February 21, 2017

Need to provide application-level audit logging for logins, logouts and password changes.

Log the following information at the SSO level.

  • Type of event (log off, log on, password change)
  • User_id
  • Date and Time
  • Device ID (IP address and/or hostname)
  • All login attempts, successful or failed
  • Creation, deletion or alteration of passwords
  • Ideas
  • Target Release: 2HCY'17

  • Commented by Beth on March 24, 2017

    This would include audits for users logging in with both username/password, and CAC?

  • Commented by Richard Weedon on March 20, 2017

    Also would like 30/60/90-day auto-account disabling for dormant activity. Actions should be deactivate, "Click Here to accept TOE again", or have an account admin approve reactivation. Reporting on all of this is key for C&A validation.

    I have not tried LDAP integration, but what often occurs is that a system that uses LDAP does not record an actual login for that user in AD. So an AD that is configured to DoD standards disables a user account for inactivity even though it is active, but only through SBM.

    On this same topic, the ability to disable identity transformation from X509 fields would be useful. Then have an account "subject" field explicitly define each user, essentially having a GUI for cert_2_user_mapping.xml. Then changes to these fields fall under the same auditing umbrella as other Sec Audit objects. Send all of this to a separate DB or syslog destination.

    All of these capability requirements are touched on in the Application Server, Website, Network Management, and Enclave Computing STIGs. They repeatedly ask for all these same things.
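As an added example (not part of this idea or of SBM itself), the following Python takes audit records shaped like the fields listed in the request and implements two of the checks the thread asks for: flagging accounts dormant past 30/60/90 days based on the SSO's own successful logons, and spotting bursts of failed logons per user. The JSON-lines layout, field names and sample records are constructed assumptions, not SBM's format.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample SSO audit records (JSON lines), one per event, carrying the
# fields the request lists: event type, user id, date/time, device id, outcome.
SAMPLE_LOG = """\
{"event":"logon","user_id":"alice","time":"2017-02-01T09:00:00Z","device":"10.0.0.5","outcome":"success"}
{"event":"logon","user_id":"bob","time":"2017-01-10T08:00:00Z","device":"10.0.0.7","outcome":"success"}
{"event":"logon","user_id":"bob","time":"2017-02-20T08:00:00Z","device":"10.0.0.7","outcome":"failure"}
{"event":"logon","user_id":"bob","time":"2017-02-20T08:00:05Z","device":"10.0.0.7","outcome":"failure"}
{"event":"logon","user_id":"bob","time":"2017-02-20T08:00:09Z","device":"10.0.0.7","outcome":"failure"}
{"event":"logon","user_id":"carol","time":"2016-10-01T12:00:00Z","device":"host-carol","outcome":"success"}
{"event":"password_change","user_id":"carol","time":"2016-11-01T12:00:00Z","device":"host-carol","outcome":"success"}
"""

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_events(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["time"] = parse_time(e["time"])
    return events

def dormant_accounts(events, now, thresholds=(30, 60, 90)):
    """Per user: the largest threshold (days) exceeded since the last successful
    logon, or None if active. Only logon events count: a password change alone does not keep an account alive."""
    last = {}
    for e in events:
        if e["event"] == "logon" and e["outcome"] == "success":
            last[e["user_id"]] = max(last.get(e["user_id"], e["time"]), e["time"])
    return {u: max([d for d in thresholds if (now - t).days >= d], default=None) for u, t in last.items()}

def failed_logon_bursts(events, window=timedelta(minutes=1), limit=3):
    """Users with at least `limit` failed logons inside any span of length `window`."""
    fails = {}
    for e in events:
        if e["event"] == "logon" and e["outcome"] == "failure":
            fails.setdefault(e["user_id"], []).append(e["time"])
    return sorted(u for u, ts in fails.items()
                  if any(b - a <= window for a, b in zip(sorted(ts), sorted(ts)[limit - 1:])))

def audit_report(text, now_iso):
    """Run both checks over a log text; `now_iso` is the evaluation time (UTC, ISO 8601)."""
    events = parse_events(text)
    return dormant_accounts(events, parse_time(now_iso)), failed_logon_bursts(events)
```

In production the records would come from the separate DB or syslog destination the comment suggests, and the dormancy result would drive the deactivate / re-accept-TOE / admin-approval actions rather than just a report.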

  • Commented by David J. Easter on March 16, 2017

    We'll put this under consideration for the 2HCY'17 release.
