Detections
Analytics
WBLC-02-000065 - Oracle WebLogic must compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance.
Information
Audit generation and audit records can be generated from various components within the application server. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (e.g., auditable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked).The events occurring must be time-correlated in order to conduct accurate forensic analysis. In addition, the correlation must meet a certain tolerance criteria. For instance, DoD may define that the time stamps of different audited events must not differ by any amount greater than ten seconds. It is also acceptable for the application server to utilize an external auditing tool that provides this capability.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
1. Access AC2. From 'Domain Structure', select 'Services' -> 'Data Sources'
3. Utilize 'Change Center' to create a new change session
4. Click 'New' data source to create a new data source for the audit data store using schema IAU_APPEND
5. Enter database details and JNDI name, click through wizard
6. Select all servers and clusters available as targets to deploy this data source to
7. Finish creating the data source and record the JNDI name
8. Access EM
9. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Security Provider Configuration'
10. Beneath 'Audit Service' section, click 'Configure' button
11. Set the values for the IAU_APPEND schema and save configuration
12. Repeat steps 2-7 for data source named 'wls-wldf-storeDS' and WLS schema
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_WebLogic_Server_12c_V2R1_STIG.zip
Item Details
Audit Name: Oracle WebLogic Server 12c Linux v2r1 Middleware
Category: AUDIT AND ACCOUNTABILITY
References: 800-53|AU-12(1), CAT|III, CCI|CCI-000174, Rule-ID|SV-235940r628598_rule, STIG-ID|WBLC-02-000065, STIG-Legacy|SV-70483, STIG-Legacy|V-56229, Vuln-ID|V-235940
Plugin: Unix
Control ID: a8fe5e373ff677076b320c2dbdaab562ec1a81960f8003d40e6ff5dad6e50093