WBLC-01-000018 - Oracle WebLogic must automatically audit account creation - Auditing Provider

Information

Application servers require user accounts for server management purposes, and if the creation of new accounts is not logged, there is limited or no capability to track or alarm on account creation. This could result in the circumvention of the normal account creation process and introduce a persistent threat. Therefore, an audit trail that documents the creation of application user accounts must exist.

An application server could possibly provide the capability to utilize either a local or centralized user registry. A centralized, enterprise user registry such as AD or LDAP is more likely to already contain provisions for automated account management, whereas a localized user registry will rely upon either the underlying OS or built-in application server user management capabilities. Either way, application servers must create a log entry when accounts are created.

Solution

1. Access AC
2. From 'Domain Structure', select 'Security Realms'
3. Select realm to configure (default is 'myrealm')
4. Select 'Providers' tab -> 'Auditing' tab
5. Utilize 'Change Center' to create a new change session
6. Click 'New'. Enter a value in 'Name' field and select an auditing provider type (ex: DefaultAuditor) in the 'Type' dropdown. Click 'OK'.
7. From 'Domain Structure', select the top-level domain link
8. Click 'Advanced' near the bottom of the page
9. Set 'Configuration Audit Type' dropdown to 'Change Log and Audit'
10. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_WebLogic_Server_12c_V2R1_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(4), CAT|II, CCI|CCI-000018, Rule-ID|SV-235933r628577_rule, STIG-ID|WBLC-01-000018, STIG-Legacy|SV-70469, STIG-Legacy|V-56215, Vuln-ID|V-235933

Plugin: Windows

Control ID: 142ca003a6b224958d62ba4b6a1d6a673963bda13764f851c6064ef67ec2a5d2