The WebSphere Liberty Server must generate log records for authentication and authorization events.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-250350	SRG-APP-000499-AS-000224	IBMW-LS-001190	SV-250350r961812_rule	2025-02-11	2

Description
Enabling authentication (SECURITY_AUTHN) and authorization (SECURITY_AUTHZ) event handlers configures the server to record security authorization and authentication events. By logging these events, the logs can be analyzed to identify activity that could be related to security events and to aid post mortem forensic analysis. Satisfies: SRG-APP-000499-AS-000224, SRG-APP-000495-AS-000220, SRG-APP-000503-AS-000228, SRG-APP-000504-AS-000229, SRG-APP-000505-AS-000230, SRG-APP-000506-AS-000231, SRG-APP-000509-AS-000234, SRG-APP-000092-AS-000053

Description

Enabling authentication (SECURITY_AUTHN) and authorization (SECURITY_AUTHZ) event handlers configures the server to record security authorization and authentication events. By logging these events, the logs can be analyzed to identify activity that could be related to security events and to aid post mortem forensic analysis. Satisfies: SRG-APP-000499-AS-000224, SRG-APP-000495-AS-000220, SRG-APP-000503-AS-000228, SRG-APP-000504-AS-000229, SRG-APP-000505-AS-000230, SRG-APP-000506-AS-000231, SRG-APP-000509-AS-000234, SRG-APP-000092-AS-000053

ℹ️ Check
Review the ${server.config.dir}/server.xml file, verify the audit-1.0 feature is enabled. Also verify the auditFile Handler is configured to log AUTHN and AUTHZ events. If the audit1.0 feature is not enabled, this is a finding. If the SECURITY_AUTHN and SECURITY_AUTHZ event handlers are not configured, this is a finding. <featureManager> <feature>audit-1.0</feature> </featureManager> <auditFileHandler> <events name="AllAuthn" eventName="SECURITY_AUTHN" /> <events name="AllAuthz" eventName="SECURITY_AUTHZ" /> </auditFileHandler>

ℹ️ Check

Review the ${server.config.dir}/server.xml file, verify the audit-1.0 feature is enabled. Also verify the auditFile Handler is configured to log AUTHN and AUTHZ events. If the audit1.0 feature is not enabled, this is a finding. If the SECURITY_AUTHN and SECURITY_AUTHZ event handlers are not configured, this is a finding. <featureManager> <feature>audit-1.0</feature> </featureManager> <auditFileHandler> <events name="AllAuthn" eventName="SECURITY_AUTHN" /> <events name="AllAuthz" eventName="SECURITY_AUTHZ" /> </auditFileHandler>

✔️ Fix
Modify the ${server.config.dir}/server.xml file and configure the audit-1.0 feature. <featureManager> <feature>audit-1.0</feature> </featureManager> Configure the auditFileHandler setting to record SECURITY_AUTHN and SECURITY_AUTHZ events. <auditFileHandler> <events name="AllAuthn" eventName="SECURITY_AUTHN"/> <events name="AllAuthz" eventName="SECURITY_AUTHZ" /> </auditFileHandler> Review audit logs located under the ${server.config.dir}/logs directory and ensure AUTHN and AUTHZ events are logged.

✔️ Fix

Modify the ${server.config.dir}/server.xml file and configure the audit-1.0 feature. <featureManager> <feature>audit-1.0</feature> </featureManager> Configure the auditFileHandler setting to record SECURITY_AUTHN and SECURITY_AUTHZ events. <auditFileHandler> <events name="AllAuthn" eventName="SECURITY_AUTHN"/> <events name="AllAuthz" eventName="SECURITY_AUTHZ" /> </auditFileHandler> Review audit logs located under the ${server.config.dir}/logs directory and ensure AUTHN and AUTHZ events are logged.