The ColdFusion log information must be protected from any type of unauthorized deletion through the Administrator Console.

From Adobe ColdFusion 11 Security Technical Implementation Guide

Part of SRG-APP-000120-AS-000080

Associated with: CCI-000164

SV-76871r1_rule The ColdFusion log information must be protected from any type of unauthorized deletion through the Administrator Console.

Vulnerability discussion

When a system is attacked, one of the tasks of the attacker is to cover his tracks by deleting log files or log data. This enables the attacker to go unnoticed and to make later forensic analysis of the attack difficult, if not impossible. To protect the log information from deletion and discover the attacker quickly, the log files must be protected. This protection must take place at both the Administrator Console and at the OS level. Within the Administrator Console, the protection can be performed by giving users the proper roles and only giving log deletion to those that need that capability to perform their job duties. At the OS level, protecting the logs from deletion is performed by assigned the proper privileges to the log files and also giving OS users limited roles.

Check content

Review the roles assigned to the defined users within the "User Manager" page under the "Security" menu. Only users given the responsibility to delete logs should have the Debugging and Logging>Logging role assigned. If any user, other than those assigned the capability to delete logs, is assigned this role, this is a finding.

Fix text

Enable the Debugging and Logging>Logging role for those users that require the ability to delete log files. This parameter is set in the "User Manager" page under the "Security" menu.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer