The ColdFusion log information must be protected from any type of unauthorized read access by having file permissions set properly.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-62377	CF11-02-000050	SV-76867r1_rule		Medium

Description
Allowing any user to view log messages provides information to individuals that may be used to compromise the system. This information may provide system design, user access/IP addresses, interconnected systems, and security settings such as encryption used and version numbers. Controlling read access to this data, either through the Administrator Console or through the OS, must be controlled or limited to only those individuals who need access to fulfill their responsibilities.

Description

Allowing any user to view log messages provides information to individuals that may be used to compromise the system. This information may provide system design, user access/IP addresses, interconnected systems, and security settings such as encryption used and version numbers. Controlling read access to this data, either through the Administrator Console or through the OS, must be controlled or limited to only those individuals who need access to fulfill their responsibilities.

STIG	Date
Adobe ColdFusion 11 Security Technical Implementation Guide	2017-12-31

Details

Check Text ( C-63181r1_chk )
Locate the logs directory for ColdFusion. The location can be found in the Administrator Console within the "Logging Settings" page under the "Debugging & Logging" menu. The log directory and log files should have the following permissions: ColdFusion running on Windows should have Full control for the Administrators group and the user running ColdFusion. ColdFusion running on Linux should have the permissions set to "750" or more restrictive. If the permissions are not set correctly for the log directory and log files, this is a finding.

Check Text ( C-63181r1_chk )

Locate the logs directory for ColdFusion. The location can be found in the Administrator Console within the "Logging Settings" page under the "Debugging & Logging" menu. The log directory and log files should have the following permissions:

ColdFusion running on Windows should have Full control for the Administrators group and the user running ColdFusion.

ColdFusion running on Linux should have the permissions set to "750" or more restrictive.

If the permissions are not set correctly for the log directory and log files, this is a finding.

Fix Text (F-68297r1_fix)
Locate the logs directory for ColdFusion. The location can be found in the Administrator Console within the "Logging Settings" page under the "Debugging & Logging" menu. The log directory and log file permissions can be set by: ColdFusion running on Windows 1. Right click on the logs directory for ColdFusion and select "Properties". 2. Click on the "Security" tab and then click the "Advanced" button. 3. On the "Permissions" tab, click the "Disable inheritance" button and select "Remove all inherited permissions from this object." 4. Click the "Add" button, in the permission Entry dialog, click "Select a principal." 5. Enter the user that is running the ColdFusion service and give this user Full control and click "OK" to save. 6. Click the "Add" button again, in the permission Entry dialog, click "Select a principal." 7. Enter the Administrators group and give the group Full control and click "OK" to save. 8. Check the checkbox to "Replace all child object permission entries with inheritable permission entries from this object". 9. Click "OK" to apply these permissions. ColdFusion running on Linux Use the chmod command to set the permissions correctly. For example, if the log directory is located at /opt/cf11/cfusion/logs, the command would be: chmod -R 750 /opt/cf11/cfusion/logs

Fix Text (F-68297r1_fix)

Locate the logs directory for ColdFusion. The location can be found in the Administrator Console within the "Logging Settings" page under the "Debugging & Logging" menu. The log directory and log file permissions can be set by:

ColdFusion running on Windows
1. Right click on the logs directory for ColdFusion and select "Properties".
2. Click on the "Security" tab and then click the "Advanced" button.
3. On the "Permissions" tab, click the "Disable inheritance" button and select "Remove all inherited permissions from this object."
4. Click the "Add" button, in the permission Entry dialog, click "Select a principal."
5. Enter the user that is running the ColdFusion service and give this user Full control and click "OK" to save.
6. Click the "Add" button again, in the permission Entry dialog, click "Select a principal."
7. Enter the Administrators group and give the group Full control and click "OK" to save.
8. Check the checkbox to "Replace all child object permission entries with inheritable permission entries from this object".
9. Click "OK" to apply these permissions.

ColdFusion running on Linux
Use the chmod command to set the permissions correctly. For example, if the log directory is located at /opt/cf11/cfusion/logs, the command would be:
chmod -R 750 /opt/cf11/cfusion/logs