The audit information produced by MarkLogic Server must be protected from unauthorized modification.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-220350	ML09-00-002000	SV-220350r622777_rule		Medium

Description
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. This requirement can be achieved through multiple methods that will depend upon system architecture and design. Some commonly employed methods include ensuring log files enjoy the proper file system permissions and limiting log data locations. Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights that the user enjoys in order to make access decisions regarding the modification of audit data. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Modification of database audit data could mask the theft of, or the unauthorized modification of, sensitive data stored in the database. When auditing is enabled, MarkLogic Server writes audit events to the AuditLog.txt file. Each host in a cluster maintains its own audit log files. Some actions might trigger multiple audit events, and those events might be logged over multiple hosts, as events are audited on the host in which the event occurs. For more information about the audit events, see Auditable Events. Note the following about the audit event log files: - Writes messages to AuditLog.txt file for various events. - Each event has a timestamp, event type, user, role, and other information relevant to the event (e.g., document URI for document-read event). For an example of log entries, see Sample Audit Logs. - How often to rotate the audit files (similar to the log files, as described in Log Files) can be configured. - The Audit log files are stored in the same directory as the Access log files (port_AccessLog.txt) and the Error log files (ErrorLog.txt), which is in the <marklogic-data-dir>/Logs directory. These files are private to the host in which the audit event occurred. - View the current or any archived file log at any time using standard text file viewing tools. Additionally, the log files can be accessed from the Log tab on the main page of the Admin Interface.

Description

If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. This requirement can be achieved through multiple methods that will depend upon system architecture and design. Some commonly employed methods include ensuring log files enjoy the proper file system permissions and limiting log data locations. Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights that the user enjoys in order to make access decisions regarding the modification of audit data. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Modification of database audit data could mask the theft of, or the unauthorized modification of, sensitive data stored in the database. When auditing is enabled, MarkLogic Server writes audit events to the AuditLog.txt file. Each host in a cluster maintains its own audit log files. Some actions might trigger multiple audit events, and those events might be logged over multiple hosts, as events are audited on the host in which the event occurs. For more information about the audit events, see Auditable Events. Note the following about the audit event log files: - Writes messages to AuditLog.txt file for various events. - Each event has a timestamp, event type, user, role, and other information relevant to the event (e.g., document URI for document-read event). For an example of log entries, see Sample Audit Logs. - How often to rotate the audit files (similar to the log files, as described in Log Files) can be configured. - The Audit log files are stored in the same directory as the Access log files (port_AccessLog.txt) and the Error log files (ErrorLog.txt), which is in the <marklogic-data-dir>/Logs directory. These files are private to the host in which the audit event occurred. - View the current or any archived file log at any time using standard text file viewing tools. Additionally, the log files can be accessed from the Log tab on the main page of the Admin Interface.

STIG	Date
MarkLogic Server v9 Security Technical Implementation Guide	2022-09-12

Details

Check Text ( C-22065r401501_chk )
Review controls and permissions are sufficient to protect audit log files from unauthorized access at the operating-system level. Verify User ownership, Group ownership, and permissions on the "audit" file: > ls -al /var/opt/MarkLogic/Logs/AuditLog.txt If the User owner is not "daemon", this is a finding If the Group owner is not "daemon", this is a finding. If the directory is more permissive than 700, this is a finding.

Check Text ( C-22065r401501_chk )

Review controls and permissions are sufficient to protect audit log files from unauthorized access at the operating-system level.

Verify User ownership, Group ownership, and permissions on the "audit" file:
> ls -al /var/opt/MarkLogic/Logs/AuditLog.txt

If the User owner is not "daemon", this is a finding
If the Group owner is not "daemon", this is a finding.
If the directory is more permissive than 700, this is a finding.

Fix Text (F-22054r401502_fix)
Apply controls and modify permissions to protect audit log files from unauthorized access at the operating-system level. Change owner and group of /var/opt/MarkLogic/Logs to user daemon from the command line with a privileged user: > chown daemon.daemon /var/opt/MarkLogic/Logs Change permissions of /var/opt/MarkLogic/Logs to 700 (rwx by owner only) from the command line > chmod 700 /var/opt/MarkLogic/Logs

Fix Text (F-22054r401502_fix)

Apply controls and modify permissions to protect audit log files from unauthorized access at the operating-system level.

Change owner and group of /var/opt/MarkLogic/Logs to user daemon from the command line with a privileged user:
> chown daemon.daemon /var/opt/MarkLogic/Logs

Change permissions of /var/opt/MarkLogic/Logs to 700 (rwx by owner only) from the command line
> chmod 700 /var/opt/MarkLogic/Logs