Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-220351 | ML09-00-002100 | SV-220351r960936_rule | Medium |
Description |
---|
If audit data becomes compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods depending on system architecture and design. Some commonly employed methods include: ensuring log files employ the proper file system permissions, utilizing file system protections, restricting access; and backing up log data to ensure log data is retained. Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys to make access decisions regarding the deletion of audit data. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. When auditing is enabled, MarkLogic Server writes audit events to the AuditLog.txt file. Each host in a cluster maintains its own audit log files. Some actions might trigger multiple audit events, and those events might be logged over multiple hosts, as events are audited on the host in which the event occurs. For more information about the audit events, see Auditable Events. Note the following about the audit event log files: - Writes messages to AuditLog.txt file for various events. - Each event has a timestamp, event type, user, role, and other information relevant to the event (for example, document URI for document-read event). For an example of log entries, see Sample Audit Logs. - How often to rotate the audit files (similar to the log files, as described in Log Files) can be configured. - The Audit log files are stored in the same directory as the Access log files (port_AccessLog.txt) and the Error log files (ErrorLog.txt), which is in the <marklogic-data-dir>/Logs directory. These files are private to the host in which the audit event occurred. - View the current or any archived file log at any time using standard text file viewing tools. Additionally, the log files can be accessed from the Log tab on the main page of the Admin Interface. Deletion of database audit data could mask the theft of, or the unauthorized modification of, sensitive data stored in the database. |
STIG | Date |
---|---|
MarkLogic Server v9 Security Technical Implementation Guide | 2024-06-12 |
Check Text ( C-22066r401504_chk ) |
---|
Review controls and permissions are sufficient to protect audit log files from unauthorized access at the operating-system level. Verify User ownership, Group ownership, and permissions on the "audit" file: > ls -al /var/opt/MarkLogic/Logs/AuditLog.txt If the User owner is not "daemon", this is a finding If the Group owner is not "daemon", this is a finding. If the directory is more permissive than 700, this is a finding. |
Fix Text (F-22055r401505_fix) |
---|
Apply controls and modify permissions to protect audit log files from unauthorized access at the operating-system level. Change owner and group of /var/opt/MarkLogic/Logs to user daemon from the command line with a privileged user: > chown daemon.daemon /var/opt/MarkLogic/Logs Change permissions of /var/opt/MarkLogic/Logs to 700 (rwx by owner only) from the command line > chmod 700 /var/opt/MarkLogic/Logs |