Check: APAS-CF-000490
Adobe ColdFusion STIG:
APAS-CF-000490
(in version v1 r1)
Title
ColdFusion must be configured to support integration with a third-party Security Information and Event Management (SIEM) to support notifications. (Cat II impact)
Discussion
ColdFusion must be capable of integrating with a third-party SIEM solution to provide centralized log collection, event correlation, and real-time alerting. Without integration into a SIEM, audit records generated by ColdFusion may remain isolated on the local system, limiting visibility and hindering the ability of security personnel to detect, investigate, and respond to suspicious activity or system misconfigurations. Timely notifications of security-relevant events are critical for incident response and continuous monitoring. If ColdFusion is not configured to transmit these logs or events to an external monitoring platform, malicious activity may go undetected until after significant damage has occurred. SIEM integration also supports compliance with audit and accountability requirements by ensuring audit data is retained in a secure, tamper-evident location outside the local ColdFusion instance. In the event of system compromise, this external logging provides a reliable forensic trail and helps validate system integrity.

Satisfies: SRG-APP-000231-AS-000156, SRG-APP-000108-AS-000067, SRG-APP-000125-AS-000084, SRG-APP-000126-AS-000085, SRG-APP-000181-AS-000255, SRG-APP-000290-AS-000174, SRG-APP-000358-AS-000064, SRG-APP-000360-AS-000066, SRG-APP-000515-AS-000203, SRG-APP-000795-AS-000130
Check Content
Verify SIEM.

1. On the host server, for each of the ColdFusion instances installed, verify /etc/rsyslog.d/101-<instance name>.conf exists and contains the following contents:

```
module(load="imfile" PollingInterval="10")
input(type="imfile" File="<CF install path>/<instance name>/logs/coldfusion-out.log" Tag="coldfusion-out" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/coldfusion-error.log" Tag="coldfusion-error" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/cfpm-audit.log" Tag="cfpm-audit" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/audit.log" Tag="audit" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/http.log" Tag="http" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/mail.log" Tag="mail" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/monitor.log" Tag="monitor" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/server.log" Tag="server" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/usagedata.log" Tag="usagedata" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/update.log" Tag="update" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/application.log" Tag="application" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/exception.log" Tag="exception" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/reporting.log" Tag="reporting" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/axis2.log" Tag="axis2" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/eventgateway.log" Tag="eventgateway" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/license.log" Tag="license" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/security.log" Tag="security" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/webservice.log" Tag="webservice" Facility="<instance name>")
```

If the file contents do not monitor all logs in <CF install path>/<instance name>/logs, this is a finding.

2. Inspect /etc/rsyslog.conf or the files in /etc/rsyslog.d/. If there is no forwarding action with type="omfwd", the rsyslog destination is not configured to send logs to a valid syslog server and this is a finding.

For additional information, refer to https://www.rsyslog.com/sending-messages-to-a-remote-syslog-server/.
Fix Text
Configure SIEM.

1. Create /etc/rsyslog.d/101-<instance name>.conf for each of the configured ColdFusion instances with these contents, and ensure the omfwd forwarding action added in step 2 points to a valid syslog server. Example for an instance named cfusion installed under /opt/coldfusion2023:

```
cat > /etc/rsyslog.d/101-cfusion.conf << EOF
module(load="imfile" PollingInterval="10")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/coldfusion-out.log" Tag="coldfusion-out" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/coldfusion-error.log" Tag="coldfusion-error" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/cfpm-audit.log" Tag="cfpm-audit" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/audit.log" Tag="audit" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/http.log" Tag="http" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/mail.log" Tag="mail" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/monitor.log" Tag="monitor" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/server.log" Tag="server" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/usagedata.log" Tag="usagedata" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/update.log" Tag="update" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/application.log" Tag="application" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/exception.log" Tag="exception" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/reporting.log" Tag="reporting" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/axis2.log" Tag="axis2" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/eventgateway.log" Tag="eventgateway" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/license.log" Tag="license" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/security.log" Tag="security" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/webservice.log" Tag="webservice" Facility="cfusion")
EOF
```

2. Add the following to /etc/rsyslog.conf:

```
*.* action(type="omfwd" target="<remote rsyslog IP address>" port="10514" protocol="tcp")
```

3. Restart rsyslog to apply changes:

```
sudo systemctl restart rsyslog
```
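The following shell functions are an added example, not part of the STIG or of Adobe's or rsyslog's own tooling. They automate the two checks above for one instance: every *.log under the instance's logs/ directory must have an imfile input naming its full path, and an omfwd forwarding action must exist somewhere in the rsyslog configuration. The fixture directory, the incomplete 101-cfusion.conf and the forwarding target 10.0.0.5 are constructed so the functions run offline; the function names are this example's own. One caveat on the fixture: rsyslog documents the imfile Facility parameter as a syslog facility (local0 through local7, by name or number), so the fixture uses local0 and keeps the instance name in the Tag; if you write the literal Facility="<instance name>" form shown in the STIG, confirm the file parses with `rsyslogd -N1` before restarting the service.

```shell
#!/bin/sh
# Added example (not part of the STIG): audit a per-instance rsyslog imfile
# configuration against the ColdFusion instance's logs/ directory.

# Constructed fixture for offline runs: a fake instance logs/ directory and a
# deliberately incomplete 101-cfusion.conf (no security.log or webservice.log
# inputs, no omfwd action). Prints the fixture root directory.
cf_siem_fixture() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/logs" "$root/rsyslog.d"
    for name in coldfusion-out coldfusion-error audit http security webservice; do
        : > "$root/logs/$name.log"
    done
    # Facility is local0 here: imfile expects a syslog facility, not a free-form name.
    cat > "$root/rsyslog.d/101-cfusion.conf" <<EOF
module(load="imfile" PollingInterval="10")
input(type="imfile" File="$root/logs/coldfusion-out.log" Tag="coldfusion-out" Facility="local0")
input(type="imfile" File="$root/logs/coldfusion-error.log" Tag="coldfusion-error" Facility="local0")
input(type="imfile" File="$root/logs/audit.log" Tag="audit" Facility="local0")
input(type="imfile" File="$root/logs/http.log" Tag="http" Facility="local0")
EOF
    printf '%s\n' "$root"
}

# Print the name of every *.log in directory $2 that has no imfile input for
# its full path in config file $1. Empty output means step 1 of the check passes.
cf_siem_uncovered() {
    local conf="$1" logs="$2" log
    for log in "$logs"/*.log; do
        [ -e "$log" ] || continue
        grep -Fq "File=\"$log\"" "$conf" || basename "$log"
    done
}

# Exit 0 if the imfile module is loaded in config file $1.
cf_siem_has_imfile() {
    grep -Eqs 'module\(load="imfile"' "$1"
}

# Exit 0 if any of the given files carries an omfwd forwarding action
# (step 2 of the check); -s keeps missing files from producing noise.
cf_siem_has_forward() {
    grep -Eqs 'action\([^)]*type="omfwd"' "$@"
}

# Full check for one instance: $1 is the instance conf, $2 its logs/ directory,
# remaining arguments are other rsyslog files that may hold the omfwd action.
# Prints each finding; exits 0 only when there are none.
cf_siem_check() {
    local conf="$1" logs="$2" status=0 missing
    shift 2
    cf_siem_has_imfile "$conf" || { echo "finding: imfile module not loaded in $conf"; status=1; }
    missing=$(cf_siem_uncovered "$conf" "$logs")
    if [ -n "$missing" ]; then
        echo "finding: logs without an imfile input in $conf:"
        echo "$missing"
        status=1
    fi
    cf_siem_has_forward "$conf" "$@" || { echo "finding: no omfwd forwarding action configured"; status=1; }
    return $status
}
```

On a real host the call is `cf_siem_check /etc/rsyslog.d/101-cfusion.conf /opt/coldfusion2023/cfusion/logs /etc/rsyslog.conf /etc/rsyslog.d/*.conf`, once per instance. Matching on the full File="..." path rather than the bare log name is deliberate: two instances have identically named logs, and an input for cfusion/logs/audit.log does not cover a second instance's audit.log.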
Additional Identifiers
Rule ID: SV-279070r1172833_rule
Vulnerability ID: V-279070
Group Title: SRG-APP-000231-AS-000156
CCIs
| Number | Definition |
|---|---|
| CCI-000139 | Alert organization-defined personnel or roles within an organization-defined time period in the event of an audit logging process failure. |
| CCI-001199 | Protects the confidentiality and/or integrity of organization-defined information at rest. |
| CCI-001348 | Store audit records on an organization-defined frequency in a repository that is part of a physically different system or system component than the system or component being audited. |
| CCI-001350 | Implement cryptographic mechanisms to protect the integrity of audit information. |
| CCI-001496 | Implement cryptographic mechanisms to protect the integrity of audit tools. |
| CCI-001851 | Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging. |
| CCI-001858 | Provide an alert in an organization-defined real-time-period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur. |
| CCI-001876 | Provide an audit reduction capability that supports on-demand reporting requirements. |
| CCI-003831 | Alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information. |
Controls
| Number | Title |
|---|---|
| AU-4(1) | Transfer to Alternate Storage |
| AU-5 | Response to Audit Logging Process Failures |
| AU-5(2) | Real-time Alerts |
| AU-7 | Audit Record Reduction and Report Generation |
| AU-9 | Protection of Audit Information |
| AU-9(2) | Store on Separate Physical Systems or Components |
| AU-9(3) | Cryptographic Protection |
| SC-28 | Protection of Information at Rest |