Check: APAS-CF-000070
Adobe ColdFusion STIG: APAS-CF-000070 (in version v1 r1)
Title
ColdFusion must produce log records containing information to establish what type of events occurred. (Cat III impact)
Discussion
Without sufficient logging of events, including information about what type of event occurred, it is difficult to detect, understand, or respond to suspicious or unauthorized activity within the ColdFusion application server. Comprehensive event logging is essential to support auditing, troubleshooting, and forensic analysis. ColdFusion must generate log records that capture key attributes of events, such as event type, source, outcome, and affected components. This information enables security personnel to determine the nature of an event, assess its impact, and trace it back to a user or process. Failure to produce detailed and complete logs can result in missed detection of security incidents, hinder incident response efforts, and reduce overall situational awareness.

Satisfies: SRG-APP-000095-AS-000056, SRG-APP-000096-AS-000059, SRG-APP-000097-AS-000060, SRG-APP-000098-AS-000061, SRG-APP-000099-AS-000062, SRG-APP-000100-AS-000063, SRG-APP-000101-AS-000072
Check Content
Verify neo-logging.xml Log Pattern configuration.

1. Open the neo-logging.xml file located at: <ColdFusion_Installation_Directory>\lib\neo-logging.xml
2. Examine the <var name='pattern'/> element. Review the value assigned to this element. Verify the log pattern configuration.
3. Confirm the value is:
   <string>"%p","%t",%d{"MM/dd/yy","HH:mm:ss"},"%a","%m%z"%n</string>
   OR
   Ensure the following pattern definition is included:
   - The pattern includes the %d (date/time) pattern definition with the appropriate format (MM/dd/yy and HH:mm:ss).
   - The pattern includes the %m (message) pattern.

If the neo-logging.xml file is missing or cannot be located, this is a finding.
If the <var name='pattern'/> element does not contain the exact required pattern, this is a finding.
If the pattern does not include the %d token with the required date/time format, this is a finding.
If the pattern does not include the %m (message) token, this is a finding.
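The check above expressed as a script, added here as an example and not part of the STIG. It assumes the pattern is stored as a `<string>` child of `<var name='pattern'>`; the function names and the wrapper XML built by `sample()` are constructed for illustration. A pattern that meets the %d/%m alternative without matching the exact string is returned with `exact_match` False and no findings, so the reviewer can decide how to score it.

```python
import os
import xml.etree.ElementTree as ET

# Pattern value and date token quoted in the check text.
REQUIRED = '"%p","%t",%d{"MM/dd/yy","HH:mm:ss"},"%a","%m%z"%n'
DATE_TOKEN = '%d{"MM/dd/yy","HH:mm:ss"}'

def evaluate_pattern(xml_data):
    """Return (exact_match, findings) for the contents of neo-logging.xml."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        return False, [f"file is not well-formed XML: {exc}"]
    # Assumption: the value is the <string> child of <var name='pattern'>.
    var = next((v for v in root.iter("var") if v.get("name") == "pattern"), None)
    node = var.find("string") if var is not None else None
    if node is None:
        return False, ["no <var name='pattern'> string value found"]
    value = (node.text or "").strip()
    if value == REQUIRED:
        return True, []
    findings = []
    if DATE_TOKEN not in value:
        findings.append("pattern lacks %d with the MM/dd/yy and HH:mm:ss format")
    if "%m" not in value:
        findings.append("pattern lacks the %m (message) token")
    return False, findings

def evaluate_file(path):
    """Apply the check to a file on disk; a missing file is itself a finding."""
    if not os.path.isfile(path):
        return False, [f"{path} is missing or cannot be located"]
    with open(path, "rb") as fh:  # bytes, so an XML encoding declaration is honoured
        return evaluate_pattern(fh.read())

def sample(value):
    # Constructed sample input, not copied from a real installation.
    return ("<wddxPacket version='1.0'><header/><data><struct>"
            f"<var name='pattern'><string>{value}</string></var>"
            "</struct></data></wddxPacket>")

if __name__ == "__main__":
    for label, value in [("required", REQUIRED), ("weak", "%p %t %a")]:
        print(label, evaluate_pattern(sample(value)))
```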
Fix Text
1. Locate the neo-logging.xml file for ColdFusion: <ColdFusion_Installation_Directory>\lib\neo-logging.xml
2. After creating a backup of this file, edit it and locate the <var name='pattern'/> element.
3. Set the value of this element to include all pertinent fields, for example:
   <string>"%p","%t",%d{"MM/dd/yy","HH:mm:ss"},"%a","%m%z"%n</string>
Additional Identifiers
Rule ID: SV-279034r1171436_rule
Vulnerability ID: V-279034
Group Title: SRG-APP-000095-AS-000056
CCIs
| Number | Definition |
|---|---|
| CCI-000130 | Ensure that audit records contain information that establishes what type of event occurred. |
| CCI-000131 | Ensure that audit records contain information that establishes when the event occurred. |
| CCI-000132 | Ensure that audit records contain information that establishes where the event occurred. |
| CCI-000133 | Ensure that audit records contain information that establishes the source of the event. |
| CCI-000134 | Ensure that audit records contain information that establishes the outcome of the event. |
| CCI-000135 | Generate audit records containing the organization-defined additional information that is to be included in the audit records. |
| CCI-001487 | Ensure that audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event. |