An error occurred:

Check: ML09-00-007200

MarkLogic Server v9 STIG: ML09-00-007200 (in versions v2 r2 through v1 r1)

Title

MarkLogic Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. (Cat II impact)

Discussion

To ensure sufficient storage capacity for the audit logs, the DBMS must be able to allocate audit record storage capacity. Although another requirement (SRG-APP-000515-DB-000318) mandates that audit data be off-loaded to a centralized log management system, it remains necessary to provide space on the database server to serve as a buffer against outages and capacity limits of the off-loading mechanism. The task of allocating audit record storage capacity is usually performed during initial installation of the DBMS and is closely associated with the DBA and system administrator roles. The DBA or system administrator will usually coordinate the allocation of physical drive space with the application owner/installer and the application will prompt the installer to provide the capacity information, the physical location of the disk, or both. In determining the capacity requirements, consider such factors as: total number of users; expected number of concurrent users during busy periods; number and type of events being monitored; types and amounts of data being captured; the frequency/speed with which audit records are off-loaded to the central log management system; and any limitations that exist on the DBMS's ability to reuse the space formerly occupied by off-loaded records.

Check Content

Investigate whether there have been any incidents where the MarkLogic server ran out of audit log space since the last time the space was allocated or other corrective measures were taken. If there have been, this is a finding.

Fix Text

All MarkLogic logs, including audits, are stored within the Data directory (i.e., /var/opt/MarkLogic/Logs). MarkLogic requires the lesser of 2x the content forest size, or 96GB of free space. System Administrators must ensure/configure between 1.5 and 3x free disk space for normal operations.

Additional Identifiers

Rule ID: SV-220380r879730_rule

Vulnerability ID: V-220380

Group Title: SRG-APP-000357-DB-000316

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001849

The organization allocates audit record storage capacity in accordance with organization-defined audit record storage requirements.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-4

Audit Storage Capacity