STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

V-279070

CAT II (Medium)

ColdFusion must be configured to support integration with a third-party Security Information and Event Management (SIEM) to support notifications.

Rule ID

SV-279070r1172833_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001199, CCI-000139, CCI-001348, CCI-001350, CCI-001876, CCI-001496, CCI-001851, CCI-001858, CCI-003831

Discussion

ColdFusion must be capable of integrating with a third-party SIEM solution to provide centralized log collection, event correlation, and real-time alerting. Without integration into a SIEM, audit records generated by ColdFusion may remain isolated on the local system, limiting visibility and hindering the ability of security personnel to detect, investigate, and respond to suspicious activity or system misconfigurations. Timely notifications of security-relevant events are critical for incident response and continuous monitoring. If ColdFusion is not configured to transmit these logs or events to an external monitoring platform, malicious activity may go undetected until after significant damage has occurred. SIEM integration also supports compliance with audit and accountability requirements by ensuring audit data is retained in a secure, tamper-evident location outside the local ColdFusion instance. In the event of system compromise, this external logging provides a reliable forensic trail and helps validate system integrity.

Satisfies: SRG-APP-000231-AS-000156, SRG-APP-000108-AS-000067, SRG-APP-000125-AS-000084, SRG-APP-000126-AS-000085, SRG-APP-000181-AS-000255, SRG-APP-000290-AS-000174, SRG-APP-000358-AS-000064, SRG-APP-000360-AS-000066, SRG-APP-000515-AS-000203, SRG-APP-000795-AS-000130

Check Content

Verify SIEM.

1. On the host server, for each of the ColdFusion instances installed, verify /etc/rsyslog.d/101-<instance name>.conf exists and contains the following contents: 

module(load="imfile" PollingInterval="10") 

input(type="imfile"
      File="<CF install path>/<instance name>/logs/coldfusion-out.log"
      Tag="coldfusion-out"
      Facility="<instance name>")

input(type="imfile"
      File="<CF install path>/<instance name>/logs/coldfusion-error.log"
      Tag="coldfusion-error"
      Facility="<instance name>")

input(type="imfile"
      File="<CF install path>/<instance name>/logs/cfpm-audit.log"
      Tag="cfpm-audit"
      Facility="<instance name>")

input(type="imfile"
      File="<CF install path>/<instance name>/logs/audit.log"
      Tag="audit"
      Facility="<instance name>")

input(type="imfile"
      File="<CF install path>/<instance name>/logs/http.log"
      Tag="http"
      Facility="<instance name>")

input(type="imfile"
      File="<CF install path>/<instance name>/logs/mail.log"
      Tag="mail"
      Facility="<instance name>")

input(type="imfile"
      File="<CF install path>/<instance name>/logs/monitor.log"
      Tag="monitor"
      Facility="<instance name>")

input(type="imfile"
      File="<CF install path>/<instance name>/logs/server.log"
      Tag="server"
      Facility="<instance name>")
  
input(type="imfile"
      File="<CF install path>/<instance name>/logs/usagedata.log"
      Tag="usagedata"
      Facility="<instance name>")
  
input(type="imfile"
      File="<CF install path>/<instance name>/logs/update.log"
      Tag="update"
      Facility="<instance name>")
  
input(type="imfile"
      File="<CF install path>/<instance name>/logs/application.log"
      Tag="application"
      Facility="<instance name>")
  
input(type="imfile"
      File="<CF install path>/<instance name>/logs/exception.log"
      Tag="exception"
      Facility="<instance name>")
  
input(type="imfile"
      File="<CF install path>/<instance name>/logs/reporting.log"
      Tag="reporting"
      Facility="<instance name>")
  
input(type="imfile"
      File="<CF install path>/<instance name>/logs/axis2.log"
      Tag="axis2"
      Facility="<instance name>")
  
input(type="imfile"
      File="<CF install path>/<instance name>/logs/eventgateway.log"
      Tag="eventgateway"
      Facility="<instance name>")
  
input(type="imfile"
      File="<CF install path>/<instance name>/logs/license.log"
      Tag="license"
      Facility="<instance name>")
  
input(type="imfile"
      File="<CF install path>/<instance name>/logs/security.log"
      Tag="security"
      Facility="<instance name>")
  
input(type="imfile"
      File="<CF install path>/<instance name>/logs/webservice.log"
      Tag="webservice"
      Facility="<instance name>")   

If the file contents do not monitor all logs in <CF install path>/<instance name>/logs, this is a finding. 

2. Inspect /etc/rsyslog.conf or the files in /etc/rsyslog.d/.

If there is no forwarding action with type="omfwd", the rsyslog destination is not configured to send logs to a valid syslog server and this is a finding.

For additional information, refer to https://www.rsyslog.com/sending-messages-to-a-remote-syslog-server/.
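
Both check steps can be scripted. The following is an added example, not part of the STIG text or of any DISA or Adobe tooling; the function names are hypothetical, and it assumes each input keeps the File="<path>" form shown above.

```shell
#!/bin/sh
# Added example: audit one ColdFusion instance against both check steps.
# Matches File="<path>" exactly as written in the STIG; comment lines are ignored.

# Step 1: print each *.log in LOG_DIR that has no imfile File= entry in DROPIN.
# Returns 1 if any log is uncovered (or DROPIN cannot be read), else 0.
missing_imfile_inputs() {
    log_dir=$1 dropin=$2 rc=0
    for f in "$log_dir"/*.log; do
        [ -e "$f" ] || continue
        if ! grep -v '^[[:space:]]*#' "$dropin" 2>/dev/null |
                grep -qF -e "File=\"$f\""; then
            printf '%s\n' "$f"
            rc=1
        fi
    done
    return "$rc"
}

# Step 2: succeed if any listed config has an uncommented type="omfwd" action.
has_omfwd_action() {
    for c in "$@"; do
        [ -f "$c" ] || continue
        if grep -v '^[[:space:]]*#' "$c" | grep -qF -e 'type="omfwd"'; then
            return 0
        fi
    done
    return 1
}

# Run both steps; print one FINDING line per problem, return 1 on any finding.
# Usage: audit_instance LOG_DIR DROPIN RSYSLOG_CONF...
audit_instance() {
    logs=$1 conf=$2 bad=0
    shift 2
    missing=$(missing_imfile_inputs "$logs" "$conf") || bad=1
    [ -z "$missing" ] ||
        printf '%s\n' "$missing" | sed 's/^/FINDING: no imfile input for /'
    if ! has_omfwd_action "$@"; then
        echo 'FINDING: no action with type="omfwd" in the given rsyslog files'
        bad=1
    fi
    return "$bad"
}

# Example call, using the paths from the Fix Text example (instance "cfusion"):
# audit_instance /opt/coldfusion2023/cfusion/logs /etc/rsyslog.d/101-cfusion.conf /etc/rsyslog.conf /etc/rsyslog.d/*.conf
```

Because the script enumerates the logs directory itself, it also flags log files that appear after the drop-in was written, which is the condition the step 1 finding describes.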

Fix Text

Configure SIEM.

1. Create /etc/rsyslog.d/101-<instance name>.conf for each of the configured ColdFusion instances with these contents, ensuring the final line points to a valid syslog server.

Example:
cat > /etc/rsyslog.d/101-cfusion.conf << EOF

module(load="imfile" PollingInterval="10")

input(type="imfile"
      File="/opt/coldfusion2023/cfusion/logs/coldfusion-out.log"
      Tag="coldfusion-out"
      Facility="cfusion")

input(type="imfile"
      File="/opt/coldfusion2023/cfusion/logs/coldfusion-error.log"
      Tag="coldfusion-error"
      Facility="cfusion")

input(type="imfile"
      File="/opt/coldfusion2023/cfusion/logs/cfpm-audit.log"
      Tag="cfpm-audit"
      Facility="cfusion")

input(type="imfile"
      File="/opt/coldfusion2023/cfusion/logs/audit.log"
      Tag="audit"
      Facility="cfusion")

input(type="imfile"
      File="/opt/coldfusion2023/cfusion/logs/http.log"
      Tag="http"
      Facility="cfusion")

input(type="imfile"
      File="/opt/coldfusion2023/cfusion/logs/mail.log"
      Tag="mail"
      Facility="cfusion")

input(type="imfile"
      File="/opt/coldfusion2023/cfusion/logs/monitor.log"
      Tag="monitor"
      Facility="cfusion")

input(type="imfile"
      File="/opt/coldfusion2023/cfusion/logs/server.log"
      Tag="server"
      Facility="cfusion")

input(type="imfile"
      File="/opt/coldfusion2023/cfusion/logs/usagedata.log"
      Tag="usagedata"
      Facility="cfusion")      

input(type="imfile"
      File="/opt/coldfusion2023/cfusion/logs/update.log"
      Tag="update"
      Facility="cfusion")      

input(type="imfile"
      File="/opt/coldfusion2023/cfusion/logs/application.log"
      Tag="application"
      Facility="cfusion")      

input(type="imfile"
      File="/opt/coldfusion2023/cfusion/logs/exception.log"
      Tag="exception"
      Facility="cfusion")      

input(type="imfile"
      File="/opt/coldfusion2023/cfusion/logs/reporting.log"
      Tag="reporting"
      Facility="cfusion")

input(type="imfile"
      File="/opt/coldfusion2023/cfusion/logs/axis2.log"
      Tag="axis2"
      Facility="cfusion")      

input(type="imfile"
      File="/opt/coldfusion2023/cfusion/logs/eventgateway.log"
      Tag="eventgateway"
      Facility="cfusion")      

input(type="imfile"
      File="/opt/coldfusion2023/cfusion/logs/license.log"
      Tag="license"
      Facility="cfusion")      

input(type="imfile"
      File="/opt/coldfusion2023/cfusion/logs/security.log"
      Tag="security"
      Facility="cfusion")
      
input(type="imfile"
      File="/opt/coldfusion2023/cfusion/logs/webservice.log"
      Tag="webservice"
      Facility="cfusion")
EOF

2. Add the following to /etc/rsyslog.conf:
*.* action(type="omfwd" target="<remote rsyslog IP address>" port="10514" protocol="tcp")

3. Restart rsyslog to apply changes: sudo systemctl restart rsyslog.