V-279037

Discussion

Log management tools within ColdFusion provide access to view, analyze, and sometimes modify application log data. If file ownership and permissions for these tools are not properly restricted, unauthorized users could gain access to audit logs, modify or delete critical records, or bypass detection mechanisms. This not only compromises the integrity and availability of audit data but also undermines the organization's ability to detect and respond to security incidents. Properly assigning file ownership and enforcing least privilege permissions ensures that only authorized administrators or service accounts have access to these tools. This reduces the risk of log tampering or exposure of sensitive information. Satisfies: SRG-APP-000121-AS-000081, SRG-APP-000122-AS-000082, SRG-APP-000123-AS-000083

Check Content

For ColdFusion running on Windows:
1. For each ColdFusion instance, navigate to: 
<ColdFusion_Installation_Directory>\cfusion\runtime\conf
<ColdFusion_Installation_Directory>\cfusion\runtime\lib

2. The logs directory and all files within it must have Full Control granted to the Administrators group and the user account running the ColdFusion service.

If any directory or file permissions do not meet this requirement, this is a finding.

For ColdFusion running on Linux:
1. Navigate to: 
<ColdFusion_Installation_Directory>/cfusion/runtime/conf
<ColdFusion_Installation_Directory>/cfusion/runtime/lib

2. The logs tools directory and all files within it must have:
- "Owner" set to the user running ColdFusion.
- "Group ownership" set to root.
- "Permissions" set to 640 or more restrictive.

If ownership or permissions do not meet this requirement, this is a finding.