
STIGhub


V-279036

CAT II (Medium)

The ColdFusion log information must be protected from any type of unauthorized read access by having file ownership set properly.

Rule ID

SV-279036r1171601_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000162, CCI-000163, CCI-000164, CCI-001314

Discussion

ColdFusion log files may contain sensitive information, including system events, error messages, user activity, and potentially authentication or configuration data. If these log files are not properly protected through restrictive file ownership and permissions, unauthorized users could read, alter, or delete the log data, resulting in a loss of audit integrity, undetected malicious activity, or exposure of sensitive operational details. Setting appropriate file ownership ensures that only authorized ColdFusion administrators or designated service accounts have access to the logs, reducing the risk of compromise. This control supports the confidentiality, integrity, and availability of log data.

Satisfies: SRG-APP-000118-AS-000078, SRG-APP-000119-AS-000079, SRG-APP-000120-AS-000080, SRG-APP-000267-AS-000170

Check Content

Verify that the log directories for each ColdFusion instance are secured with appropriate ownership and permissions.

1. Locate the logs directory for each ColdFusion instance. The log directory path is located in the ColdFusion Administrator Console under Debugging & Logging >> Logging Settings.

2. For ColdFusion running on Windows, the logs directory and all files within it must have Full Control granted to:
- The Administrators group.
- The user account running the ColdFusion service.

If any directory or file permissions do not meet this requirement, this is a finding.

3. For ColdFusion running on Linux, the logs directory and all files within it must have:
- "Owner" set to the user running ColdFusion.
- "Group ownership" set to root.
- "Permissions" set to 740 or more restrictive.

If ownership or permissions do not meet this requirement, this is a finding.
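
The Linux check above can be scripted. This is an added example, not part of the STIG text or any Adobe tooling. The function name audit_cf_logs and its arguments are hypothetical, and it assumes GNU find and stat.

```shell
#!/bin/sh
# Added example: audit a ColdFusion logs directory against the Linux check.
# Usage: audit_cf_logs LOGDIR CFUSER [GROUP]   (GROUP defaults to root)
# Assumes GNU stat/find (Linux); names containing newlines are not handled.
audit_cf_logs() {
    dir=$1 want_owner=$2 want_group=${3:-root}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    findings=$(
        # Walk the directory itself and everything beneath it.
        find "$dir" -exec stat -c '%U %G %a %n' {} + |
        while read -r owner group mode name; do
            [ "$owner" = "$want_owner" ] ||
                echo "FINDING owner=$owner (want $want_owner): $name"
            [ "$group" = "$want_group" ] ||
                echo "FINDING group=$group (want $want_group): $name"
            # "740 or more restrictive": no bit outside 0740 may be set.
            # 07037 = every permission and special bit that is not in 0740.
            if [ $(( 0$mode & 07037 )) -ne 0 ]; then
                echo "FINDING mode=$mode (exceeds 740): $name"
            fi
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

Run it once per instance with the path shown under Logging Settings and the account that runs ColdFusion. Exit status 1 means at least one finding was printed.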

Fix Text

Locate the logs directory for each ColdFusion instance. The log directory path is located in the ColdFusion Administrator Console under Debugging & Logging >> Logging Settings.

For ColdFusion running on Windows:
1. Right-click the logs directory and select "Properties".

2. Click the Security tab and then click "Advanced".

3. On the Permissions tab, click "Disable inheritance" and select "Remove all inherited permissions from this object".

4. Click "Add".
- In the Permission Entry dialog box, click "Select a principal".
- Enter the user account running the ColdFusion service.
- Grant Full Control and click "OK".

5. Click "Add" again.
- In the Permission Entry dialog, click "Select a principal".
- Enter the Administrators group.
- Grant full control and click "OK".

6. Check "Replace all child object permission entries with inheritable permission entries from this object".

7. Click "OK" to apply the permissions.

For ColdFusion running on Linux:
Set ownership and permissions using the following commands, replacing the path and user as appropriate:

chown -R <cfuser>:root /path/to/logs
chmod -R 740 /path/to/logs

Note: Required permissions are automatically set by the Auto-Lockdown Installer.