The ColdFusion log information must be protected from any type of unauthorized read access by having file ownership set properly.

Severity: medium
Group ID: V-279036
Group Title: SRG-APP-000118-AS-000078
Version: APAS-CF-000120
Rule ID: SV-279036r1171601_rule
Date: 2025-12-19
STIG Version: 1
Description
ColdFusion log files may contain sensitive information, including system events, error messages, user activity, and potentially authentication or configuration data. If these log files are not properly protected through restrictive file ownership and permissions, unauthorized users could read, alter, or delete the log data, resulting in a loss of audit integrity, undetected malicious activity, or exposure of sensitive operational details. Setting appropriate file ownership ensures that only authorized ColdFusion administrators or designated service accounts have access to the logs, reducing the risk of compromise. This control supports the confidentiality, integrity, and availability of log data.

Satisfies: SRG-APP-000118-AS-000078, SRG-APP-000119-AS-000079, SRG-APP-000120-AS-000080, SRG-APP-000267-AS-000170
ℹ️ Check
Verify that the log directories for each ColdFusion instance are secured with appropriate ownership and permissions.

1. Locate the logs directory for each ColdFusion instance. The log directory path is located in the ColdFusion Administrator Console under Debugging & Logging >> Logging Settings.

2. For ColdFusion running on Windows, the logs directory and all files within it must have Full Control granted to:
- The Administrators group.
- The user account running the ColdFusion service.

If any directory or file permissions do not meet this requirement, this is a finding.

3. For ColdFusion running on Linux, the logs directory and all files within it must have:
- "Owner" set to the user running ColdFusion.
- "Group ownership" set to root.
- "Permissions" set to 740 or more restrictive.

If ownership or permissions do not meet this requirement, this is a finding.
✔️ Fix
Locate the logs directory for each ColdFusion instance. The log directory path is located in the ColdFusion Administrator Console under Debugging & Logging >> Logging Settings.

For ColdFusion running on Windows:

1. Right-click the logs directory and select "Properties".
2. Click the Security tab and then click "Advanced".
3. On the Permissions tab, click "Disable inheritance" and select "Remove all inherited permissions from this object".
4. Click "Add".
- In the Permission Entry dialog box, click "Select a principal".
- Enter the user account running the ColdFusion service.
- Grant Full Control and click "OK".
5. Click "Add" again.
- In the Permission Entry dialog, click "Select a principal".
- Enter the Administrators group.
- Grant full control and click "OK".
6. Check "Replace all child object permission entries with inheritable permission entries from this object".
7. Click "OK" to apply the permissions.

For ColdFusion running on Linux:

Set ownership and permissions using the following commands, replacing the path and user as appropriate:

    chown -R <cfuser>:root /path/to/logs
    chmod -R 740 /path/to/logs

Note: Required permissions are automatically set by the Auto-Lockdown Installer.
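The Linux check above can be scripted so every entry under the logs directory is tested. This is an added example, not part of the STIG or of ColdFusion; the function name `audit_cf_logs` and its arguments are assumptions, and it requires GNU find and stat.

```sh
#!/bin/sh
# Added example: audit a ColdFusion logs directory against the Linux check.
# audit_cf_logs is a hypothetical helper name. Requires GNU find and stat.

# Usage: audit_cf_logs DIR OWNER [GROUP]   (GROUP defaults to root, per the check)
# Prints one line per non-compliant entry.
# Returns 0 = no findings, 1 = finding(s), 2 = DIR unusable or find failed.
audit_cf_logs() (
    dir=$1 want_owner=$2 want_group=${3:-root}
    [ -d "$dir" ] || { echo "ERROR: not a directory: $dir" >&2; exit 2; }

    # "740 or more restrictive" means no bit outside 0740 may be set.
    # 07037 is that complement: group write/execute, every "other" bit,
    # and setuid/setgid/sticky. -perm /MASK matches if any masked bit is set.
    # Symlinks normally show mode 777 on Linux, so they are reported too.
    report=$(find "$dir" \
        \( ! -user "$want_owner" -o ! -group "$want_group" -o -perm /7037 \) \
        -exec stat -c 'FINDING owner=%U group=%G mode=%a path=%n' -- {} +) || exit 2

    [ -z "$report" ] && exit 0
    printf '%s\n' "$report"
    exit 1
)
```

Run it as `audit_cf_logs /path/to/logs <cfuser>`, using the logs path shown in the ColdFusion Administrator Console; any output line is a finding.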