Redis Enterprise DBMS must provide audit record generation capability for DoD-defined auditable events within all DBMS/database components.

An XCCDF Rule

Description

<VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the DBMS (e.g., process, module). Certain specific application functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the DBMS will provide an audit record generation capability as the following: (i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); (ii) Access actions, such as successful and unsuccessful login attempts, privileged activities, or other system-level access, starting and ending time for user access to the system, concurrent logins from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and (iii) All account creation, modification, disabling, and termination actions. Organizations may define additional events requiring continuous or ad hoc auditing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-251190r960879_rule
Severity: Medium
References: CCI-000169
Updated: 17 days ago

Logging verbosity on Redis Enterprise can be changed for error messages and debugging purposes. Auditing and logging levels for user actions on the control plane does not change and cannot be configured.

Configure the verbosity to the organizationally defined level:

1. Enter the relevant node and run the following commands (run on each desired node): 
- ccs-cli hset dmc:<node_id> log_level <log_level>- ccs-cli hset dmc:<node_id> mgmt_log_level <log_level>

2. Reconfigure the DMC: 
rlutil dmc_reconf dmc=<node_id>

3. Set a specific log level in the DMC for a given DB:
- ccs-cli hset bdb:<db_id> log_level <log_level> 
- rlutil dmc_reconf bdb=<db_id> 

Logging levels include:
1. Debug (DBG) - at this level, anything goes, to include whatever a developer finds useful for debugging. This level should very rarely be active in production and is intended for developers only.

2. Trace (TRC) - used for tracking specific elements' lifespan, issues a few messages (only those important for tracing element) per flow. It might be used in production, under very restrictive and careful watch, for very short periods of time.

3. Info (INF) - positive events changing the behavior of app or one of its major elements: a key component started, configuration changed, etc.

4. Warn (WRN) - events that have temporary (usually recoverable) negative impact on one or more major application elements (server went down, a temporary lack or resources, etc.), such events lead to undesired impact on many sub-elements, while others can still function properly.

5. Error (ERR) - unexpected, harmful events - a key element/component cannot function properly, there is no way to recover proper functionality until this situation is resolved (configuration in accessible, or fundamentally broken, network unreachable, etc.).

6. Fatal (FTL) - unrecoverable state. Usually, the last message (or one of very few of them) in an app's lifetime.

NOTICE: Level info (3) and above are enabled by default.

Redis Enterprise DBMS must provide audit record generation capability for DoD-defined auditable events within all DBMS/database components.

Description

Remediation - Manual Procedure