MarkLogic Server DBMS must generate audit records when security objects are deleted.

An XCCDF Rule

Description

<VulnDiscussion>The removal of security objects from the database/DBMS would seriously degrade a system's information assurance posture. If such an event occurs, it must be logged.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-220404r879872_rule
Severity: Medium
References: CCI-000172
Updated: 9 months ago

Configure MarkLogic to produce audit records when security objects are deleted.

Perform the fix from the MarkLogic Server Admin Interface with a user that holds administrative-level privileges.

1. Click the Groups icon.
2. Click the group in which the configuration to be checked resides (e.g., Default).3. Click the Auditing icon on the left tree menu.
4. Set the audit enabled field to true.
5. Enable user-role-removal and security-access events for auditing.
6. Enable "both" for the audit restriction under the outcome selection.
7. Ensure no roles, URIs, or users are identified in the audit restrictions, unless documented in the System Security Plan.

MarkLogic Server DBMS must generate audit records when security objects are deleted.

Description

Remediation - Manual Procedure