Rule: Database logging should be enabled
This rule ensures database logging is enabled for security and compliance purposes.
| Rule | Database logging should be enabled |
| Framework | FedRAMP Moderate Revision 4 |
| Severity | ✔ Low |
Rule Description
The rule requires enabling database logging for systems operating at the FedRAMP Moderate level, as per Revision 4 of the FedRAMP guidelines. Enabling database logging helps in monitoring and recording all database activities for security analysis, auditing, and detecting potential security incidents.
Troubleshooting Steps
- 1.Check if the database logging feature is supported by your database management system (DBMS). Not all DBMSs offer built-in database logging functionality. Ensure that your DBMS supports this feature before proceeding.
- 2.Verify if the database logging option is currently enabled or disabled. This can be done by checking the configuration settings of your DBMS.
- 3.Ensure that you have the necessary privileges or access rights to enable database logging. If you are not the database administrator, contact the appropriate person or team responsible for managing the database.
- 4.If the database logging feature is supported but not enabled, follow the remediation steps outlined below.
Remediation Steps
The remediation steps may vary depending on the specific database management system in use. The following steps provide a general guideline for enabling database logging:
Note: These steps assume that you have administrative access to the database or appropriate privileges.
- 1.
Identify the database name or instance for which you need to enable logging.
- 2.
Connect to the database server using a database client or command line tool with administrative privileges.
- 3.
Execute the relevant command or query to enable database logging. The exact command will depend on the specific DBMS being used. Examples of database logging commands for commonly used DBMSs are provided below:
Microsoft SQL Server:
- Enable transaction log and activity logging:
This command sets the database recovery model to Full, allowing transaction logs to be saved. Additionally, configure the required log retention period and other related settings as per your organization's policies.ALTER DATABASE [database_name] SET RECOVERY FULL;
Oracle Database:
- Enable fine-grained auditing for database objects:
This command enables auditing for all tables. Adjust the audit configuration according to your specific requirements.AUDIT ALL TABLES BY ACCESS;- Enable database-level auditing:
This command enables auditing at the database level. Customize the audit settings as necessary.ALTER DATABASE [database_name] AUDIT;
MySQL/MariaDB:
- Enable general query logging: Edit the MySQL configuration file (usually
ormy.cnf
), locate themy.ini
section, and add the following line:[mysqld]
Save the file and restart the MySQL/MariaDB service to activate the logging.general_log = 1
PostgreSQL:
- Enable logging: Edit the PostgreSQL configuration file (
), locate thepostgresql.conf
parameter, and set it tologging_collector
:on
Save the file and restart the PostgreSQL service for the changes to take effect.logging_collector = on
- 4.
Verify that database logging is enabled by performing a test operation (such as inserting or updating data) and checking if the corresponding logs or audit records are generated.
- 5.
Validate the effectiveness of the logging mechanism by reviewing and analyzing the generated logs regularly. Ensure that the logs are securely stored and protected against tampering or unauthorized access.
Conclusion
Enabling database logging is a crucial step in achieving compliance with the FedRAMP Moderate guidelines. By following the appropriate remediation steps outlined above, you can ensure that database activities are effectively logged and provide valuable insights into the security posture of your system. Regular monitoring and review of the generated logs help in proactive threat detection and incident response.