This rule ensures database logging is enabled for security and compliance purposes.
Rule | Database logging should be enabled |
Framework | FedRAMP Moderate Revision 4 |
Severity | ✔ Low |
Rule Description
The rule requires enabling database logging for systems operating at the FedRAMP Moderate level, as per Revision 4 of the FedRAMP guidelines. Enabling database logging helps in monitoring and recording all database activities for security analysis, auditing, and detecting potential security incidents.
Troubleshooting Steps
Remediation Steps
The remediation steps may vary depending on the specific database management system in use. The following steps provide a general guideline for enabling database logging:
Note: These steps assume that you have administrative access to the database or appropriate privileges.
Identify the database name or instance for which you need to enable logging.
Connect to the database server using a database client or command line tool with administrative privileges.
Execute the relevant command or query to enable database logging. The exact command will depend on the specific DBMS being used. Examples of database logging commands for commonly used DBMSs are provided below:
Microsoft SQL Server:
    ALTER DATABASE [database_name] SET RECOVERY FULL;
This command sets the database recovery model to Full, allowing transaction logs to be saved. Additionally, configure the required log retention period and other related settings as per your organization's policies.
Oracle Database:
    AUDIT SELECT TABLE, INSERT TABLE, UPDATE TABLE, DELETE TABLE BY ACCESS;
This command enables auditing for all tables. Adjust the audit configuration according to your specific requirements.
    ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;
This command enables auditing at the database level and takes effect after the instance is restarted. Customize the audit settings as necessary.
MySQL/MariaDB:
In the configuration file (my.cnf or my.ini), locate the [mysqld] section, and add the following line:
    general_log = 1
Save the file and restart the MySQL/MariaDB service to activate the logging.
PostgreSQL:
In the configuration file (postgresql.conf), locate the logging_collector parameter, and set it to on:
    logging_collector = on
Save the file and restart the PostgreSQL service for the changes to take effect.
Verify that database logging is enabled by performing a test operation (such as inserting or updating data) and checking if the corresponding logs or audit records are generated.
Validate the effectiveness of the logging mechanism by reviewing and analyzing the generated logs regularly. Ensure that the logs are securely stored and protected against tampering or unauthorized access.
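A static check to run alongside the test operation in the verification step, as an added example that is not part of the original rule text: it reads the MySQL/MariaDB and PostgreSQL settings named above from configuration file contents and reports whether they are effectively on. The function names and sample file contents are constructed for illustration, and the check does not follow include directives or runtime overrides.

```python
import re

MYSQL_TRUE = {"1", "on", "true"}
PG_TRUE = {"1", "on", "true", "yes"}

def mysql_general_log_enabled(conf_text):
    """True if the last general_log setting under [mysqld] switches it on."""
    section, enabled = None, False  # general_log is off unless configured
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        # Option files treat general-log and general_log as the same name.
        if section == "mysqld" and key.strip().lower().replace("-", "_") == "general_log":
            # A bare "general_log" with no value also enables the log.
            enabled = not sep or value.strip().strip("'\"").lower() in MYSQL_TRUE
    return enabled

def postgres_logging_collector_enabled(conf_text):
    """True if the last logging_collector line in postgresql.conf is on."""
    enabled = False  # logging_collector is off unless configured
    for raw in conf_text.splitlines():
        match = re.match(r"(\w+)\s*=?\s*(.+)$", raw.split("#", 1)[0].strip())
        if match and match.group(1).lower() == "logging_collector":
            enabled = match.group(2).strip().strip("'").lower() in PG_TRUE
    return enabled

# Constructed sample files (not taken from a real system).
MY_CNF_BAD = "[client]\ngeneral_log = 1\n[mysqld]\n# general_log = 1\n"
MY_CNF_GOOD = "[mysqld]\ngeneral_log = 0\ngeneral-log = ON\n"
PG_CONF_BAD = "#logging_collector = on\nlogging_collector = off\n"
PG_CONF_GOOD = "logging_collector = off\nlogging_collector = 'on'  # last wins\n"

if __name__ == "__main__":
    checks = [
        ("my.cnf, setting in wrong section", MY_CNF_BAD, mysql_general_log_enabled),
        ("my.cnf, enabled under [mysqld]", MY_CNF_GOOD, mysql_general_log_enabled),
        ("postgresql.conf, set to off", PG_CONF_BAD, postgres_logging_collector_enabled),
        ("postgresql.conf, last line on", PG_CONF_GOOD, postgres_logging_collector_enabled),
    ]
    for label, text, check in checks:
        print(f"{label}: {'PASS' if check(text) else 'FAIL'}")
```

The two failing samples show the common ways a setting looks enabled but is not: it sits in the wrong section, is commented out, or is overridden by a later line.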
Conclusion
Enabling database logging is a crucial step in achieving compliance with the FedRAMP Moderate guidelines. By following the appropriate remediation steps outlined above, you can ensure that database activities are effectively logged and provide valuable insights into the security posture of your system. Regular monitoring and review of the generated logs help in proactive threat detection and incident response.