# Enable logging for all security incidents involving directory services.

389-IRM-001 - severity: high
| Field | Value |
|---|---|
| Control ID | 389-IRM-001 |
| Severity | high |
| Type | detective |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | AU-2, IR-5 |
| DISA SRG | SRG-APP-000089, SRG-APP-000095 |
## Rationale
Incident detection and forensic investigation both depend on complete, continuous logging across all three log streams: the access log records every bind, search, and LDAP operation; the error log captures server anomalies and replication failures; the audit log records every directory-data and configuration change. Without all three enabled, responders cannot reconstruct what an attacker accessed, what credentials were tested, or what configuration was altered - gaps in any stream make root-cause analysis and breach scope determination impossible after a security event. An attacker who authenticates with a compromised service account, queries sensitive attributes, and modifies group membership leaves evidence only in the access and audit logs; disabling either stream provides a ready-made blind spot. NIST SP 800-53 AU-2 requires that auditable events be identified and logged, and IR-5 requires tracking and documenting security incidents - neither requirement can be met without comprehensive, verified logging.
## Check

Confirm that access, error, and audit logging are all enabled in `cn=config`.

```bash
dsconf <instance> config get nsslapd-accesslog-logging-enabled nsslapd-errorlog-logging-enabled nsslapd-auditlog-logging-enabled
```

Expected: each of the three attributes is reported as `on`, for example `nsslapd-accesslog-logging-enabled: on`. Any attribute reported as `off`, or absent from the output, is a finding.
## Remediation

Enable access, error, and audit logging so all connection, bind, and change events are recorded.

```bash
dsconf <instance> config replace nsslapd-accesslog-logging-enabled=on nsslapd-errorlog-logging-enabled=on nsslapd-auditlog-logging-enabled=on
```
## References
## Implementation Notes

Run the check command against each 389DS instance; the output must show `on`
for all three attributes. The fix command applies all three in a single
`dsconf` call and takes effect without a server restart.
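The check above, as an added example that is not part of this control or the 389DS project: a POSIX shell function that parses the `attribute: value` lines printed by `dsconf ... config get`, reports any of the three logging attributes that is missing or not `on`, and returns non-zero so it can gate a compliance run. The sample output is constructed; the live pipeline at the bottom assumes `dsconf` is installed and `<instance>` is replaced with the real instance name.

```shell
#!/bin/sh
# Added example (not 389DS project code): verify that all three 389DS log
# streams are enabled by parsing the output of
#   dsconf <instance> config get <attr> <attr> <attr>
# which prints one "attribute: value" line per requested attribute.

REQUIRED_ATTRS="nsslapd-accesslog-logging-enabled nsslapd-errorlog-logging-enabled nsslapd-auditlog-logging-enabled"

# check_log_streams: reads dsconf output on stdin, prints one line per
# attribute that is missing or not 'on', and returns 0 only when all
# three attributes are present and set to 'on'.
check_log_streams() {
    input=$(cat)
    rc=0
    for attr in $REQUIRED_ATTRS; do
        # Value for this attribute; empty when the line is absent entirely.
        value=$(printf '%s\n' "$input" | awk -F': ' -v a="$attr" '$1 == a { print $2 }')
        case "$value" in
            on) ;;
            "") echo "MISSING $attr"; rc=1 ;;
            *)  echo "FAIL $attr=$value"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: what the check command prints on an instance where the
# audit log has been switched off (the blind spot the rationale describes).
SAMPLE_BAD='nsslapd-accesslog-logging-enabled: on
nsslapd-errorlog-logging-enabled: on
nsslapd-auditlog-logging-enabled: off'

# Constructed sample: a compliant instance.
SAMPLE_GOOD='nsslapd-accesslog-logging-enabled: on
nsslapd-errorlog-logging-enabled: on
nsslapd-auditlog-logging-enabled: on'

# Live usage against a real instance (assumes dsconf is installed):
#   dsconf <instance> config get $REQUIRED_ATTRS | check_log_streams
```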
Log files land under `/var/log/dirsrv/slapd-<instance>/` as `access`,
`errors`, and `audit`. To keep logs durable and useful during an incident,
pair this control with log rotation (389-LM-002) and central forwarding to a
SIEM (389-LM-003, 389-IRM-002). Enabling logs locally is the prerequisite;
correlation and detection come from the forwarding and alerting controls.