Enable logging of configuration and user data changes.

389-LM-001 - severity: high

Control ID:   389-LM-001
Severity:     high
Type:         detective
Owner:        IT Operations
Status:       authored
NIST 800-53:  AU-2, AU-12
DISA SRG:     SRG-APP-000089, SRG-APP-000095

Rationale

Without an audit log, every LDAP add, delete, modify, and modRDN operation is invisible after the fact, eliminating the evidentiary trail required for breach investigation, insider-threat detection, and compliance review. An attacker or malicious insider who modifies directory data - adding accounts, weakening ACLs, or altering group memberships - leaves no record from which the changes could be forensically reconstructed. Enabling nsslapd-auditlog-logging-enabled causes 389DS to write a timestamped LDIF record for every successful change, while nsslapd-auditfaillog-logging-enabled captures rejected change attempts such as ACL violations, which reveal probing activity before a breach occurs. Together these logs satisfy the AU-2 (event identification) and AU-12 (audit record generation) requirements of NIST SP 800-53 and underpin the forensic depth expected by DISA SRG controls SRG-APP-000089 and SRG-APP-000095.

Check

Confirm that both the audit log and audit-fail log are enabled in cn=config.

dsconf <instance> config get nsslapd-auditlog-logging-enabled nsslapd-auditfaillog-logging-enabled

Expected: nsslapd-auditlog-logging-enabled: on and nsslapd-auditfaillog-logging-enabled: on

Remediation

Enable the audit log and audit-fail log so all directory changes and failed change attempts are recorded.

dsconf <instance> config replace nsslapd-auditlog-logging-enabled=on nsslapd-auditfaillog-logging-enabled=on

Implementation Notes

Audit logging is off by default in 389DS; it must be explicitly enabled. Toggling these logging attributes takes effect without a server restart. Audit logs land under /var/log/dirsrv/slapd-<instance>/ (filenames audit and audit-fail); the log path can be inspected or changed via the nsslapd-auditlog cn=config attribute. To avoid unbounded disk growth, pair this control with the log rotation and retention settings covered in 389-LM-002 and central forwarding in 389-LM-003.
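As an added example (not part of this control page or of 389DS itself), a small Python triage pass over audit-log records: it parses the timestamped LDIF layout described above and separates successful changes to sensitive attributes (ACIs, group membership, the audit-logging switch itself) from rejected attempts of the kind the audit-fail log exists to capture. The sample records, their result codes and the SENSITIVE_ATTRS list are constructed assumptions to be tuned against a real deployment's logs.

```python
import re

# Constructed sample (not from the page) in the timestamped-LDIF layout 389DS writes;
# the second record stands for an audit-fail entry (assumption: non-zero LDAP result).
SAMPLE_AUDIT_LOG = """\
time: 20240301102200
dn: ou=People,dc=example,dc=com
result: 0
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "open"; allow (all) userdn="ldap:///anyone";)
-
time: 20240301102500
dn: cn=admins,ou=Groups,dc=example,dc=com
result: 50
changetype: modify
add: member
member: uid=contractor,ou=People,dc=example,dc=com
-
"""
# Attributes whose change should be reviewed (assumption: tune per deployment).
SENSITIVE_ATTRS = {"aci", "member", "uniquemember", "userpassword",
                   "nsslapd-auditlog-logging-enabled"}

def parse_records(text):
    """One dict per record (each starts at a 'time:' line): header fields plus
    the lower-cased set of attributes named by add/delete/replace lines."""
    records = []
    for chunk in filter(None, re.split(r"(?m)^(?=time: )", text.strip())):
        rec = {"attrs": set()}
        for line in chunk.splitlines():
            hdr = re.match(r"^(time|dn|result|changetype): (.*)$", line)
            op = re.match(r"^(add|delete|replace): (\S+)$", line)
            if hdr and hdr.group(1) not in rec:
                rec[hdr.group(1)] = hdr.group(2)
            elif op:
                rec["attrs"].add(op.group(2).lower())
        records.append(rec)
    return records

def review(records):
    """Return (sensitive, failed): successful changes touching SENSITIVE_ATTRS as
    (time, dn, attrs), and rejected changes as (time, dn, result)."""
    sensitive = [(r["time"], r["dn"], sorted(r["attrs"] & SENSITIVE_ATTRS))
                 for r in records
                 if r.get("result", "0") == "0" and r["attrs"] & SENSITIVE_ATTRS]
    failed = [(r["time"], r["dn"], r["result"])
              for r in records if r.get("result", "0") != "0"]
    return sensitive, failed
```

Point the same functions at /var/log/dirsrv/slapd-<instance>/audit and audit-fail once the control is enabled; the records the check expects to find are exactly what this pass consumes.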