Configure Logging settings in accordance with organizational standards.
CONTROL ID 07611
CONTROL TYPE Configuration
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain system hardening procedures., CC ID: 12001
This Control has the following implementation support Control(s):
Configure "CloudTrail" to organizational standards., CC ID: 15443
Configure "CloudTrail log file validation" to organizational standards., CC ID: 15437
Configure "VPC flow logging" to organizational standards., CC ID: 15436
Configure "object-level logging" to organizational standards., CC ID: 15433
Configure "Turn on PowerShell Transcription" to organizational standards., CC ID: 15415
Configure "Turn on PowerShell Script Block Logging" to organizational standards., CC ID: 15413
Configure "Audit PNP Activity" to organizational standards., CC ID: 15393
Configure "Include command line in process creation events" to organizational standards., CC ID: 15358
Configure "Audit Group Membership" to organizational standards., CC ID: 15341
Configure the "audit_backlog_limit" setting to organizational standards., CC ID: 15324
Configure the "/etc/docker/daemon.json" files and directories auditing to organizational standards., CC ID: 14467
Configure the "systemd-journald" to organizational standards., CC ID: 15326
Configure the "/etc/docker" files and directories auditing to organizational standards., CC ID: 14459
Configure the "docker.socket" files and directories auditing to organizational standards., CC ID: 14458
Configure the "docker.service" files and directories auditing to organizational standards., CC ID: 14454
Configure the "/var/lib/docker" files and directories auditing to organizational standards., CC ID: 14453
Configure the "/usr/sbin/runc" files and directories auditing to organizational standards., CC ID: 14452
Configure the "/usr/bin/containerd" files and directories auditing to organizational standards., CC ID: 14451
Configure the "/etc/default/docker" files and directories auditing to organizational standards., CC ID: 14450
Configure the "/etc/sysconfig/docker" files and directories auditing to organizational standards., CC ID: 14449
Provide the reference database used to verify input data in the logging capability., CC ID: 15018
Configure the storage parameters for all logs., CC ID: 06330
Configure the "Audit Policy: Object Access: SAM" to organizational standards., CC ID: 07612
Configure the security parameters for all logs., CC ID: 01712
Configure the "Audit Policy: Account Management: User Account Management" to organizational standards., CC ID: 07613
Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc., CC ID: 06331
Configure the "Audit Policy: System: System Integrity" to organizational standards., CC ID: 07652
Configure all logs to capture auditable events or actionable events., CC ID: 06332
Configure the "Audit Policy: Object Access: File Share" to organizational standards., CC ID: 07655
Configure the event log settings for specific Operating System functions., CC ID: 06337
Configure the "Audit Policy: Object Access: Registry" to organizational standards., CC ID: 07658
Configure the "Audit Policy: Logon-Logoff: Logoff" to organizational standards., CC ID: 07662
Configure additional log file parameters appropriately., CC ID: 06338
Configure the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to organizational standards., CC ID: 07664
Configure the "Background upload of a roaming user profile's registry file while user is logged on" setting to organizational standards., CC ID: 10761
Configure the "Audit Policy: Object Access: File System" to organizational standards., CC ID: 07666
Configure the "Backup log automatically when full" setting for the "setup log" to organizational standards., CC ID: 10762
Configure the "Audit Policy: Logon-Logoff: Logon" to organizational standards., CC ID: 07669
Configure the "Applications preference logging and tracing" setting to organizational standards., CC ID: 10774
Configure the "Audit Policy: Account Logon: Kerberos Authentication Service" to organizational standards., CC ID: 07679
Configure the "Data Sources preference logging and tracing" setting to organizational standards., CC ID: 10779
Configure the "Audit Policy: Logon-Logoff: IPsec Extended Mode" to organizational standards., CC ID: 07683
Configure the "Devices preference logging and tracing" setting to organizational standards., CC ID: 10782
Configure the "Audit Policy: Object Access: Handle Manipulation" to organizational standards., CC ID: 07684
Configure the "Drive Maps preference logging and tracing" setting to organizational standards., CC ID: 10783
Configure the "Audit Policy: Object Access: Detailed File Share" to organizational standards., CC ID: 07687
Configure the "Environment preference logging and tracing" setting to organizational standards., CC ID: 10784
Configure the "Audit Policy: Logon-Logoff: Network Policy Server" to organizational standards., CC ID: 07701
Configure the "Files preference logging and tracing" setting to organizational standards., CC ID: 10785
Configure the "Audit Policy: Detailed Tracking: Process Creation" to organizational standards., CC ID: 07707
Configure the "Folder Options preference logging and tracing" setting to organizational standards., CC ID: 10786
Configure the "Audit Policy: System: IPsec Driver" to organizational standards., CC ID: 07708
Configure the "Folders preference logging and tracing" setting to organizational standards., CC ID: 10787
Configure the "Audit Policy: Logon-Logoff: Account Lockout" to organizational standards., CC ID: 07713
Configure the "Ini Files preference logging and tracing" setting to organizational standards., CC ID: 10788
Configure the "Audit Policy: Object Access: Kernel Object" to organizational standards., CC ID: 07720
Configure the "Internet Settings preference logging and tracing" setting to organizational standards., CC ID: 10789
Configure the "Audit Policy: Object Access: Other Object Access Events" to organizational standards., CC ID: 07724
Configure the "Local Users and Groups preference logging and tracing" setting to organizational standards., CC ID: 10793
Configure the "Audit Policy: DS Access: Directory Service Replication" to organizational standards., CC ID: 07734
Configure the "Regional Options preference logging and tracing" setting to organizational standards., CC ID: 10802
Configure the "Audit Policy: Policy Change: Audit Policy Change" to organizational standards., CC ID: 07735
Configure the "Audit Policy: DS Access: Directory Service Changes" to organizational standards., CC ID: 07736
Configure the "Registry preference logging and tracing" setting to organizational standards., CC ID: 10803
Configure the "Audit Policy: Object Access: Certification Services" to organizational standards., CC ID: 07742
Configure the "Scheduled Tasks preference logging and tracing" setting to organizational standards., CC ID: 10815
Configure the "Maximum Log Size (KB)" to organizational standards., CC ID: 07744
Configure the "Services preference logging and tracing" setting to organizational standards., CC ID: 10818
Configure the "Audit Policy: Detailed Tracking: DPAPI Activity" to organizational standards., CC ID: 07746
Configure the "Shortcuts preference logging and tracing" setting to organizational standards., CC ID: 10819
Configure the "Audit Policy: Account Management: Other Account Management Events" to organizational standards., CC ID: 07751
Configure the "Start Menu preference logging and tracing" setting to organizational standards., CC ID: 10821
Configure the "Audit Policy: Account Management: Computer Account Management" to organizational standards., CC ID: 07752
Configure the "Delete data from devices running Microsoft firmware when a user logs off from the computer." setting to organizational standards., CC ID: 10846
Configure the "Audit Policy: Privilege Use: Non Sensitive Privilege Use" to organizational standards., CC ID: 07756
Configure the "Disable logging via package settings" setting to organizational standards., CC ID: 10864
Configure the "Audit Policy: Object Access: Application Generated" to organizational standards., CC ID: 07757
Configure the "Do not forcefully unload the users registry at user logoff" setting to organizational standards., CC ID: 10930
Configure the "Audit Policy: DS Access: Detailed Directory Service Replication" to organizational standards., CC ID: 07764
Configure the "Do not log users on with temporary profiles" setting to organizational standards., CC ID: 10931
Configure the "Audit Policy: Privilege Use: Other Privilege Use Events" to organizational standards., CC ID: 07776
Configure the "Log Access" setting for the "application log" to organizational standards., CC ID: 11026
Configure the "Audit Policy: Account Logon: Kerberos Service Ticket Operations" to organizational standards., CC ID: 07786
Configure the "Log Access" setting for the "setup log" to organizational standards., CC ID: 11027
Configure the "Audit Policy: DS Access: Directory Service Access" to organizational standards., CC ID: 07790
Configure the "Log Access" setting for the "system log" to organizational standards., CC ID: 11028
Configure the "Retain old events" to organizational standards., CC ID: 07791
Configure the "Log directory pruning retry events" setting to organizational standards., CC ID: 11029
Configure the "Audit: Audit the use of Backup and Restore privilege" to organizational standards., CC ID: 07792
Configure the "Log event when quota limit exceeded" setting to organizational standards., CC ID: 11030
Configure the "Audit Policy: Policy Change: MPSSVC Rule-Level Policy Change" to organizational standards., CC ID: 07793
Configure the "Log File Path" setting for the "application log" to organizational standards., CC ID: 11033
Configure the "Audit Policy: Policy Change: Other Policy Change Events" to organizational standards., CC ID: 07810
Configure the "Log File Path" setting for the "setup log" to organizational standards., CC ID: 11034
Configure the "Log File Path" setting for the "system log" to organizational standards., CC ID: 11035
Configure the "Audit: Shut down system immediately if unable to log security audits" to organizational standards., CC ID: 07812
Configure the "Logging" setting to organizational standards., CC ID: 11036
Configure the "Audit Policy: System: Other System Events" to organizational standards., CC ID: 07817
Configure the "Remove "Disconnect" option from Shut Down dialog" setting to organizational standards., CC ID: 11126
Configure the "Audit Policy: Account Management: Application Group Management" to organizational standards., CC ID: 07819
Configure the "Remove browse dialog box for new source" setting to organizational standards., CC ID: 11127
Configure the "MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning" to organizational standards., CC ID: 07820
Configure the "Restricts the UI language Windows uses for all logged users" setting to organizational standards., CC ID: 11147
Configure the "Audit Policy: Account Logon: Other Account Logon Events" to organizational standards., CC ID: 07825
Configure the "Set roaming profile path for all users logging onto this computer" setting to organizational standards., CC ID: 11182
Configure the "Audit Policy: Account Management: Distribution Group Management" to organizational standards., CC ID: 07828
Configure the "Set the Time interval in minutes for logging accounting data" setting to organizational standards., CC ID: 11193
Configure the "Audit: Audit the access of global system objects" to organizational standards., CC ID: 07831
Configure the "Turn off Resultant Set of Policy logging" setting to organizational standards., CC ID: 11307
Configure the "Audit Policy: Logon-Logoff: Special Logon" to organizational standards., CC ID: 07835
Configure the "Turn on extensive logging for Active Directory Domain Services domain controllers that are running Server for NIS" setting to organizational standards., CC ID: 11343
Configure the "Audit Policy: Detailed Tracking: RPC Events" to organizational standards., CC ID: 07840
Configure the "Turn on extensive logging for Password Synchronization" setting to organizational standards., CC ID: 11344
Configure the "Audit Policy: Policy Change: Authentication Policy Change" to organizational standards., CC ID: 07846
Configure the "Turn on logging" setting to organizational standards., CC ID: 11345
Configure the "Audit Policy: Detailed Tracking: Process Termination" to organizational standards., CC ID: 07849
Configure the "Turn on session logging" setting to organizational standards., CC ID: 11350
Configure the "Audit Policy: Logon-Logoff: IPsec Quick Mode" to organizational standards., CC ID: 07852
Configure the "Audit Policy: Object Access: Filtering Platform Packet Drop" to organizational standards., CC ID: 07856
Configure the "Audit Policy: Object Access: Filtering Platform Connection" to organizational standards., CC ID: 07864
Configure the "Audit Policy: Policy Change: Authorization Policy Change" to organizational standards., CC ID: 07875
Configure the "Audit Policy: Account Management: Security Group Management" to organizational standards., CC ID: 07880
Configure the "Audit Policy: Privilege Use: Sensitive Privilege Use" to organizational standards., CC ID: 07887
Configure the "Audit Policy: Logon-Logoff: IPsec Main Mode" to organizational standards., CC ID: 07888
Configure the "Audit Policy: Account Logon: Credential Validation" to organizational standards., CC ID: 07892
Configure the "Audit Policy: Policy Change: Filtering Platform Policy Change" to organizational standards., CC ID: 07895
Configure the "Audit Policy: Logon-Logoff: Other Logon/Logoff Events" to organizational standards., CC ID: 07899
Configure the "Audit Policy: System: Security State Change" to organizational standards., CC ID: 07903
Configure the "Audit Policy: System: Security System Extension" to organizational standards., CC ID: 07904
Configure the "Audit account logon events" to organizational standards., CC ID: 08188
Configure the "Retention method for security log" to organizational standards., CC ID: 08197
Configure the "Retention method for system log" to organizational standards., CC ID: 08211
Configure the "Audit logon events" to organizational standards., CC ID: 08221
Configure the "Retention method for application log" to organizational standards., CC ID: 08226
Configure the "Retain security log" to organizational standards., CC ID: 08241
Configure the "Audit system events" to organizational standards., CC ID: 08244
Configure the "Retain application log" to organizational standards., CC ID: 08246
Configure the "Prevent local guests group from accessing application log" to organizational standards., CC ID: 08248
Configure the "Maximum security log size" to organizational standards., CC ID: 08251
Configure the "Retain system log" to organizational standards., CC ID: 08258
Configure the "Audit privilege use" to organizational standards., CC ID: 08266
Configure the "Audit policy change" to organizational standards., CC ID: 08272
Configure the "Audit object access" to organizational standards., CC ID: 08278
Configure the "Audit process tracking" to organizational standards., CC ID: 08283
Configure the "Maximum system log size" to organizational standards., CC ID: 08286
Configure the "Maximum application log size" to organizational standards., CC ID: 08296
Configure the "Prevent local guests group from accessing security log" to organizational standards., CC ID: 08297
Configure the "Audit directory service access" to organizational standards., CC ID: 08304
Configure the "Audit account management" to organizational standards., CC ID: 08316
Configure the "Prevent local guests group from accessing system log" to organizational standards., CC ID: 08336
Configure the "Specify the maximum log file size (KB)" to organizational standards., CC ID: 08352
Configure the "Message tracking logging - Mailbox" to organizational standards., CC ID: 08360
Configure the "Turn on Connectivity logging" to organizational standards., CC ID: 08398
Configure the "Windows Firewall: Domain: Logging: Size limit (KB)" to organizational standards., CC ID: 08405
Configure the "Control Event Log behavior when the log file reaches its maximum size" to organizational standards., CC ID: 08444
Configure the "Windows Firewall: Private: Logging: Log dropped packets" to organizational standards., CC ID: 08445
Configure the "Windows Firewall: Public: Logging: Log dropped packets" to organizational standards., CC ID: 08454
Configure the "Configure Protocol logging" to organizational standards., CC ID: 08463
Configure the "Message tracking logging - Transport" to organizational standards., CC ID: 08477
Configure the "Windows Firewall: Domain: Logging: Log dropped packets" to organizational standards., CC ID: 08501
Configure the "Audit Policy: Object Access: Removable Storage" to organizational standards., CC ID: 08504
Configure the "Windows Firewall: Domain: Logging: Name" to organizational standards., CC ID: 08543
Configure the "Windows Firewall: Public: Logging: Log successful connections" to organizational standards., CC ID: 08545
Configure the "Audit Policy: Object Access: Central Access Policy Staging" to organizational standards., CC ID: 08558
Configure the "Windows Firewall: Public: Logging: Name" to organizational standards., CC ID: 08565
Configure the "Windows Firewall: Private: Logging: Size limit (KB)" to organizational standards., CC ID: 08606
Configure the "kernel arguments" setting for "auditing early in the boot process" to organizational standards., CC ID: 08749
Configure the "record date and time modification events" setting for "auditing" to organizational standards., CC ID: 08750
Configure the "record user/group information modification events" setting for "auditing" to organizational standards., CC ID: 08751
Configure the "record changes to the system network environment" setting for "auditing" to organizational standards., CC ID: 08752
Configure the "record changes to the system's mandatory access controls" setting for "auditing" to organizational standards., CC ID: 08753
Configure the "record logon and logout events" setting for "auditing" to organizational standards., CC ID: 08754
Configure the "record process and session initiation events" setting for "auditing" to organizational standards., CC ID: 08755
Configure the "record changes to discretionary access control permissions" setting for "auditing" to organizational standards., CC ID: 08756
Configure the "record unauthorized attempts to access files" setting for "auditing" to organizational standards., CC ID: 08757
Configure the "record use of privileged commands" setting for "auditing" to organizational standards., CC ID: 08758
Configure the "record data export to media events" setting for "auditing" to organizational standards., CC ID: 08759
Configure the "record file and program deletion events" setting for "auditing" to organizational standards., CC ID: 08760
Configure the "record administrator and security personnel action events" setting for "auditing" to organizational standards., CC ID: 08761
Configure the "record kernel module loading and unloading events" setting for "auditing" to organizational standards., CC ID: 08762
Configure the "Ensure auditd configuration is immutable" setting for "auditing" to organizational standards., CC ID: 08763
Configure the "audit file ownership changes" setting to organizational standards., CC ID: 08966
Configure the "audit change user functions" setting to organizational standards., CC ID: 08982
Configure the "audit the use of chmod command" setting to organizational standards., CC ID: 08983
Configure the "audit the chown command" setting to organizational standards., CC ID: 08984
Configure the "Collect Session Initiation Information" setting to organizational standards., CC ID: 09948
Configure the "Collect Discretionary Access Control Permission Modification Events" setting to organizational standards., CC ID: 09949
Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Fault Tolerant Heap" to organizational standards., CC ID: 10808
Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows Boot Performance Diagnostics" to organizational standards., CC ID: 10809
Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows Memory Leak Diagnosis" to organizational standards., CC ID: 10810
Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows Resource Exhaustion Detection and Resolution" to organizational standards., CC ID: 10811
Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows Shutdown Performance Diagnostics" to organizational standards., CC ID: 10812
Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows Standby/Resume Performance Diagnostics" to organizational standards., CC ID: 10813
Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows System Responsiveness Diagnostics" to organizational standards., CC ID: 10814
Configure the "Default quota limit and warning level" setting to organizational standards., CC ID: 10840
Configure the "Detect application failures caused by deprecated COM objects" setting to organizational standards., CC ID: 10851
Configure the "Detect application failures caused by deprecated Windows DLLs" setting to organizational standards., CC ID: 10852
Configure the "Detect application install failures" setting to organizational standards., CC ID: 10853
Configure the "Detect application installers that need to be run as administrator" setting to organizational standards., CC ID: 10854
Configure the "Detect applications unable to launch installers under UAC" setting to organizational standards., CC ID: 10855
Configure the "Diagnostics: Configure scenario execution level" setting to organizational standards., CC ID: 10856
Configure the "Disk Diagnostic: Configure execution level" setting to organizational standards., CC ID: 10883
Configure the "Log event when quota warning level exceeded" setting to organizational standards., CC ID: 11031
Configure the "Log File Debug Output Level" setting to organizational standards., CC ID: 11032
Configure the "Microsoft Support Diagnostic Tool: Configure execution level" setting to organizational standards., CC ID: 11043
Configure the "Primary DNS Suffix Devolution Level" setting to organizational standards., CC ID: 11096
Configure the "Require user authentication for remote connections by using Network Level Authentication" setting to organizational standards., CC ID: 11138
Configure the "Specify channel binding token hardening level" setting to organizational standards., CC ID: 11209
Configure the "Update Security Level" setting to organizational standards., CC ID: 11357
Configure the "Update Top Level Domain Zones" setting to organizational standards., CC ID: 11358
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
Ensuring that logs or audit trails, as required, are enabled and monitored for the applications (Critical components of information security 11) c.2. Bullet 10, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
Banks should validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized… (Critical components of information security 17) xiv., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
The organization must establish and maintain logging requirements, including the log server availability requirements. (Control: 0580 Bullet 1 Dash 1, Australian Government Information Security Manual: Controls)
The organization must establish and maintain logging requirements, including reliably delivering the log information to the log server. (Control: 0580 Bullet 1 Dash 2, Australian Government Information Security Manual: Controls)
The types of events and information that should be logged should be based on the results of a risk assessment. (§ 3.7.13, Australian Government ICT Security Manual (ACSI 33))
Logs must be kept of the processing steps that were performed, especially the modifications, consultations, and transmissions, and the steps can be traced with regard to permissibility. This measure must take into account the state of the art and the costs to safeguard the data at an appropriate lev… (§ 14(2)7, § 14(3), Austria Data Protection Act)
Auditing and logging should be enabled. Auditing captures successful and unsuccessful security-related events. Mac OS X provides a suite of auditing tools, but they require an optional installation. Logging records messages about the status of the system, not all of which are security-related. (Pg 131, Pg 132, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition)
Ensure that the audit policy covers key security concerns Description: Ensure that the audit policy created for the cluster covers key security concerns. Rationale: Security audit logs should cover access and modification of key resources in the cluster, to enable them to form an effective part of a… (3.2.2, The Center for Internet Security Kubernetes Level 2 Master Node Benchmark, v 1.6.0)
Logs are a valuable resource when tracking security incidents. Logging should be enabled on all systems. By default, the logs are located in /var/log. The following line should be added to the /etc/syslog.conf file: @your.log.host (your.log.host is the name of the log server). This will enable the l… (§ 2.11, The Center for Internet Security Mac OS X Tiger Level I Security Benchmark, 1)
Novell Audit can track events on a NetWare server, eDirectory, and other computers and networks. It can run on NetWare 5.1 or later, Windows 2000 or later, Solaris, SUSE Enterprise Linux, and Red Hat Enterprise Linux operating systems. Novell Audit should be enabled and used for auditing purposes. (§ 3.1, The Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings Benchmark, 1)
Logging should be enabled and configured. (§ 1.2 (2.3.1.130), The Center for Internet Security Wireless Networking Benchmark, Cisco Addendum, 1)
A log of backed up data should be maintained with reference to the storage media. (¶ 19.6 Bullet 2, Good Practices For Computerized systems In Regulated GXP Environments)
Procedures for the monitoring and logging of wireless traffic, and unexpected network events, must be defined and implemented; this is considered essential to detect potential attacks. (§ 3-2, MasterCard Wireless LANs - Security Risks and Guidelines, December 2004)
Verify through observation that audit trails are enabled and active for system components. (§ 10.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
Verify through interviewing the System Administrator that audit trails are enabled and active for system components. (§ 10.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
Audit trails and logging must be enabled and unique to each entity's cardholder data environment and consistent with requirement 10 in the Payment Card Industry Data Security Standard when using a shared hosting provider. (App A Requirements § A.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers, 3)
Verify the shared hosting provider has enabled logging for common third party applications for each merchant and service provider environment. (App A Testing Procedures § A.1.3 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers, 3)
Examine the anti-virus configurations, including the master installation, to verify that log generation is enabled. (Testing Procedures § 5.2.d Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
Interview and observe the system administrator to verify audit trails have been enabled and are active for each system component. (Testing Procedures § 10.1 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
Verify through observation that audit trails are enabled and active for system components. (§ 10.1 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
Verify through interviewing the system administrator that audit trails are enabled and active for system components. (§ 10.1 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
Record at least the following audit trail entries for all system components for each event: (§ 10.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
Record at least the following audit trail entries for all system components for each event: (PCI DSS Requirements § 10.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
Ensure that all anti-virus mechanisms are maintained as follows:
- Are kept current,
- Perform periodic scans
- Generate audit logs which are retained per PCI DSS Requirement 10.7. (5.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
Ensure that all anti-virus mechanisms are maintained as follows:
- Are kept current,
- Perform periodic scans
- Generate audit logs which are retained per PCI DSS Requirement 10.7. (5.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
Are automated audit trails implemented for all system components to reconstruct the following events: (10.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (5.2(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (5.2(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (5.2(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
Are audit trails enabled and active for system components? (10.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (5.2(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
Are audit trails enabled and active for system components? (10.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
Are logging and audit trails enabled and unique to each entity's cardholder data environment and consistent with PCI DSS Requirement 10? (A.1.3 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (5.2(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
Are audit trails enabled and active for system components? (10.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that:
- Anti-virus software log generation is enabled, and
- Logs are retained in accordance with PCI DSS Requirement 10.7. (5.2.d, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
The application should have the ability to audit all activities and be able to link the activity to a unique individual. (§ 4.1, § 4.2, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
For each merchant and service provider environment, are logs enabled for common third-party applications? (PCI DSS Question A.1.3(b) Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
For each merchant and service provider environment, are logs active by default? (PCI DSS Question A.1.3(b) Bullet 2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
For each merchant and service provider environment, are logs available for review by the owning entity? (PCI DSS Question A.1.3(b) Bullet 3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
For each merchant and service provider environment, are log locations clearly communicated to the owning entity? (PCI DSS Question A.1.3(b) Bullet 4, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
Ensure that any audit or logging capability is enabled. Additionally, regularly inspect system logs and reports for abnormal activity. If abnormal activity is suspected or discovered, discontinue access to the mobile device and its payment application until the issue has been resolved. Abnormal acti… (¶ 6.5.2, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users, Version 1.1)
Security-related event logging should be enabled at all times. (CF.10.04.06a, The Standard of Good Practice for Information Security)
Security-related event logging should be enabled at all times. (CF.10.04.06a, The Standard of Good Practice for Information Security, 2013)
Returning to the OWASP Top 10 2021, this category is to help detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected. (A09:2021 – Security Logging and Monitoring Failures, OWASP Top 10 - 2021)
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 day… (A10:2017-Insufficient Logging & Monitoring, OWASP Top 10, 2017)
Auditing and logging should be enabled at a sufficient level before an incident occurs. (Action 1.8.5, SANS Computer Security Incident Handling, Version 2.3.1)
The proxy on the Demilitarized Zone network should log individual Transmission Control Protocol sessions. (Critical Control 13.6, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
¶ 8.1.5(6) Operational Issues. An organization should implement safeguards which assure that all procedures maintain the secure, correct and reliable functioning of the IT equipment and related system(s) used. This should be achieved by implementing organizational procedures. Operational safeguards… (¶ 8.1.5(6), ¶ 8.2.2(5), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
All modifications to the product should be auditable. The name of the person making the change, the date of the change, and the time of the change should be captured in the audit trail. (§ 13.2, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
All modifications to the product should be auditable. The name of the person making the change, the date of the change, and the time of the change should be captured in the audit trail. (§ 13.2, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
Auditing and logging of events should be enabled. (§ 10.10.1, § 10.10.4, § 10.10.5, ISO 27002 Code of practice for information security management, 2005)
The cloud service provider should identify the requirements for any utility programs used within the cloud service. The cloud service provider should ensure that any use of utility programs capable of bypassing normal operating or security procedures is strictly limited to authorized personnel, and … (§ 9.4.4 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]. (AU-3(1) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]. (AU-3(1) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignme… (AU-12(3) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
When windows Internet Information Services is used for web services, is logging configured to support incident investigation? (§ G.21.2.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
When Apache is used for web services, is logging configured to support incident investigation? (§ G.21.3.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
Table F-1: For Windows 2000 Server, the organization must configure the system per the NIST SP 800-53 audit control requirements.
Table F-2: For Windows 2003 Server, the organization must configure the system per the NIST SP 800-53 audit control requirements.
Table F-3: For Windows 2000 Professional… (Table F-1, Table F-2, Table F-3, Table F-4, Table F-5, Table F-6, Table F-7, Table F-8, Table F-10, CMS Business Partners Systems Security Manual, Rev. 10)
The System Administrator should configure the system to log all system activity. Logs should be reviewed on a weekly basis to ensure the FTP system-to-system accounts have not been compromised. If unauthorized access is detected, the password should be changed immediately. (§ 3.5, § 8.3, Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2, 28 August 2006)
Auditing allows system administrators the ability to track information about specific users and processes. The system administrator should ensure auditing is implemented and configured. The following events should be audited for all users and root: unsuccessful and successful logons; successful logo… (§ 3.3, § 3.16, § 8.2, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1)
Accounting and auditing must be enabled on remote access servers and network access servers. Organizations must log user dial-in session statistics, at a minimum. (§ 4.2.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
System-level auditing should be set to Enabled. (§ 5.3.11.6, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
File and directory auditing should be configured to the Everyone group for all drives. System-level auditing should be Enabled. (§ 3.5.5 (4.008), § 3.6.1 (2.007), DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
System-level auditing should be Enabled. (§ 5.3.12.3, DISA Windows XP Security Checklist, Version 6 Release 1.11)
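The Windows checklist items above say only that system-level auditing "should be Enabled"; in practice the question is whether each audit subcategory the organization requires is actually collecting Success and/or Failure events. The following is an added example, not part of the DISA checklists or of this page: it reads the CSV that `auditpol /get /category:* /r` prints (the column layout shown in the constructed sample is an assumption to verify against your own host; the sample lines are constructed, not real output) and reports every required subcategory that is missing or set below the required level. The `REQUIRED` table is a hypothetical organizational standard, not a DISA value.

```python
import csv
import io
from typing import Dict, Set

# Constructed sample in the shape of `auditpol /get /category:* /r` output
# (assumed column layout: Machine Name,Policy Target,Subcategory,
# Subcategory GUID,Inclusion Setting,Exclusion Setting). Not real host output.
SAMPLE_AUDITPOL_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WS01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,
WS01,System,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},Success,
WS01,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing,
WS01,System,Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030},Success and Failure,
WS01,System,Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030},Success,
"""

# Hypothetical organizational standard: subcategory -> minimum setting.
REQUIRED: Dict[str, str] = {
    "Logon": "Success and Failure",
    "Logoff": "Success",
    "Process Creation": "Success",
    "Audit Policy Change": "Success and Failure",
    "Security Group Management": "Success and Failure",
    "Account Lockout": "Failure",
}


def setting_tokens(setting: str) -> Set[str]:
    """Turn an auditpol inclusion setting into the set of outcomes it records."""
    s = setting.strip()
    if s == "Success and Failure":
        return {"Success", "Failure"}
    if s in ("Success", "Failure"):
        return {s}
    return set()  # "No Auditing" or anything unrecognized records nothing


def parse_auditpol_csv(text: str) -> Dict[str, str]:
    """Map subcategory name -> inclusion setting from auditpol /r CSV text."""
    rows = csv.DictReader(io.StringIO(text.strip()))
    return {row["Subcategory"].strip(): row["Inclusion Setting"].strip() for row in rows}


def check_audit_policy(text: str, required: Dict[str, str]) -> Dict[str, str]:
    """Return subcategory -> finding for every required subcategory that is
    absent from the policy dump or configured below the required level."""
    actual = parse_auditpol_csv(text)
    findings: Dict[str, str] = {}
    for subcat, want in required.items():
        if subcat not in actual:
            findings[subcat] = f"not present in policy output (want {want})"
            continue
        have = actual[subcat]
        if not setting_tokens(want) <= setting_tokens(have):
            findings[subcat] = f"configured '{have}', want '{want}'"
    return findings


if __name__ == "__main__":
    for subcat, finding in sorted(check_audit_policy(SAMPLE_AUDITPOL_CSV, REQUIRED).items()):
        print(f"{subcat}: {finding}")
```

The subset test on outcome tokens is what makes "Success and Failure" satisfy a requirement of "Success" while "Success" alone fails a requirement of "Success and Failure"; a subcategory that is absent from the dump is reported rather than silently treated as compliant, since an empty or truncated export should never pass the check.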
MFD06.001 Fully enable auditing for MFD. MFD07.004 If Fax From Network is enabled, verify that the auditing of User Access and Fax Log is enabled. (MFD06.001, MFD07.004, Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3)
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. (AU.2.042, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. (AU.2.042, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. (AU.2.042, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. (AU.2.042, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
A transaction log must record access and changes to data. (ECCD-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
Default setting. Technology must be set by default to perform the capabilities specified in paragraph (d)(2)(i)(A) of this section and, where applicable, paragraphs (d)(2)(i)(B) and (d)(2)(i)(C) of this section. (§ 170.315 (d) (2) (ii), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
When electronic health information is created, modified, accessed, or deleted, the date, time, patient identification, user identification, actions that occurred, and identity of the person who did the action must be recorded. (§ 170.210(b), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, Final Rule)
Enable logging (if supported) and review the logs on a recurring basis per local policy. At a minimum logs shall be reviewed monthly. (§ 5.13.1.1 ¶ 2(14), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
Configures and reviews audit logs. (App A Objective 3:7f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
Enables activity log settings (e.g., user access, failed login attempts, and security setting changes). (App A Objective 13:6h Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
Configuration of logging to match the entity's risk and complexity of the entity and identify and address anomalies. (App A Objective 15:7c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
Ensures that systems and software used to support entity operations have appropriate configuration management capabilities, including configuration of audit log settings, and enforces configuration management. (App A Objective 15:2b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
Identification and disposition of false positives and adjustment of logging parameters to minimize the volume of false positives in future log review. (App A Objective 15:7a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [FedRAMP Assignment: all network, data storage, and computing devices] based on [Assignment: organization-defined selectable event criteria] within [As… (AU-12(3) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
The information system generates audit records containing the following additional information: [FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or i… (AU-3(1) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
The information system generates audit records containing the following additional information: [FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or i… (AU-3(1) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
Generate audit records containing the following additional information: [FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; chara… (AU-3(1) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
Generate audit records containing the following additional information: [FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; chara… (AU-3(1) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
The system must be able to generate audit records for all security-relevant events. (§ 5.6.2, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
Are the appropriate system auditing and logging functions enabled to capture audit trails that are related to network components? (IT - Security Program Q 26, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
Does the server software have logging ability, and, if so, is it enabled? (IT - Servers Q 14, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
Has the Credit Union enabled the logging feature on the Access Point? (IT - WLANS Q 21, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
Implement the auditing and logging process. (§ 4.1.9 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
Organizational records, documents, and the system configuration should be examined to ensure audit records are being generated for all defined events and specific responsibilities and actions are defined for the implementation of the auditable events control. Any problems discovered during the imple… (AU-2, AU-2.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]. (AU-3(1) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]. (AU-3(1) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignme… (AU-12(3) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
The smart grid Information System should automatically audit the creation, modification, disabling, and termination of accounts and notifies the appropriate individual. (SG.AC-3 Additional Considerations A6, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. (3.3.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. (3.3.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. (3.3.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
The Information System must have the capability to remotely view and hear content related to established user sessions in real time. (App F § AU-14.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
The information system provides the capability for authorized users to select a user session to capture/record or view/hear. (AU-14 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
The information system provides the capability for authorized users to capture/record and log content related to a user session. (AU-14(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time. (AU-14(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
The information system, upon detection of a potential integrity violation, provides the capability to audit the event and initiates the following actions: {organizationally documented other actions}. (SI-7(8), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]. (AU-3(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignme… (AU-12(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]. (AU-3(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]. (AU-3(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignme… (AU-12(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time. (AU-14(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
The information system provides the capability for authorized users to select a user session to capture/record or view/hear. (AU-14 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
The information system provides the capability for authorized users to capture/record and log content related to a user session. (AU-14(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
The information system generates audit records containing the following additional information: [TX-RAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or i… (AU-3(1) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
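The AU-3(1) citations above (FedRAMP and TX-RAMP) assign concrete extra content that each audit record must carry beyond the base AU-3 fields: the session, connection, transaction or activity duration and, for client-server transactions, the bytes received and sent. Whether a log pipeline actually emits those fields is easy to check mechanically. The following is an added example, not part of the FedRAMP or TX-RAMP baselines or of this page: it reads JSON-lines audit records (the field names and the sample records are this example's assumptions, constructed for illustration) and reports, per line, which required fields are missing, treating unparseable lines as findings rather than skipping them.

```python
import json
from typing import Dict, List

# Base AU-3 content: what happened, when, where, source, outcome, who.
# Field names are this example's assumption, not a FedRAMP schema.
BASE_FIELDS = ["event_type", "timestamp", "host", "source", "outcome", "subject"]
# AU-3(1) assignment: activity duration for every record ...
EXTRA_FIELDS = ["duration_ms"]
# ... and bytes received/sent for client-server transactions.
CLIENT_SERVER_FIELDS = ["bytes_in", "bytes_out"]
CLIENT_SERVER_EVENTS = {"http_request", "db_query"}

# Constructed sample records (JSON lines), not real system output.
SAMPLE_LOG = """\
{"event_type":"login","timestamp":"2024-01-05T10:00:00Z","host":"app01","source":"10.0.0.5","outcome":"success","subject":"alice","duration_ms":120}
{"event_type":"http_request","timestamp":"2024-01-05T10:00:01Z","host":"app01","source":"10.0.0.5","outcome":"success","subject":"alice","duration_ms":45,"bytes_in":512,"bytes_out":2048}
{"event_type":"http_request","timestamp":"2024-01-05T10:00:02Z","host":"app01","source":"10.0.0.9","outcome":"failure","subject":"bob","duration_ms":30,"bytes_in":400}
{"event_type":"logout","timestamp":"2024-01-05T10:05:00Z","host":"app01","outcome":"success","subject":"alice"}
not json at all
"""


def missing_fields(record: dict) -> List[str]:
    """List the required fields a single record lacks (absent, null or empty)."""
    required = BASE_FIELDS + EXTRA_FIELDS
    if record.get("event_type") in CLIENT_SERVER_EVENTS:
        required = required + CLIENT_SERVER_FIELDS
    return [f for f in required if f not in record or record[f] in (None, "")]


def audit_records(text: str) -> Dict[int, List[str]]:
    """Map each non-compliant line number (1-based) to its missing fields.
    Lines that are not valid JSON map to ['<unparseable>'] so they are
    surfaced instead of silently dropped from the check."""
    findings: Dict[int, List[str]] = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings[n] = ["<unparseable>"]
            continue
        if not isinstance(rec, dict):
            findings[n] = ["<not an object>"]
            continue
        gaps = missing_fields(rec)
        if gaps:
            findings[n] = gaps
    return findings


if __name__ == "__main__":
    for n, gaps in sorted(audit_records(SAMPLE_LOG).items()):
        print(f"line {n}: missing {', '.join(gaps)}")
```

Run it against a sample from each log source before an assessment; a source that never emits `bytes_in`/`bytes_out` for its client-server events, or that drops `duration_ms` on logout, will show up as a consistent gap rather than as a one-off parsing error.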