Summary

System logs must not allow modifications or alterations.

Description

Logs are used to analyze a system's behavior. They help detect errors and suspicious activity, and often hold very sensitive information. Therefore, they should be protected so that no unauthorized actor can modify them, since this could prevent a vulnerability or a breach from being noticed in a timely manner.

Supported In

This requirement is verified in following services

References

• CAPEC™-161. Infrastructure manipulation
• OWASP TOP 10-A1. Broken access control
• CERT-J-IDS03-J. Do not log unsanitized user input
• PA-DSS-5_2_8. Improper access controls
• CMMC-AC_L2-3_1_7. Privileged functions
• CMMC-AU_L2-3_3_8. Audit protection
• HITRUST CSF-06_c. Protection of organizational records
• HITRUST CSF-09_ab. Monitoring system use
• HITRUST CSF-09_ac. Protection of log information
• FedRAMP-AU-12_3. Audit regeneration - Changes by authorized individuals
• FedRAMP-CA-7. Continuous monitoring
• ISO/IEC 27002-5_33. Protection of records
• ISO/IEC 27002-8_15. Logging
• ISA/IEC 62443-SI-3_9. Protection of audit information
• OSSTMM3-11_17_2. Data networks security (alert and log review) - Storage and retrieval
• ISSAF-H_14_7. Network security - Intrusion detection (detection engine)
• ISSAF-S_5_4. Web server security - Countermeasures (enable logging and do periodic analysis)
• PTES-7_4_2_12. Post exploitation - Pillaging (monitoring and management)
• BSAFSS-LO_2-2. Implement securely logging mechanisms
• NIST 800-171-3_8. Protect audit information and audit logging tools from unauthorized access, modification, and deletion
• OWASP ASVS-7_3_3. Log protection
• PCI DSS-10_3_2. Audit logs are protected from destruction and unauthorized modifications
• SIG Lite-SL_85. Operating system and application logs relevant to supporting incident investigation protected against modification, deletion, and/or inappropriate access?
• SIG Core-M_1_14. End user device security
• SIG Core-U_1_4_2. Server security
• SIG Core-U_1_9_9. Server security
• OWASP ASVS-7_3_1. Log protection
• ISO/IEC 27001-5_33. Protection of records
• ISO/IEC 27001-8_15. Logging
• CASA-7_3_1. Log Protection
• CASA-7_3_3. Log Protection
• Resolution SB 2021 2126-Art_26_11_g. Information Security
• NIST CSF-DE_AE-02. Potentially adverse events are analyzed to better understand associated activities
• NIST CSF-RS_AN-07. Incident data and metadata are collected, and their integrity and provenance are preserved

Vulnerabilities

• 091.Log injection
• 394.Insufficient data authenticity validation - Cloudtrail Logs

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.