075 – Record exceptional events in logs

Summary

The system must register all exceptional and security events in logs.

Description

The organization must properly record the exceptional and security events in duly protected logs (confidentiality), considering that an event of this type should not show confidential or detailed information of the problem in error messages to prevent the use of that information by an attacker or malicious user. Recorded events allow error pages to display simple generic messages, alerting end users that an error has occurred, with some option to contact support. The details of how to address these problems should be kept securely stored in a previously defined log storage. When an event of this type is not properly recorded, a malicious behavior can be proven difficult to detect or a forensic analysis can be obstructed in case an attack is successful.

Supported In

Essential: True

Advanced: True

References

• CIS-8_2. Collect audit logs
• CIS-8_5. Collect detailed audit logs
• CWE-390. Detection of error condition without action
• CWE-221. Information loss or omission
• CWE-778. Insufficient logging
• GDPR-33_5. Notification of a personal data breach to the supervisory authority
• HIPAA-164_312_b. Standard: audit controls
• NERCCIP-007-6_R4_1. Security event monitoring
• OWASP10-A9. Security logging and monitoring failures
• NYDFS-500_14. Training and monitoring
• MITRE-M1029. Remote data storage
• PADSS-4_2_2. Actions taken by any individual with root or administrative privileges
• PADSS-4_2_4. Invalid logical access attempts
• PADSS-4_2_5. Changes to the application's identification and authentication mechanisms with root or administrative privileges
• PADSS-4_2_6. Initialization, stopping, or pausing of the application audit logs
• PADSS-4_2_7. Creation and deletion of system-level objects
• CMMC-AU_L2-3_3_1. System audit
• CMMC-AU_L2-3_3_2. User accountability
• CMMC-AU_L2-3_3_3. Event review
• CMMC-PE_L1-3_10_4. Physical access logs
• CMMC-CA_L2-3_12_3. Security control monitoring
• CMMC-SC_L2-3_13_4. Shared resource control
• CMMC-SI_L2-3_14_3. Security alerts & advisories
• CMMC-SI_L2-3_14_7. Identify unauthorized use
• HITRUST-03_a. Risk management program development
• HITRUST-06_c. Protection of organizational records
• HITRUST-09_aa. Audit logging
• HITRUST-09_ad. Administrator and operator logs
• HITRUST-13_s. Privacy monitoring and auditing
• FEDRAMP-CA-7. Continuous monitoring
• FEDRAMP-SI-5. Security alerts, advisories, and directives
• ISO27002-8_16. Monitoring activities
• IEC62443-UC-2_8. Auditable events
• OSSTMM3-9_17_2. Wireless security (alert and log review) - Storage and retrieval
• OSSTMM3-10_3_1. Telecommunications security (active detection verification) - Monitoring
• ISSAF-H_14_7. Network security - Intrusion detection (detection engine)
• ISSAF-H_16_5. Network security - Intrusion detection (logging systems)
• ISSAF-S_5_4. Web server security - Countermeasures (enable logging and do periodic analysis)
• MVSP-2_7. Application design controls - Logging
• OWASPSCP-7. Error handling and logging
• BSAFSS-LO_1-2. Logging of all critical security incident and event information
• BSAFSS-EE_1-3. Error and exception handling capabilities
• NIST800171-3_6. Provide audit record reduction
• NIST800171-4_3. Track, review and log changes to organizational systems
• NIST800115-3_2. Log review
• SWIFTCSC-6_4. Logging and monitoring
• OSAMM-OM. Operational Management
• ASVS-7_1_3. Log content
• ASVS-7_4_1. Error handling
• C2M2-1_4_i. Manage changes to IT and OT assets
• C2M2-4_2_i. Control logical access
• C2M2-5_2_e. Perform monitoring
• C2M2-6_1_f. Detect cybersecurity events
• PCI-5_3_4. Enable audit logs for the anti-malware solution
• PCI-10_2_1. Audit logs are enabled and active for all system components
• PCI-10_2_1_4. Audit logs are enabled and active for all system components
• SIGLITE-SL_85. Operating system and application logs relevant to supporting incident investigation protected against modification, deletion, and/or inappropriate access?
• SIG-H_2_11. Access control
• SIG-H_2_12. Access control
• SIG-I_1_9. Application security
• SIG-L_11_1. Compliance
• SIG-M_1_10. End user device security
• SIG-M_1_14. End user device security
• SIG-U_1_4. Server security
• ASVS-7_2_2. Log processing
• ASVS-7_4_2. Error handling
• ASVS-8_1_4. General data protection
• ISO27001-8_16. Monitoring activities
• CASA-7_1_3. Log Content
• CASA-9_2_5. Server Communication Security
• RESOLSB-Art_27_18. Security in Electronic Channels
• NIST-DE_CM-03. Personnel activity and technology usage are monitored to find potentially adverse events

Weaknesses

• 200 – Traceability loss
• 400 – Traceability Loss - AWS
• 402 – Traceability Loss - Azure
• 408 – Traceability Loss - API Gateway
• 419 – Traceability Loss - Kubernetes
• 064 – Traceability loss - Server's clock

Last updated

2024/03/05