080 – Prevent log modification

Summary

System logs must not allow modifications or alterations.

Description

Logs are used to analyze a system's behavior. They help detect errors and suspicious activity, and often hold very sensitive information. Therefore, they should be protected so that no unauthorized actor can modify them, since this could prevent a vulnerability or a breach from being noticed in a timely manner.

Supported In

Essential: True

Advanced: True

References

• CAPEC-161. Infrastructure manipulation
• OWASP10-A1. Broken access control
• CERTJ-IDS03-J. Do not log unsanitized user input
• PADSS-5_2_8. Improper access controls
• CMMC-AC_L2-3_1_7. Privileged functions
• CMMC-AU_L2-3_3_8. Audit protection
• HITRUST-06_c. Protection of organizational records
• HITRUST-09_ab. Monitoring system use
• HITRUST-09_ac. Protection of log information
• FEDRAMP-AU-12_3. Audit regeneration - Changes by authorized individuals
• FEDRAMP-CA-7. Continuous monitoring
• ISO27002-5_33. Protection of records
• ISO27002-8_15. Logging
• IEC62443-SI-3_9. Protection of audit information
• OSSTMM3-11_17_2. Data networks security (alert and log review) - Storage and retrieval
• ISSAF-H_14_7. Network security - Intrusion detection (detection engine)
• ISSAF-S_5_4. Web server security - Countermeasures (enable logging and do periodic analysis)
• PTES-7_4_2_12. Post exploitation - Pillaging (monitoring and management)
• BSAFSS-LO_2-2. Implement securely logging mechanisms
• NIST800171-3_8. Protect audit information and audit logging tools from unauthorized access, modification, and deletion
• ASVS-7_3_3. Log protection
• PCI-10_3_2. Audit logs are protected from destruction and unauthorized modifications
• SIGLITE-SL_85. Operating system and application logs relevant to supporting incident investigation protected against modification, deletion, and/or inappropriate access?
• SIG-M_1_14. End user device security
• SIG-U_1_4_2. Server security
• SIG-U_1_9_9. Server security
• ASVS-7_3_1. Log protection
• ISO27001-5_33. Protection of records
• ISO27001-8_15. Logging
• CASA-7_3_1. Log Protection
• CASA-7_3_3. Log Protection
• RESOLSB-Art_26_11_g. Information Security
• NIST-DE_AE-02. Potentially adverse events are analyzed to better understand associated activities
• NIST-RS_AN-07. Incident data and metadata are collected, and their integrity and provenance are preserved

Weaknesses

• 394 – Insufficient data authenticity validation - Cloudtrail Logs
• 091 – Log injection

Last updated

2024/03/05