Security Logging Best Practice
Logging Practice Requirements (Proposed)
ID | Type | Description | Reference |
---|---|---|---|
CON-LOG-REQ-19 | REQUIRED | The container MUST be capable of automatically synchronizing the system clock daily with the Operator’s trusted time source, to assure accurate time reporting in log files. It is recommended that Coordinated Universal Time (UTC) be used where possible to eliminate ambiguity owing to daylight savings time. | |
CON-LOG-REQ-20 | REQUIRED | The container and container application MUST use STDOUT for security log collection. | |
CON-LOG-REQ-F1 | REQUIRED | Using systems and applications with native logging functionality is essential. This function MUST be taken into account during any design and development process. | |
CON-LOG-REQ-F6 | REQUIRED | The container application SHALL contextualize events (log enrichment), e.g. timestamp, IP address of the host that generated the log, user concerned, functionality concerned, application error and error detail, every access to a resource, application success, etc. | |
CON-LOG-REQ-13 | REQUIRED | The container MUST have security logging for the container and container application active from initialization. | |
CON-LOG-REQ-15 | REQUIRED | The container MUST detect when its security audit log storage medium is approaching capacity (configurable) and issue an alarm. | |
CON-LOG-REQ-F9 | REQUIRED | An event log rotation policy MUST be formalized and implemented on all logging system equipment. | |
CON-LOG-REQ-18 | REQUIRED | The container MUST support the storage of security audit logs for a configurable period of time. | |
CON-LOG-REQ-16 | REQUIRED | The container MUST support the capability of online storage of security audit logs. | |
CON-LOG-REQ-F8 | REQUIRED | A disk partition MUST be dedicated to storing event logs on the equipment that generates them. | |
CON-LOG-REQ-F7 | REQUIRED | Logs MUST be automatically exported to a different physical machine than the one that generated them. | |
CON-LOG-REQ-F2 | REQUIRED | It is recommended that no processing be performed on the logs before they are transferred (no classification; it is not the role of an application to define the categories of an event). Note: this needs to be converted into a requirement. | |
CON-LOG-REQ-F5 | RECOMMENDED | The container application SHOULD adopt a tree structure for the storage of event logs. | |
CON-LOG-REQ-14 | REQUIRED | The container MUST protect all security audit logs by standard operating system access control mechanisms, by sending to a remote system, or by encryption. | |
CON-LOG-REQ-F4 CON-LOG-REQ-F10 | REQUIRED | Write access to logs MUST be restricted to a limited number of accounts with a need to know. | |
CON-LOG-REQ-21 | RECOMMENDED | The container SHOULD provide the capability of maintaining the integrity of its static files using a cryptographic method. (Fabian) Propose to remove because this is a hardening requirement, not a logging requirement. (Bob) Instead of removing, this is now in the Best Practices category and we can make it a recommendation. | |
CON-LOG-REQ-12 CON-LOG-REQ-XX | REQUIRED | The container and container application MUST NOT include an authentication credential, e.g. a password, in the security audit logs, even if encrypted. The container and container application MUST NOT include sensitive information in the logs. | |
CON-LOG-REQ-17 | REQUIRED | The container MUST generate security audit logs that can be sent to Security Analytics Tools for analysis. | |
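
As an added example (not part of the proposed requirements or any reference implementation), the following Python sketch shows how a container application could meet CON-LOG-REQ-19, CON-LOG-REQ-20, CON-LOG-REQ-F6, CON-LOG-REQ-F2 and CON-LOG-REQ-12 together: each event is enriched with a UTC timestamp and context fields, credential values are redacted before the record exists, and the record is written unclassified as one JSON line to STDOUT. The field names, the sensitive-key list and the sample event are assumptions for illustration.

```python
import json
import sys
from datetime import datetime, timezone

# Keys whose values must never reach the security log (CON-LOG-REQ-12).
# This list is an assumption for the example; extend it per application.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization", "api_key"}
REDACTED = "[REDACTED]"


def redact(value):
    """Recursively replace the values of sensitive keys. The value is dropped
    even if already encrypted or hashed, because CON-LOG-REQ-12 forbids the
    credential from appearing in the log in any form."""
    if isinstance(value, dict):
        return {k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def build_record(event, source_ip, user, function, outcome, detail=None):
    """Build one enriched security event (CON-LOG-REQ-F6) stamped in UTC
    (CON-LOG-REQ-19). Returned as a dict so it can be inspected before emission."""
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="milliseconds"),
        "event": event,
        "source_ip": source_ip,
        "user": user,
        "function": function,
        "outcome": outcome,
        "detail": detail or {},
    }
    return redact(record)


def emit(record, stream=sys.stdout):
    """Write the record as one JSON line to STDOUT (CON-LOG-REQ-20). No filtering
    or classification happens here (CON-LOG-REQ-F2); the collector does that."""
    line = json.dumps(record, sort_keys=True)
    stream.write(line + "\n")
    stream.flush()
    return line


if __name__ == "__main__":
    # Constructed sample event: a failed login whose detail carries a password
    # field that must not reach the log.
    rec = build_record("auth.login", "203.0.113.7", "alice", "login", "failure",
                       {"reason": "bad_password", "password": "hunter2"})
    emit(rec)
```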