Record exceptional events in logs
Summary
The system must register all exceptional and security events in logs.
Description
The organization must properly record exceptional and security events in duly protected logs (confidentiality). An event of this type must not expose confidential or detailed information about the problem in error messages, since an attacker or malicious user could use that information. Recording the event allows error pages to display simple, generic messages that alert end users that an error has occurred, with some option to contact support, while the details needed to address the problem are kept securely in a previously defined log storage. When an event of this type is not properly recorded, malicious behavior can prove difficult to detect, or forensic analysis can be obstructed if an attack succeeds.
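As an added illustration (not Fluid Attacks' own code), a Python failure handler that applies the pattern above: the full exception, stack and request context go to a protected log with a correlation id, secrets are redacted before logging, and the client receives only a generic message plus the reference id. The in-memory PROTECTED_LOG list and the REDACTED_KEYS set are assumptions standing in for real log storage and a real redaction policy.

```python
import json
import traceback
import uuid
from datetime import datetime, timezone

# Constructed stand-in for the protected log storage. In production this
# would be an append-only file or SIEM with restricted read access, not a
# structure the web tier can rewrite.
PROTECTED_LOG: list = []

# Request fields whose values must never be copied verbatim into a log entry
# (assumed policy; extend it for the application's own secrets).
REDACTED_KEYS = {"password", "token", "authorization", "card_number"}

GENERIC_MESSAGE = "An internal error occurred. Please contact support."


def redact(fields: dict) -> dict:
    """Drop secret values before they reach the log (log confidentiality)."""
    return {k: ("[REDACTED]" if k.lower() in REDACTED_KEYS else v)
            for k, v in fields.items()}


def record_exception(exc: BaseException, *, user_id: str, path: str,
                     request_fields: dict) -> dict:
    """Write the full exceptional event to the protected log and return it."""
    stack = traceback.format_exception(type(exc), exc, exc.__traceback__)
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "incident_id": str(uuid.uuid4()),  # correlation id for support lookup
        "event": "unhandled_exception",
        "user_id": user_id,
        "path": path,
        "exception_type": type(exc).__name__,
        "detail": str(exc),
        "stack": "".join(stack),
        "request": redact(request_fields),
    }
    PROTECTED_LOG.append(json.dumps(entry))
    return entry


def client_error_response(entry: dict) -> dict:
    """What the end user sees: a generic message plus the reference id only."""
    return {"status": 500, "message": GENERIC_MESSAGE,
            "reference": entry["incident_id"]}


def handle_failure(exc: BaseException, **ctx) -> dict:
    """Log privately, respond generically: the pattern the requirement describes."""
    return client_error_response(record_exception(exc, **ctx))


def last_logged_entry() -> dict:
    """Decode the most recent stored entry (used by support or forensic review)."""
    return json.loads(PROTECTED_LOG[-1])
```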
Supported In
This requirement is verified in the following services:

| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CIS-8_2. Collect audit logs
- CIS-8_5. Collect detailed audit logs
- CWE™-390. Detection of error condition without action
- CWE™-221. Information loss or omission
- CWE™-778. Insufficient logging
- GDPR-33_5. Notification of a personal data breach to the supervisory authority
- HIPAA-164_312_b. Standard: audit controls
- NERC CIP-007-6_R4_1. Security event monitoring
- OWASP TOP 10-A9. Security logging and monitoring failures
- NIST Framework-DE_AE-5. Incident alert thresholds are established
- NYDFS-500_14. Training and monitoring
- MITRE ATT&CK®-M1029. Remote data storage
- PA-DSS-4_2_2. Actions taken by any individual with root or administrative privileges
- PA-DSS-4_2_4. Invalid logical access attempts
- PA-DSS-4_2_5. Changes to the application's identification and authentication mechanisms with root or administrative privileges
- PA-DSS-4_2_6. Initialization, stopping, or pausing of the application audit logs
- PA-DSS-4_2_7. Creation and deletion of system-level objects
- CMMC-AU_L2-3_3_1. System audit
- CMMC-AU_L2-3_3_2. User accountability
- CMMC-AU_L2-3_3_3. Event review
- CMMC-PE_L1-3_10_4. Physical access logs
- CMMC-CA_L2-3_12_3. Security control monitoring
- CMMC-SC_L2-3_13_4. Shared resource control
- CMMC-SI_L2-3_14_3. Security alerts & advisories
- CMMC-SI_L2-3_14_7. Identify unauthorized use
- HITRUST CSF-03_a. Risk management program development
- HITRUST CSF-06_c. Protection of organizational records
- HITRUST CSF-09_aa. Audit logging
- HITRUST CSF-09_ad. Administrator and operator logs
- HITRUST CSF-13_s. Privacy monitoring and auditing
- FedRAMP-CA-7. Continuous monitoring
- FedRAMP-SI-5. Security alerts, advisories, and directives
- ISO/IEC 27002-8_16. Monitoring activities
- ISA/IEC 62443-UC-2_8. Auditable events
- OSSTMM3-9_17_2. Wireless security (alert and log review) - Storage and retrieval
- OSSTMM3-10_3_1. Telecommunications security (active detection verification) - Monitoring
- ISSAF-H_14_7. Network security - Intrusion detection (detection engine)
- ISSAF-H_16_5. Network security - Intrusion detection (logging systems)
- ISSAF-S_5_4. Web server security - Countermeasures (enable logging and do periodic analysis)
- MVSP-2_7. Application design controls - Logging
- OWASP SCP-7. Error handling and logging
- BSAFSS-LO_1-2. Logging of all critical security incident and event information
- BSAFSS-EE_1-3. Error and exception handling capabilities
- NIST 800-171-3_6. Provide audit record reduction
- NIST 800-171-4_3. Track, review and log changes to organizational systems
- NIST 800-115-3_2. Log review
- SWIFT CSCF-6_4. Logging and monitoring
- OWASP SAMM-OE_1. Enable communications for critical security-relevant data
- OWASP ASVS-7_1_3. Log content
- OWASP ASVS-7_4_1. Error handling
- C2M2-1_4_i. Manage changes to IT and OT assets
- C2M2-4_2_i. Control logical access
- C2M2-5_2_e. Perform monitoring
- C2M2-6_1_f. Detect cybersecurity events
- PCI DSS-5_3_4. Enable audit logs for the anti-malware solution
- PCI DSS-10_2_1. Audit logs are enabled and active for all system components
- PCI DSS-10_2_1_4. Audit logs are enabled and active for all system components
- SIG Lite-SL_85. Operating system and application logs relevant to supporting incident investigation protected against modification, deletion, and/or inappropriate access?
- SIG Core-H_2_11. Access control
- SIG Core-H_2_12. Access control
- SIG Core-I_1_9. Application security
- SIG Core-L_11_1. Compliance
- SIG Core-M_1_10. End user device security
- SIG Core-M_1_14. End user device security
- SIG Core-U_1_4. Server security
- OWASP ASVS-7_2_2. Log processing
- OWASP ASVS-7_4_2. Error handling
- OWASP ASVS-8_1_4. General data protection
- OWASP API Security Top 10-API10. Insufficient Logging & Monitoring
- ISO/IEC 27001-8_16. Monitoring activities
- CASA-7_1_3. Log Content
- CASA-9_2_5. Server Communication Security
- Resolution SB 2021 2126-Art_27_18. Security in Electronic Channels
Vulnerabilities
- 064. Traceability loss - Server's clock
- 200. Traceability loss
- 400. Traceability Loss - AWS
- 402. Traceability Loss - Azure
- 408. Traceability Loss - API Gateway
- 419. Traceability Loss - Kubernetes