The system must log the exact time of occurrence (date, hour, minutes, seconds, milliseconds and time zone) for each exceptional and security event.
Event logs must contain the exact time of occurrence so that the sequence of events can be reconstructed during an investigation.
- Once all the events to be logged are defined, the system must be configured so that these logs contain the date, hour, seconds, milliseconds and time zone of the event occurrence.
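As an added example (not part of the original requirement text), a Python logging formatter that renders each record's time in UTC with millisecond precision and an explicit zone offset, plus a hypothetical checker that flags log lines whose timestamp lacks either detail; the helper names and the sample event are assumptions made for the illustration.

```python
import logging
import re
from datetime import datetime, timezone

# Added example: timestamps of the form 2024-03-01T12:34:56.789+00:00
# carry date, hour, seconds, milliseconds and time zone, as the requirement asks.


class PreciseUtcFormatter(logging.Formatter):
    """Render record.created in UTC with millisecond precision and a zone offset."""

    def formatTime(self, record, datefmt=None):
        # record.created is a POSIX timestamp set by the logging module.
        ts = datetime.fromtimestamp(record.created, tz=timezone.utc)
        return ts.isoformat(timespec="milliseconds")


def format_security_event(message, created=None, level=logging.WARNING):
    """Return one formatted log line for a security event (hypothetical helper).

    `created` lets callers pin the event time for testing; normally the
    logging module fills it in when the record is created.
    """
    record = logging.LogRecord("security", level, "app", 0, message, None, None)
    if created is not None:
        record.created = created
    fmt = PreciseUtcFormatter("%(asctime)s %(levelname)s %(name)s %(message)s")
    return fmt.format(record)


# A complete timestamp: date, time, at least three fractional digits and a zone
# designator (Z or +hh:mm / -hh:mm) at the start of the line.
TS_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3,}(Z|[+-]\d{2}:\d{2})\b"
)


def timestamp_is_complete(line):
    """True when the line starts with a timestamp carrying ms and a time zone."""
    return TS_RE.match(line) is not None
```

`timestamp_is_complete` can be run over an existing log file to find sources whose records would not satisfy the requirement before an incident forces the question.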
In a security incident scenario, event time and duration cannot be clearly identified due to the lack of detail in log records.
Layer: Application layer
Type of control: Procedure
CIS Controls 6.3 Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
CWE-778: Insufficient Logging: When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it.
OWASP Top 10 A10:2017-Insufficient Logging & Monitoring: Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.
OWASP-ASVS v4.0.1 V1.7 Errors, Logging and Auditing Architectural Requirements (1.7.1): Verify that a common logging format and approach is used across the system.
OWASP-ASVS v4.0.1 V7.1 Log Content Requirements (7.1.4): Verify that each log event includes necessary information that would allow for a detailed investigation of the timeline when an event happens.
OWASP-ASVS v4.0.1 V7.3 Log Protection Requirements (7.3.4): Verify that time sources are synchronized to the correct time and time zone. Strongly consider logging only in UTC if systems are global to assist with post-incident forensic analysis.
PCI DSS v3.2.1 - Requirement 10.3: Record at least the following audit trail entries for all system components for each event: user identification, type of event, date and time, success or failure indication, origination of event, and identity or name of affected data, system component, or resource.