Prevent log modification

Summary

System logs must not allow modifications or alterations.

Description

Logs are used to analyze a system's behavior. They help detect errors and suspicious activity, and often hold very sensitive information. Therefore, they should be protected so that no unauthorized actor can modify them, since this could prevent a vulnerability or a breach from being noticed in a timely manner.

Supported In

This requirement is verified in following services

Plan	Supported
Machine	🟢
Squad	🟢

References

• CAPEC™-161. Infrastructure manipulation
• OWASP TOP 10-A1. Broken access control
• NIST Framework-PR_PT-1. Audit/log records are determined, documented, implemented and reviewed in accordance with policy
• NIST Framework-DE_AE-2. Detected events are analyzed to understand attack targets and methods
• CERT-J-IDS03-J. Do not log unsanitized user input
• PA-DSS-5_2_8. Improper access controls
• CMMC-AC_L2-3_1_7. Privileged functions
• CMMC-AU_L2-3_3_8. Audit protection
• HITRUST CSF-06_c. Protection of organizational records
• HITRUST CSF-09_ab. Monitoring system use
• HITRUST CSF-09_ac. Protection of log information
• FedRAMP-AU-12_3. Audit regeneration - Changes by authorized individuals
• FedRAMP-CA-7. Continuous monitoring
• ISO/IEC 27002-5_33. Protection of records
• ISO/IEC 27002-8_15. Logging
• ISA/IEC 62443-SI-3_9. Protection of audit information
• OSSTMM3-11_17_2. Data networks security (alert and log review) - Storage and retrieval
• ISSAF-H_14_7. Network security - Intrusion detection (detection engine)
• ISSAF-S_5_4. Web server security - Countermeasures (enable logging and do periodic analysis)
• PTES-7_4_2_12. Post exploitation - Pillaging (monitoring and management)
• BSAFSS-LO_2-2. Implement securely logging mechanisms
• NIST 800-171-3_8. Protect audit information and audit logging tools from unauthorized access, modification, and deletion
• OWASP ASVS-7_3_3. Log protection
• PCI DSS-10_3_2. Audit logs are protected from destruction and unauthorized modifications
• SIG Lite-SL_85. Operating system and application logs relevant to supporting incident investigation protected against modification, deletion, and/or inappropriate access?
• SIG Core-M_1_14. End user device security
• SIG Core-U_1_4_2. Server security
• SIG Core-U_1_9_9. Server security
• OWASP ASVS-7_3_1. Log protection
• ISO/IEC 27001-5_33. Protection of records
• ISO/IEC 27001-8_15. Logging
• CASA-7_3_1. Log Protection
• CASA-7_3_3. Log Protection
• Resolution SB 2021 2126-Art_26_11_g. Information Security

Vulnerabilities

• 091. Log injection
• 394. Insufficient data authenticity validation - Cloudtrail Logs

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.