System logs must not allow modifications or alterations.
Logs are used to analyze a system’s behavior. They help detect errors and suspicious activity, and often hold very sensitive information. Therefore, they should be protected so that no unauthorized actor can modify them, since this could prevent a vulnerability or a breach from being noticed in a timely manner.
CAPEC-161: Infrastructure Manipulation: An attacker exploits characteristics of the infrastructure of a network entity in order to perpetrate attacks or information gathering on network objects or effect a change in the ordinary information flow between network objects.
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-285: Improper Authorization: The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
ISO 27001:2013. Annex A - 12.4.2: Protect log facilities and information against unauthorized access and modification.
OWASP Top 10 A5:2017-Broken Access Control: Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc.
OWASP-ASVS v4.0.1 V7.3 Log Protection Requirements.(7.3.3): Verify that security logs are protected from unauthorized access and modification.
PCI DSS v3.2.1 - Requirement 6.5.8: Address common coding vulnerabilities in software-development processes including improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).
PCI DSS v3.2.1 - Requirement 10.5.2: Protect audit trail files from unauthorized modifications.
PCI DSS v3.2.1 - Requirement 10.5.3: Promptly back up audit trail files to a centralized log server or media that is difficult to alter.