Security Control 14:
Maintenance, Monitoring, and Analysis of Security Audit Logs

Use detailed logs to identify and reconstruct an attack, including its location, the malicious software deployed, and activity on victim machines. Generate standardized logs for each hardware device and the software installed on it, including date, timestamp, source addresses, destination addresses, and other information about each packet and/or transaction. Store logs on dedicated servers, and run biweekly reports to identify and document anomalies.

Key: REQ = Required, REC = Recommended, OPT = Optional

ID | Details | High | Med | Low

14.1

Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction.

Additional details:

Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into that format.

High: REQ | Med: REQ | Low: REC
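The normalization step 14.1 asks for can be made concrete with a small parser. The following is an added example written for this page, not code from the control or from any normalization product: it maps RFC 3164 (BSD) and RFC 5424 syslog lines onto one flat record carrying the fields the control names (timestamp, host, program, source and destination address) and counts lines it cannot classify so gaps in coverage stay visible. The sample lines, the 2024 year assumed for BSD timestamps (which carry no year), and the `SRC=`/`DST=` and `from <addr>` conventions used to pull addresses out of the message body are all assumptions.

```python
"""Normalize heterogeneous log lines into one record schema (control 14.1).

Added example; not part of the original control text. Handles RFC 3164 and
RFC 5424 syslog framing and extracts addresses from netfilter-style
"SRC=/DST=" fields and sshd-style "from A.B.C.D" phrases.
"""
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample lines (not captured from any real system).
SAMPLE_LINES = [
    # RFC 3164 / BSD format, as produced by a traditional syslogd
    "Mar  7 13:45:02 fw01 kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=44321 DPT=22",
    # RFC 5424 format (version "1" after the priority, full ISO-8601 timestamp)
    "<34>1 2024-03-07T13:45:03.123Z app01 sshd 1187 - - Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2",
    # A line the parser cannot classify; it must be counted, not silently dropped
    "garbage that matches nothing",
]

RFC3164 = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<prog>\S+) (?P<pid>\S+) \S+ \S+ (?P<msg>.*)$"
)
KV_ADDR = re.compile(r"\b(SRC|DST)=(\d{1,3}(?:\.\d{1,3}){3})")   # firewall key=value fields
FROM_ADDR = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")   # sshd-style phrase


def parse_timestamp(raw: str, assumed_year: int = 2024) -> str:
    """Return an ISO-8601 UTC timestamp.

    BSD syslog omits the year, so one is assumed (a real collector would take
    it from the receive time). RFC 5424 timestamps are complete.
    """
    if raw[0].isdigit():
        dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    else:
        dt = datetime.strptime(f"{assumed_year} {raw}", "%Y %b %d %H:%M:%S")
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).isoformat()


def normalize(line: str) -> Optional[dict]:
    """Map one raw line onto the common schema; None if the line is unrecognised."""
    m = RFC5424.match(line) or RFC3164.match(line)
    if m is None:
        return None
    msg = m.group("msg")
    addrs = {k.lower(): v for k, v in KV_ADDR.findall(msg)}
    src = addrs.get("src")
    if src is None:
        hit = FROM_ADDR.search(msg)
        src = hit.group(1) if hit else None
    return {
        "timestamp": parse_timestamp(m.group("ts")),
        "host": m.group("host"),
        "program": m.group("prog").strip(),
        "src": src,
        "dst": addrs.get("dst"),
        "message": msg,
    }


def normalize_all(lines):
    """Normalize every line; return (records, number_rejected)."""
    records, rejected = [], 0
    for line in lines:
        rec = normalize(line)
        if rec is None:
            rejected += 1
        else:
            records.append(rec)
    return records, rejected


if __name__ == "__main__":
    recs, bad = normalize_all(SAMPLE_LINES)
    for r in recs:
        print(r)
    print(f"{bad} line(s) could not be normalized")
```

The rejected count is the part worth keeping an eye on in production: a sudden rise in unparseable lines usually means a device changed its log format, and every such line is an event the later anomaly review will never see.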

14.2

Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis.

High: REQ | Med: REQ | Low: REC
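Both halves of 14.2 can be checked mechanically. The block below is an added example written for this page, not code from the control: it projects how many days the log volume lasts at the observed growth rate and whether that clears the rotation interval with headroom, and it builds and verifies an integrity manifest over an archive directory (a SHA-256 digest per file, with the listing authenticated by HMAC-SHA256). The control says "digitally signed"; the HMAC stands in for an asymmetric signature so the example runs on the standard library alone, and that substitution, the two-interval headroom factor, the demo key and the sample archive files are all assumptions.

```python
"""Capacity projection and archive-integrity manifest for a log server (control 14.2).

Added example; not part of the original control text. A keyed MAC (HMAC-SHA256)
is used in place of the digital signature the control calls for, so that the
block runs with the standard library only; a deployment would use an asymmetric
signature or a key-management service instead.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def days_until_full(free_bytes: int, bytes_per_day: int) -> float:
    """Days before the volume fills at the current write rate (inf if no growth)."""
    if bytes_per_day <= 0:
        return float("inf")
    return free_bytes / bytes_per_day


def rotation_is_safe(free_bytes: int, bytes_per_day: int, rotation_days: int,
                     headroom: float = 2.0) -> bool:
    """True when the volume can absorb `headroom` rotation intervals of growth.

    The headroom factor is an assumption: it leaves room for a missed rotation.
    """
    return days_until_full(free_bytes, bytes_per_day) >= rotation_days * headroom


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _encode(files: dict) -> bytes:
    # Canonical encoding: the tag must not depend on dict order or whitespace.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(archive_dir: Path, key: bytes) -> dict:
    """Hash every regular file in the archive and tag the listing with HMAC-SHA256."""
    files = {p.name: sha256_file(p) for p in sorted(archive_dir.iterdir()) if p.is_file()}
    tag = hmac.new(key, _encode(files), hashlib.sha256).hexdigest()
    return {"files": files, "hmac_sha256": tag}


def verify_manifest(archive_dir: Path, manifest: dict, key: bytes) -> list:
    """Return a list of problems: a bad tag, or files changed or missing since archiving."""
    problems = []
    expected = hmac.new(key, _encode(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac_sha256"]):
        problems.append("manifest tag mismatch")
    for name, digest in manifest["files"].items():
        p = archive_dir / name
        if not p.is_file():
            problems.append(f"missing: {name}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {name}")
    return problems


def demo() -> tuple:
    """Archive two constructed files, tag them, edit one, and report what verification finds."""
    key = b"constructed-demo-key-do-not-reuse"   # assumption: stands in for a managed key
    with tempfile.TemporaryDirectory() as d:
        archive = Path(d)
        (archive / "auth.log.1.gz").write_bytes(b"constructed archived log bytes\n")
        (archive / "kern.log.1.gz").write_bytes(b"more constructed bytes\n")
        manifest = build_manifest(archive, key)
        clean = verify_manifest(archive, manifest, key)
        (archive / "auth.log.1.gz").write_bytes(b"tampered\n")   # simulate a post-archive edit
        tampered = verify_manifest(archive, manifest, key)
    return clean, tampered


if __name__ == "__main__":
    print("30-day rotation on 200 GB free at 5 GB/day safe:",
          rotation_is_safe(200 * 10**9, 5 * 10**9, 30))
    print("verification before/after tampering:", demo())
```

The manifest only proves something if the key (or, in a real deployment, the signing key) is not available to whoever can write to the archive; the point of 14.2's signing requirement is that a later modification of archived logs is detectable, which the `demo()` run shows.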

14.3

All remote access to a network, whether to the DMZ or the internal network (e.g., VPN, dial-up, or another mechanism), should be logged verbosely.

High: REQ | Med: REQ | Low: REC

14.4

Operating systems should be configured to log access control events associated with a user attempting to access a resource (e.g., a file or directory) without the appropriate permissions. Failed log-on attempts must also be logged.

High: REQ | Med: REQ | Low: REC

14.5

System administrators should run reports weekly that identify anomalies in logs. They should then actively review the anomalies, documenting their findings.

High: REQ | Med: REQ | Low: REC
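Controls 14.4 and 14.5 together describe what the logged access-control events are for: a periodic report that surfaces anomalies for a human to review and document. The block below is an added example written for this page, not code from the control, covering both. It runs over constructed sample lines (a Linux `auth.log` style sshd and sudo stream plus two audit records) and flags failed-logon bursts per source address, sudo requests refused by policy, and permission denials (`success=no exit=-13`, i.e. EACCES) per audit user id. The log lines, the message patterns matched, and the burst threshold of five are all assumptions and would be tuned to the environment.

```python
"""Weekly anomaly report over authentication and access-control logs (controls 14.4, 14.5).

Added example; not part of the original control text. Input is a constructed
auth.log-style stream plus audit(8)-style records; output is a structured list
of findings and a plain-text rendering an administrator can file with their notes.
"""
import re
from collections import Counter, defaultdict

FAILED_LOGON_THRESHOLD = 5   # assumption: tune per environment

# Constructed sample (not captured from any real system).
SAMPLE_LOG = """\
Mar  7 02:13:01 app01 sshd[1187]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Mar  7 02:13:03 app01 sshd[1189]: Failed password for invalid user admin from 203.0.113.10 port 51236 ssh2
Mar  7 02:13:05 app01 sshd[1191]: Failed password for root from 203.0.113.10 port 51238 ssh2
Mar  7 02:13:07 app01 sshd[1193]: Failed password for root from 203.0.113.10 port 51240 ssh2
Mar  7 02:13:09 app01 sshd[1195]: Failed password for invalid user test from 203.0.113.10 port 51242 ssh2
Mar  7 02:13:11 app01 sshd[1197]: Failed password for invalid user oracle from 203.0.113.10 port 51244 ssh2
Mar  7 08:55:12 app01 sshd[2001]: Failed password for alice from 192.0.2.25 port 40100 ssh2
Mar  7 08:55:20 app01 sshd[2003]: Accepted publickey for alice from 192.0.2.25 port 40102 ssh2
Mar  7 09:02:10 app01 sudo:    alice : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
type=SYSCALL msg=audit(1709802130.123:456): arch=c000003e syscall=257 success=no exit=-13 auid=1001 uid=1001 exe="/usr/bin/cat" key="sensitive-files"
type=SYSCALL msg=audit(1709802135.456:457): arch=c000003e syscall=257 success=no exit=-13 auid=1001 uid=1001 exe="/usr/bin/less" key="sensitive-files"
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_DENY = re.compile(r"sudo:\s+(?P<user>\S+) : (?:command not allowed|user NOT in sudoers)")
AUDIT_DENY = re.compile(r"type=SYSCALL .*success=no exit=-13 .*?\bauid=(?P<auid>\d+)")


def analyze(log_text: str) -> dict:
    """Tally the events 14.4 asks to be logged and turn the tallies into findings."""
    failed_by_src = Counter()
    users_by_src = defaultdict(set)
    sudo_denials = Counter()
    access_denials = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failed_by_src[m["src"]] += 1
            users_by_src[m["src"]].add(m["user"])
            continue
        m = SUDO_DENY.search(line)
        if m:
            sudo_denials[m["user"]] += 1
            continue
        m = AUDIT_DENY.search(line)
        if m:
            access_denials[m["auid"]] += 1

    findings = []
    for src, n in failed_by_src.most_common():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append({"type": "failed_logon_burst", "source": src, "count": n,
                             "users_tried": sorted(users_by_src[src])})
    for user, n in sudo_denials.items():
        findings.append({"type": "sudo_denied", "user": user, "count": n})
    for auid, n in access_denials.items():
        findings.append({"type": "access_denied", "auid": auid, "count": n})
    return {"failed_by_source": dict(failed_by_src), "findings": findings}


def render(report: dict) -> str:
    """Plain-text version of the report for the reviewer's written record."""
    lines = ["Weekly log anomaly report", "=" * 25]
    if not report["findings"]:
        lines.append("No anomalies above threshold.")
    for f in report["findings"]:
        detail = {k: v for k, v in f.items() if k != "type"}
        lines.append(f"- {f['type']}: " + ", ".join(f"{k}={v}" for k, v in detail.items()))
    lines.append("")
    lines.append("Reviewer notes: ____________________________")   # to be filled in by hand
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(analyze(SAMPLE_LOG)))
```

Note that the single failed password for `alice` from 192.0.2.25, followed by a successful key-based logon, stays below threshold and does not appear in the findings; the report is meant to shrink the volume an administrator has to read, while the full log remains available for the review the control requires.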

14.6

Include at least two synchronized time sources (e.g., Network Time Protocol, NTP) from which all servers and network equipment retrieve time information on a regular basis, so that timestamps in logs are consistent.

High: REQ | Med: REQ | Low: REC

14.7

Network boundary devices, including firewalls, network-based IPS, and inbound and outbound proxies, should be configured to verbosely log all traffic (both allowed and blocked) arriving at the device.

High: REQ | Med: REQ | Low: REC

14.8

For all servers, ensure that logs are written to write-once devices or dedicated logging servers running on separate machines from hosts generating the event logs.

High: REQ | Med: REQ | Low: REC

Additional Reading