SB.10.004 Logging events
Events potentially relevant to the security of systems are logged in a central logging system (different from the originating system) with timestamps synchronised to official timeservers in UTC.
Logs are protected from modification.
Logs are reviewed periodically.
Logs contain at least:
- A timestamp
- User ID
- The originating system of the log
- The activity performed
- Changes in configurations
Logging data retention is 6 months for security incident handling. Logging retention for the purpose of normal operational activities is 2 months maximum.
NTP or NT5DS is used to synchronise computer clocks to a central timeserver that is itself slaved to a GPS receiver or another time source traceable to the international UTC time standard.
Log timestamps are either in the local time zone (with correct daylight-saving-time handling) or in ISO 8601 notation, so that log entries can be correlated with other logs.
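The following is an added example, not part of the baseline text: a small checker that tests a log record against the requirements above (required fields, an ISO 8601 timestamp with an explicit offset, origin other than the log server) and computes the retention deadline for the two purposes named (6 months for incident handling, 2 months for operational use). The field names `timestamp`, `user_id`, `origin_host`, `activity` and `config_change`, the host names and the sample records are assumptions constructed for the example.

```python
"""Added example (not part of the baseline): check a log record against the
logging requirements and compute its retention deadline.

Field names, host names and the sample records below are assumptions
constructed for this example; adapt them to the schema your collector uses."""
from __future__ import annotations

import calendar
import json
from datetime import datetime, timezone

# Fields every record must carry (config_change is only present for configuration events).
REQUIRED_FIELDS = ("timestamp", "user_id", "origin_host", "activity")

# Retention periods from the baseline, in calendar months.
RETENTION_MONTHS = {"security_incident": 6, "operational": 2}


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO 8601 timestamp and require an explicit UTC offset.

    A naive timestamp (no offset) cannot be correlated reliably with logs from
    other systems, so it is rejected rather than guessed at.
    """
    # 'Z' is only accepted natively by fromisoformat from Python 3.11 onwards.
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("timestamp has no time zone offset")
    return ts.astimezone(timezone.utc)


def validate_record(record: dict, collector_host: str) -> list[str]:
    """Return the baseline violations for one record (empty list = compliant)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not record.get(field):
            problems.append(f"missing field: {field}")
    if record.get("timestamp"):
        try:
            parse_timestamp(record["timestamp"])
        except ValueError as exc:
            problems.append(f"bad timestamp: {exc}")
    # Logs must come from a system other than the central log server itself.
    if record.get("origin_host") == collector_host:
        problems.append("record originates from the log server itself")
    return problems


def add_months(ts: datetime, months: int) -> datetime:
    """Add calendar months, clamping the day to the target month's length."""
    month_index = ts.month - 1 + months
    year = ts.year + month_index // 12
    month = month_index % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def purge_after(record: dict, purpose: str) -> str:
    """ISO 8601 (UTC) instant after which the record may be deleted for the given purpose."""
    deadline = add_months(parse_timestamp(record["timestamp"]), RETENTION_MONTHS[purpose])
    return deadline.isoformat()


def is_expired(record: dict, purpose: str, now_iso: str) -> bool:
    """True when the record is past its retention period at the instant now_iso."""
    return parse_timestamp(now_iso) >= parse_timestamp(purge_after(record, purpose))


# Constructed sample records, as JSON lines a collector might receive.
SAMPLE_LINES = [
    '{"timestamp": "2024-01-15T10:00:00Z", "user_id": "jdoe", "origin_host": "web01", '
    '"activity": "sudo", "config_change": null}',
    '{"timestamp": "2024-01-15 11:00:00", "origin_host": "web02", "activity": "sshd login"}',
    '{"timestamp": "2024-01-15T11:05:00+00:00", "user_id": "root", "origin_host": "logsrv01", '
    '"activity": "logrotate run"}',
]
GOOD, NAIVE, SELF_ORIGIN = (json.loads(line) for line in SAMPLE_LINES)

if __name__ == "__main__":
    for rec in (GOOD, NAIVE, SELF_ORIGIN):
        print(rec["origin_host"], validate_record(rec, "logsrv01") or "ok")
    print("purge after (incident handling):", purge_after(GOOD, "security_incident"))
    print("purge after (operational):", purge_after(GOOD, "operational"))
```

Retention is computed in calendar months rather than a fixed number of days, with the day clamped at month end, so a record written on 31 December gets an operational deadline of 28 February (or 29 in a leap year) rather than an invalid date.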
Logs are ‘read-only’ by default.
Permissions on log files can only be changed by privileged users.
The privileged users of the log file server(s) cannot be the same users as the system the logs are originally from.
On Linux systems, log files carry the append-only file attribute. To limit removal of that attribute, the CAP_LINUX_IMMUTABLE capability (which is required to clear it) must not be granted to the processes that handle the log file; only the log-rotate account is allowed to have this capability. Access to the log-rotate account should be limited to privileged users only.
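As an added example (not part of the baseline), the following audit script checks the two Linux controls just described: it reads `lsattr` output to find log files that lack the append-only attribute, and reads `getcap -r /` output to find binaries that hold `cap_linux_immutable` without being on the allow-list. The sample command output, the paths in it and the allow-list entry `/usr/sbin/logrotate` are constructed assumptions for the example; on a real host the live output of the two commands is used instead.

```python
"""Added example (not part of the baseline): audit log files for the append-only
attribute and find which binaries hold CAP_LINUX_IMMUTABLE.

The sample lsattr/getcap output, the paths and the allow-list below are
constructed for this example; replace them with the live output of
`lsattr /var/log/*` and `getcap -r / 2>/dev/null` on a real host."""
from __future__ import annotations

import subprocess

# Constructed sample of `lsattr` output: attribute flags, then the path.
# A lowercase 'a' in the flags means the append-only attribute (chattr +a) is set.
LSATTR_SAMPLE = """\
-----a--------e------- /var/log/auth.log
--------------e------- /var/log/syslog
-----a--------e------- /var/log/kern.log
"""

# Constructed sample of `getcap -r /` output. Newer libcap prints "path cap=flags",
# older versions print "path = cap+flags"; the parser accepts both.
GETCAP_SAMPLE = """\
/usr/sbin/logrotate cap_linux_immutable=ep
/usr/bin/ping cap_net_raw=ep
/opt/agent/bin/shipper = cap_linux_immutable+ep
"""

# Assumption: only the log-rotate binary may carry the capability.
ALLOWED_IMMUTABLE_HOLDERS = {"/usr/sbin/logrotate"}


def parse_lsattr(output: str) -> dict[str, str]:
    """Map each path in lsattr output to its flag string."""
    flags = {}
    for line in output.splitlines():
        parts = line.split(None, 1)  # flags, then the path (which may contain spaces)
        if len(parts) == 2:
            flags[parts[1]] = parts[0]
    return flags


def logs_missing_append_only(output: str) -> list[str]:
    """Paths whose flags lack 'a': these files can be truncated or edited in place."""
    return sorted(path for path, fl in parse_lsattr(output).items() if "a" not in fl)


def unexpected_immutable_holders(output: str, allowed: set[str]) -> list[str]:
    """Binaries with cap_linux_immutable in getcap output that are not on the allow-list."""
    holders = []
    for line in output.splitlines():
        if "cap_linux_immutable" in line:
            path = line.split()[0]  # the path is the first token in both getcap formats
            if path not in allowed:
                holders.append(path)
    return sorted(holders)


def live_output(cmd: list[str]) -> str:
    """Run lsattr or getcap on the real host (not used by the offline sample run)."""
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    print("log files without append-only:", logs_missing_append_only(LSATTR_SAMPLE))
    print("unexpected CAP_LINUX_IMMUTABLE holders:",
          unexpected_immutable_holders(GETCAP_SAMPLE, ALLOWED_IMMUTABLE_HOLDERS))
```

On the sample data the audit reports `/var/log/syslog` as lacking the attribute and `/opt/agent/bin/shipper` as an unexpected capability holder. Note that the attribute only restricts writes; the writer must still open the file with O_APPEND, and the check is case-sensitive because an uppercase `A` in lsattr output means "no atime update", not append-only.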
On Windows systems, the default protections of the Windows event log format should be in place. This means: Windows event logging is turned on and logs the relevant events. The Windows event log does not allow the logs to be cleared without an event being written that records that they were cleared. Access to this ability is limited to administrator-level accounts only.