Purpose

System logs are essential for identifying, monitoring for, responding to, and preventing operational problems, security incidents, policy violation and fraudulent activity. 

Supporting Policy

System Logging Policy

Log Details

Audit logs must contain at least the following information, where available:

1. Date and time of activity
2. Origin of activity (e.g., source IP address, location, terminal ID or other means of identification)
3. User or entity performing activity
4. Description of attempted or completed activity
5. Success or failure of attempted activity

Log Retention

Certain audit logs may be required to be archived as part of the record retention procedures or because of requirements to collect evidence.  Audit logs must be retained in accordance with the System Logging Standard. 

As an information source that keeps track of important transactions, audit logs are also a prime target for attackers who are keen to hide their activities to maximize opportunities to compromise targeted data.  To prevent attackers from hiding their activities, resource proprietors and custodians must configure strong access control around audit logs to limit the number of user accounts that can modify audit log files.  Any user that has job-related access to system log are responsible for:

1. Limiting access to authorized Departmental IT and OU IT Security personnel, and all such access must be reviewed annually by Departmental IT management.
2. Only access, monitor, or analyze logs for legitimate business and job-related purposes.
3. Keep log information confidential and not disclose such information to others unless there is a job-related or legal requirement to do so.

Log Review

Procedures for monitoring use of systems must be established and the result of the monitoring activities reviewed regularly.  Such procedures are necessary to ensure that users are only performing activities that have been explicitly authorized.  By default, logs must be transferred to the OU IT managed logging service in real-time or as quickly as technology allows.  Systems that are unable to transfer logs must have an approved exception.

Log Events

Authentication Logging - Configure local identity and authentication mechanisms to log the events below.

1. Successful/failed user login attempts
2. Password change
3. Account lockout
4. Account changes (creation and deletion, account permissions change)
5. Inactivity logout
6. User add, delete, modify, disable, lock (Success/Failure)
7. Group/Role add, delete, and modify (Success/Failure)

Network Device Logging - Use CIS Benchmarks to configure network devices to log the events below:

1. User logon and logoff
2. Failed logon attempts
3. All privileged user actions
4. Packet screening denials originating from untrusted networks
5. Packet screening denials originating from trusted networks
6. User account management
7. Modification of packet filters
8. Application errors
9. System shutdown and reboot
10. System errors
11. Network connects and disconnects (wired and wireless)

User Endpoint Logging - Inherit the OU User Endpoint Logging GPO on all Windows endpoints or use CIS Benchmarks to determine how to configure endpoints to log:  

1. Start up and shut down of the system
2. Start up and shut down of a service
3. Network connection changes or failures
4. Changes to, or attempts to change, system security settings and controls
5. Successful/failed user login attempts
6. Functions performed after a user logged in
7. Account changes (creation and deletion, account permissions change)
8. Successful/failed use of privileged accounts (e.g., root, admin SYS, domain)
9. Act of switching or acting as a different user account (e.g., sudo, RunAs, su)
10. System configuration changes, including installation of software patches and updates, or other installed software changes
11. File access (Success/Failure)
12. File creation (Success/Failure)
13. File deletion (Success/Failure)
14. File modification (Success/Failure)
15. Export/writes/downloads to devices/digital media (e.g., CD/DVD, USB, SD)(Success/Failure), where available
16. Import/uploads from devices/digital media (e.g., CD/DVD, USB, SD)(Success/Failure), where available
17. User add, delete, modify, disable, lock (Success/Failure)
18. Group/Role add, delete, and modify (Success/Failure)

Storage System Logging:  Refer to user or administrative manuals to configure storage systems to log:

1. File access (Success/Failure)
2. File creation (Success/Failure)
3. File deletion (Success/Failure)
4. File modification (Success/Failure)
5. All privileged user actions (e.g., successful or failed permission modification, ownership modification)
6. Export/writes/downloads to devices/digital media (e.g., CD/DVD, USB, SD)(Success/Failure), where available
7. Import/uploads from devices/digital media (e.g., CD/DVD, USB, SD)(Success/Failure), where available

Database Logging:  Use CIS Benchmarks to configure databases to log:

1. Successful/failed file or database access attempts
2. Successful/failed use of privileged accounts with administrative access (e.g., root, admin SYS, domain)
3. Where available, use of privileged access or operations such as grant, modify or revoke access rights, including adding a new user or group, changing user privilege levels, changing file permissions, changing database object permissions, changing firewall rules, and user password changes.
4. Creation, adding, or dropping tables/schemas
5. Backup and restore events
6. Elevated exceptions in the database stored procedures, functions, or triggers
7. Use of DBO or other default database account
8. Command-line execution of commands

Application Logging:  Refer to user or administrative manuals to configure applications to log:

1. Authentication successes and failures
2. Authorization (access control) failures
3. Application data activities (create, modify, delete)
4. Where available, use of higher-risk functionality (e.g., addition or deletion of users, changes to privileges, assigning users to tokens, adding or deleting tokens, use of systems administrative privileges, access by application administrators, all actions by users with administrative privileges, access to payment cardholder data, use of data encrypting keys, key changes, data import and export including screen-based reports, submission of user-generated content - especially file uploads).
5. Legal and other opt-ins (e.g., permissions for mobile phone capabilities, terms of use, terms & conditions, personal data usage consent, permission to receive marketing communications).
6. Application transactions, for example:
7. E-mail servers recording the sender, recipients, subject name, and attachment names for each e-mail
8. Web servers recording each URL requested and the type of response provided by the server
9. Business applications recording which financial records were access by each user
10. Export/writes/downloads to devices/digital media (e.g., CD/DVD, USB, SD)(Success/Failure), where available
11. Import/uploads from devices/digital media (e.g., CD/DVD, USB, SD)(Success/Failure), where available
12. User add, delete, modify, disable, lock (Success/Failure)
13. Group/Role add, delete, and modify (Success/Failure)

Server Logging:  Inherit the OU Member Server GPO on all Windows servers or refer to user or administrative manuals to determine how to configure servers to log:

1. Start up and shut down of the system
2. Start up and shut down of a service
3. Network connection changes or failures
4. Changes to, or attempts to change, system security settings and controls
5. Successful/failed user login attempts
6. Functions performed after a user logged in
7. Account changes (creation and deletion, account permissions change)
8. Successful/failed use of privileged accounts (e.g., root, admin SYS, domain)+
9. Act of switching or acting as a different user account (e.g., sudo, RunAs, su)
10. System configuration changes, including installation of software patches and updates, or other installed software changes
11. Application startup and shutdown
12. Application failures
13. File access (Success/Failure)
14. File creation (Success/Failure)
15. File deletion (Success/Failure)
16. File modification (Success/Failure)
17. Export/writes/downloads to devices/digital media (e.g., CD/DVD, USB, SD)(Success/Failure), where available
18. Import/uploads from devices/digital media (e.g., CD/DVD, USB, SD)(Success/Failure), where available
19. User add, delete, modify, disable, lock (Success/Failure)
20. Group/Role add, delete, and modify (Success/Failure)

Anti-Virus Logging: Use the OU Anti-Virus client on all computers and servers to log:

1. Detection of suspicious or malicious activity with outcomes (cleaned or not)
2. Anti-virus protection failures
3. Internal connection to known malware IP address 

Compliance

The Office of Information Technology Governance, Risk, and Compliance (GRC) team, with assistance from Asset Administrators will verify compliance with this Standard by testing system logging controls at least annually, and more often as needed.   

Revision, Review, and Approval History

• August 2023: OU IT Governance, Risk, and Compliance: Initial draft, opened for comments
• September 2023: College of Medicine Cell Biology: Standard reviewed, comments submitted
• September 2023: OU IT Classified Research: Standard reviewed, comments submitted
• October 2023: OU IT Digital Innovation Group: Standard reviewed, comments submitted
• December 2023: OU IT Governance, Risk, and Compliance: Comment period closed
• March 2023: OU IT Governance, Risk, and Compliance: See PSP Comment Summary for details.