8.2.2.7 System Logging Standard

Tags: logging

Purpose

System logs are essential for identifying, monitoring for, responding to, and preventing operational problems, security incidents, policy violations and fraudulent activity.

Supporting Policy

System Logging Policy

Standard

  1. Audit logs must contain at least the following information, where available:
    1. Date and time of activity
    2. Origin of activity (e.g., source IP address)
    3. User performing activity
    4. Description of attempted or completed activity
    5. Success or failure of attempted activity
  2. Certain audit logs may be required to be archived as part of the record retention procedures or because of requirements to collect evidence.  Audit logs must be retained in accordance with the System Logging Standard. 

  Log Type               Active Storage   Archive Storage
  Authentication Logs    30 days          1 year
  Network Device Logs    30 days          1 year
  User Endpoint Logs     30 days          1 year
  Server Logs            30 days          1 year

  1. As an information source that keeps track of important transactions, audit logs are also a prime target for attackers who want to hide their activities in order to maximize their opportunities to compromise targeted data.  To prevent attackers from hiding their activities, resource proprietors and custodians must configure strong access control around audit logs to limit the number of user accounts that can modify audit log files.  Any user who has job-related access to system logs is responsible for:
    1. Limiting access to authorized Departmental IT and OU IT Security personnel; all such access must be reviewed annually by Departmental IT management.
    2. Accessing, monitoring, or analyzing logs only for legitimate business and job-related purposes.
    3. Keeping log information confidential and not disclosing it to others unless there is a job-related or legal requirement to do so.
  2. Storage system, database, and application audit logs must be retained in accordance with the matrix below based on the data classification.

  Category  Type                                                Active Storage  Archive Storage
  A         Healthcare Information                              30 days         6 years
  B         Payment Card Information                            30 days         1 year
  D1        Confidential Research & Publication Information     1 year          3 years
  C         Student Information                                 30 days         3 years
  D2        Research & Publications Information                 30 days         90 days
  E         University Administrative & Financial Information   30 days         1 year
  F         Public Information                                  30 days         90 days

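The following is an added example, not part of the standard or any OU tooling, that checks audit records against the five required elements in item 1 of the Standard and computes where a record of a given age must sit under the data classification matrix above. The JSON key names, the sample records, the reference date and the reading of the archive period as the total retention window measured from the record's timestamp are all assumptions made for the example.

```python
import json
from datetime import date, datetime

# Hypothetical key names for JSON-per-line audit records; the standard names the
# five required elements but not how a given log source labels them.
REQUIRED_FIELDS = {
    "timestamp": "date and time of activity",
    "source_ip": "origin of activity",
    "user": "user performing activity",
    "action": "description of activity",
    "outcome": "success or failure",
}

# (active days, archive days) per data classification, taken from the matrix.
# Assumption: the archive period is the total retention window from the record's timestamp.
RETENTION = {
    "A": (30, 6 * 365), "B": (30, 365), "D1": (365, 3 * 365), "C": (30, 3 * 365),
    "D2": (30, 90), "E": (30, 365), "F": (30, 90),
}

TODAY = date(2024, 2, 10)  # constructed reference date for the sample run

def missing_fields(record: dict) -> list:
    """Required elements the record lacks; empty strings count as missing."""
    return [desc for key, desc in REQUIRED_FIELDS.items() if not record.get(key)]

def disposition(record_ts: datetime, classification: str, today: date) -> str:
    """'active', 'archive' or 'expired' for a record of this age and classification."""
    active_days, archive_days = RETENTION[classification]
    age = (today - record_ts.date()).days
    if age <= active_days:
        return "active"
    return "archive" if age <= archive_days else "expired"

# Constructed sample records (not real log data); the second lacks an origin.
SAMPLE_LINES = [
    '{"timestamp": "2024-02-01T09:15:00", "source_ip": "10.0.0.5", "user": "jdoe", "action": "login", "outcome": "success"}',
    '{"timestamp": "2023-11-20T22:03:10", "source_ip": "", "user": "svc-backup", "action": "read chart", "outcome": "failure"}',
    '{"timestamp": "2023-10-01T04:00:00", "source_ip": "10.0.0.9", "user": "admin", "action": "grant role", "outcome": "success"}',
]

def audit(lines, classification, today=TODAY):
    """Per record: which required elements are missing and its retention disposition."""
    report = []
    for line in lines:
        rec = json.loads(line)
        disp = "unknown"  # no timestamp means the age cannot be established
        if rec.get("timestamp"):
            disp = disposition(datetime.fromisoformat(rec["timestamp"]), classification, today)
        report.append({"missing": missing_fields(rec), "disposition": disp})
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_LINES, "D2"):
        print(row)
```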
  1. Procedures for monitoring use of systems must be established and the results of the monitoring activities reviewed regularly.  Such procedures are necessary to ensure that users are only performing activities that have been explicitly authorized.  By default, logs must be transferred to the OU IT managed logging service in real time or as quickly as technology allows.  Systems that are unable to transfer logs must have an approved exception.

  Category  Type                                                Review Frequency
  A         Healthcare Information                              Annually
  B         Payment Card Information                            Daily
  D1        Confidential Research & Publication Information     Annually
  C         Student Information                                 Annually
  D2        Research & Publications Information                 As Needed
  E         University Administrative & Financial Information   Annually
  F         Public Information                                  Annually

  1. Authentication Logging:  Configure local identity and authentication mechanisms to log the events below.
    1. Successful/failed user login attempts
    2. Password change
    3. Account lockout
    4. Account changes (creation and deletion, account permissions change)
  2. Network Device Logging:  Configure network devices to log the events below:
    1. User logon and logoff
    2. Failed logon attempts
    3. All privileged user actions
    4. Packet screening denials originating from untrusted networks
    5. Packet screening denials originating from trusted networks
    6. User account management
    7. Modification of packet filters
    8. Application errors
    9. System shutdown and reboot
    10. System errors
  3. User Endpoint Logging:  Inherit the OU User Endpoint Logging GPO on all Windows endpoints or refer to user or administrative manuals to determine how to configure endpoints to log:
    1. Start up and shut down of the system
    2. Start up and shut down of a service
    3. Network connection changes or failures
    4. Changes to, or attempts to change, system security settings and controls
    5. Successful/failed user login attempts
    6. Functions performed after a user logged in
    7. Account changes (creation and deletion, account permissions change)
    8. Successful/failed use of privileged accounts (e.g., root, admin SYS, domain)
    9. Act of switching or acting as a different user account (e.g., sudo, RunAs, su)
    10. System configuration changes, including installation of software patches and updates, or other installed software changes
  4. Storage System Logging:  Refer to user or administrative manuals to configure storage systems to log:
    1. Failed file access attempts
    2. File creation
    3. File deletion
    4. File modification
    5. All privileged user actions
  5. Database Logging:  Refer to user or administrative manuals to configure databases to log:
    1. Successful/failed file or database access attempts
    2. Successful/failed use of privileged accounts with administrative access (e.g., root, admin SYS, domain)
    3. Where available, use of privileged access or operations such as grant, modify or revoke access rights, including adding a new user or group, changing user privilege levels, changing file permissions, changing database object permissions, changing firewall rules, and user password changes.
  6. Application Logging:  Refer to user or administrative manuals to configure applications to log:
    1. Authentication successes and failures
    2. Authorization (access control) failures
    3. Application data activities (create, modify, delete)
    4. Where available, use of higher-risk functionality (e.g., addition or deletion of users, changes to privileges, assigning users to tokens, adding or deleting tokens, use of systems administrative privileges, access by application administrators, all actions by users with administrative privileges, access to payment cardholder data, use of data encrypting keys, key changes, data import and export including screen-based reports, submission of user-generated content, especially file uploads).
    5. Legal and other opt-ins (e.g., permissions for mobile phone capabilities, terms of use, terms & conditions, personal data usage consent, permission to receive marketing communications).
    6. Application transactions, for example:
      1. E-mail servers recording the sender, recipients, subject name, and attachment names for each e-mail
      2. Web servers recording each URL requested and the type of response provided by the server
      3. Business applications recording which financial records were accessed by each user
  7. Server Logging:  Inherit the OU Member Server GPO on all Windows servers or refer to user or administrative manuals to determine how to configure servers to log:
    1. Start up and shut down of the system
    2. Start up and shut down of a service
    3. Network connection changes or failures
    4. Changes to, or attempts to change, system security settings and controls
    5. Successful/failed user login attempts
    6. Functions performed after a user logged in
    7. Account changes (creation and deletion, account permissions change)
    8. Successful/failed use of privileged accounts (e.g., root, admin SYS, domain)
    9. Act of switching or acting as a different user account (e.g., sudo, RunAs, su)
    10. System configuration changes, including installation of software patches and updates, or other installed software changes
    11. Application startup and shutdown
    12. Application failures

Compliance

The Office of Information Technology Governance, Risk, and Compliance (GRC) team, with assistance from Asset Administrators, will verify compliance with this Standard by testing system logging controls at least annually, and more often as needed.


Details

Article ID: 3036
Created: Tue 8/22/23 11:48 AM
Modified: Tue 2/6/24 9:43 AM