8: Audit Log Management
Control Statement
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]
Subcontrols
8.1: Establish and Maintain an Audit Log Management Process
Establish and maintain an audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
8.2: Collect Audit Logs
Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets.
8.3: Ensure Adequate Audit Log Storage
Ensure that logging destinations maintain adequate storage to comply with the enterprise's audit log management process.
8.4: Standardize Time Synchronization
Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported.
8.5: Collect Detailed Audit Logs
Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.
8.6: Collect DNS Query Audit Logs
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
8.7: Collect URL Request Audit Logs
Collect URL request audit logs on enterprise assets, where appropriate and supported.
8.8: Collect Command-Line Audit Logs
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.
8.9: Centralize Audit Logs
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
8.10: Retain Audit Logs
Retain audit logs across enterprise assets for a minimum of 90 days.
8.11: Conduct Audit Log Reviews
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
8.12: Collect Service Provider Logs
Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.