System Log Events that should be logged
March 2, 2012

Logs shall be created whenever any of the following activities are requested to be performed by the system:
1. Create, read, update, or delete confidential information, including confidential authentication information such as passwords;
2. Create, update, or delete information not covered in (1) above;
3. Initiate a network connection;
4. Accept a network connection;
5. User authentication and authorization for activities covered in (1) or (2), such as user login and logout;
6. Grant, modify, or revoke access rights, including adding a new user or group, changing user privilege levels, changing file permissions, changing database object permissions, changing firewall rules, and user password changes;
7. System, network, or services configuration changes, including testing and installation of software patches and updates, or other changes to installed software;
8. Application process startup, shutdown, or restart;
9. Application process failures or abnormal termination, especially those due to resource exhaustion or reaching a resource limit or threshold (such as for CPU, memory, network connections, network bandwidth, disk space, or other resources), the failure of network services such as DHCP or DNS, or a hardware fault; and
10. Detection of suspicious or malicious activity, such as by an Intrusion Detection or Prevention System (IDS / IPS), anti-virus system, or anti-spyware system.
Elements of the log
Such logs shall identify or contain at least the following elements, directly or indirectly. In this context, the term “indirectly” means unambiguously inferred.
- Type of action – Include authorizations, create, read, update, delete, and accept network connection.
- Subsystem performing the action – Include process or transaction name, process or transaction identifier.
- UserIDs (as many as available) for the subject requesting the action – Include computer name, user name, IP address, and MAC address.
Note: Such UserIDs should be standardized in order to facilitate log correlation.
- UserIDs for the object the action was performed on – Include file names accessed, unique UserIDs accessed in a database, query parameters used to determine records accessed in a database, computer name, IP address, and MAC address.
Note: Such UserIDs should be standardized in order to facilitate log correlation.
- Before and after values when action involves updating a data element, if feasible.
- Date and time the action was performed, including relevant time-zone information if not in Coordinated Universal Time.
- Whether the action was allowed or denied by access-control mechanisms.
- Description and/or reason-codes of why the action was denied by the access-control mechanism, if applicable.
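The following is an added example, not part of the original document, showing what a record carrying every element listed above can look like and how a collector can check that none is missing. The key names (`action`, `subsystem`, `subject`, `object`, `timestamp`, `outcome`, `reason`, `element`, `before`, `after`), the `CONFIDENTIAL_ELEMENTS` list and the sample events are all this example's own choices; the policy prescribes the elements, not a schema. One design point the example makes concrete: when the updated data element is itself confidential authentication information (a password), the record states that the value changed but never carries the before and after values, since writing them to a log would turn the log into the very secret the event is about.

```python
import json
from datetime import datetime, timedelta, timezone

# Elements the policy requires in every record. The key names are this
# example's own choice; the policy lists the elements, not a schema.
REQUIRED_ELEMENTS = ("action", "subsystem", "subject", "object",
                     "timestamp", "outcome")

# Data elements whose values must never be written to a log, not even as
# before/after values: the access to confidential authentication information
# is recorded, the information itself is not. Constructed list for this example.
CONFIDENTIAL_ELEMENTS = {"password", "password_hash", "api_key"}


def make_record(action, subsystem, subject, obj, outcome, *, reason=None,
                element=None, before=None, after=None, when=None):
    """Build one audit record carrying every element the policy asks for.

    action       type of action: create/read/update/delete/authorize/accept_connection
    subsystem    dict naming the process or transaction and its identifier
    subject      dict of identifiers for the requester (user, host, ip, mac)
    obj          dict of identifiers for the target (file, db record, host, ...)
    outcome      "allowed" or "denied", as decided by access control
    reason       reason code or description; mandatory when outcome is "denied"
    element      name of the data element changed, for updates
    before/after old and new values; suppressed for confidential elements
    when         time-zone-aware datetime; defaults to the current UTC time
    """
    if outcome not in ("allowed", "denied"):
        raise ValueError("outcome must be 'allowed' or 'denied'")
    if outcome == "denied" and not reason:
        raise ValueError("a denied action must carry a reason code or description")
    ts = when if when is not None else datetime.now(timezone.utc)
    if ts.tzinfo is None:
        raise ValueError("timestamp must carry time-zone information")
    record = {
        "action": action,
        "subsystem": subsystem,
        "subject": subject,
        "object": obj,
        # normalise to UTC so correlation across hosts needs no zone arithmetic
        "timestamp": ts.astimezone(timezone.utc).isoformat(),
        "outcome": outcome,
    }
    if reason:
        record["reason"] = reason
    if element is not None:
        record["element"] = element
        if element in CONFIDENTIAL_ELEMENTS:
            record["value_change"] = "redacted"  # that it changed, not what it was
        else:
            record["before"] = before
            record["after"] = after
    return record


def missing_elements(record):
    """Return the required elements a record lacks; empty tuple when complete."""
    return tuple(k for k in REQUIRED_ELEMENTS
                 if record.get(k) in (None, "", {}))


def to_line(record):
    """Serialise one record as a single JSON line for shipping to a collector."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def sample_records():
    """Constructed events illustrating the policy's cases (not real log data)."""
    eastern = timezone(timedelta(hours=-5))
    return [
        # password change: update of a confidential authentication element
        make_record("update", {"name": "accountsvc", "id": "4242"},
                    {"user": "alice", "host": "ws-17", "ip": "10.0.0.5",
                     "mac": "00:11:22:33:44:55"},
                    {"db": "users", "record": "alice"},
                    "allowed", element="password",
                    before="old-secret", after="new-secret",
                    when=datetime(2012, 3, 2, 9, 15, tzinfo=eastern)),
        # firewall rule change: access-rights modification with visible values
        make_record("update", {"name": "fwadmin", "id": "77"},
                    {"user": "bob", "host": "mgmt-1", "ip": "10.0.0.9"},
                    {"firewall": "edge-1", "rule": "allow-ssh"},
                    "allowed", element="source_cidr",
                    before="10.0.0.0/8", after="10.0.1.0/24",
                    when=datetime(2012, 3, 2, 14, 20, tzinfo=timezone.utc)),
        # denied read of a confidential file, with the reason code kept
        make_record("read", {"name": "fileserver", "id": "1001"},
                    {"user": "carol", "host": "ws-22", "ip": "10.0.0.31"},
                    {"file": "/srv/hr/salaries.csv"},
                    "denied", reason="ACL_NO_READ",
                    when=datetime(2012, 3, 2, 14, 21, tzinfo=timezone.utc)),
    ]


if __name__ == "__main__":
    for rec in sample_records():
        assert missing_elements(rec) == ()
        print(to_line(rec))
```

Running the block prints three JSON lines; the first one shows the password change with `"value_change":"redacted"` and no `before`/`after` keys, and its timestamp rewritten from 09:15 in a UTC-5 zone to `2012-03-02T14:15:00+00:00`. `missing_elements` is the check a collector or SIEM ingest stage can apply to reject records that do not meet the policy before they are accepted.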
www.bestitdocuments.com