Ensure that specific alerts have been configured to detect changes in audit log configuration such as disabling exporting of logs. Alerts MUST also be created to detect changes in retention/object lock policies for exported data log sources/buckets.
Management / Auditlog / Controls / DEV
Alert On Audit Log Changes And Access
CCC.AuditLog.CN03 · Observability
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.Core.CP03 | Access Log Publication | The service automatically publishes structured, verbose records of activities performed within the scope of the service by external actors. |
| CCC.Core.CP10 | Log Publication | The service automatically publishes structured, verbose records of activities, operations, or events that occur within the service. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.Core.TH07 | Logs are Tampered With or Deleted | Tampering or deletion of service logs will reduce the system's ability to maintain an accurate record of events. Any actions that compromise the integrity of logs could disrupt system availability by disrupting monitoring, hindering forensic investigations, and reducing the accuracy of audit trails. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.AuditLog.CN03.AR01 | When an attempt is made to disable a log source, then an alert MUST be generated. | tlp-red, tlp-amber |
| CCC.AuditLog.CN03.AR02 | When an attempt is made to alter the retention or object lock status of an external data log source or bucket, then an alert MUST be generated. | tlp-red, tlp-amber |