CCC.Core.F03: Access Log Publication
Capability ID: CCC.Core.F03
Title: Access Log Publication
Description: The service automatically publishes structured, verbose records of activities performed within the scope of the service by external actors.
Mapped Threats
| ID | Title | Description | External Mappings | Capability Mappings | Control Mappings |
|---|---|---|---|---|---|
| CCC.AUDITLOG.TH01 | Insufficient Audit Logs | If security-critical audit events are not logged, it becomes harder to detect threats and to perform post-incident analysis. | 2 | 1 | 0 |
| CCC.AUDITLOG.TH02 | Log Ingestion Latency | Large spikes or sustained delays in log ingestion may degrade the timeliness and completeness of security telemetry. This can increase the time required to detect and investigate threats, potentially impacting incident response effectiveness. | 3 | 1 | 0 |
| CCC.AUDITLOG.TH03 | Sensitive Data Logged | Sensitive information such as passwords, environment variables, or personally identifiable information (PII) may be included in audit logs for a number of reasons, such as end-user human error, developers not sanitizing fields, or a threat actor maliciously attempting to exfiltrate data. This can lead to unauthorized disclosure if logs are accessed by unintended parties or forwarded to external systems. | 3 | 1 | 0 |
| CCC.AUDITLOG.TH04 | Insufficient Encoding of Audit Logs | User-supplied data such as scripts, control characters, escape sequences, or code fragments may be written to audit logs without proper encoding or sanitization. This can result in malformed or unexpected log entries that could disrupt or compromise systems that process or display these logs, including log viewers or downstream services. | 2 | 1 | 0 |
| CCC.AUDITLOG.TH05 | Logging Evasion via Violating Size Constraints | An attacker can evade detection by intentionally crafting input that violates the size constraints of a cloud's audit logging mechanism. Many systems impose a maximum size limit on individual log entries. By performing an action with oversized data, such as whitespace or Unicode injection, the resulting log event, which often includes the offending data, exceeds this limit and is then often redacted in the audit logs. | 2 | 1 | 0 |
| CCC.Core.TH07 | Logs are Tampered With or Deleted | Tampering with or deleting service logs reduces the system's ability to maintain an accurate record of events. Any action that compromises the integrity of logs could disrupt system availability by disrupting monitoring, hindering forensic investigations, and reducing the accuracy of audit trails. | 1 | 1 | 0 |
| CCC.Core.TH09 | Runtime Logs are Read by Unauthorized Entities | Unauthorized access to logs may expose valuable information about the system's configuration, operations, and security mechanisms. This could jeopardize system availability through the exposure of vulnerabilities and support the planning of attacks on the service, system, or network. If logs are not adequately sanitized, this may also directly impact the confidentiality of sensitive data. | 1 | 1 | 0 |