CCC.Core.TH07: Logs are Tampered With or Deleted
Threat ID:CCC.Core.TH07
Title:Logs are Tampered With or Deleted
Description:
Tampering with or deleting service logs reduces the system's ability to maintain an accurate record of events. Any action that compromises the integrity of logs can disrupt system availability by interrupting monitoring, hinder forensic investigations, and reduce the accuracy of audit trails.
Related Capabilities
ID | Title | Description |
---|---|---|
CCC.Core.F03 | Access Log Publication | The service automatically publishes structured, verbose records of activities performed within the scope of the service by external actors. |
CCC.Core.F10 | Log Publication | The service automatically publishes structured, verbose records of activities, operations, or events that occur within the service. |
External Mappings
Controls
ID | Title | Objective | Control Family | Threat Mappings | Guideline Mappings | Assessment Requirements |
---|---|---|---|---|---|---|
CCC.AuditLog.C01 | Implement Digital Signatures With Hash Chaining | Digital signatures allow external verification that log data has not been tampered with, and hash chaining allows deleted log entries or files to be detected. | Integrity | 2 | 2 | 2 |
CCC.AuditLog.C03 | Alert On Audit Log Changes And Access | Ensure that specific alerts have been configured to detect changes in audit log configuration such as disabling exporting of logs. Alerts MUST also be created to detect changes in retention/object lock policies for exported data log sources/buckets. | Integrity | 1 | 3 | 2 |
CCC.AuditLog.C05 | Export Audit Logs To Bucket | Configure audit logs to be sent to an external bucket where they can be globally replicated and subject to stricter access control and data retention policies. | Availability | 1 | 4 | 1 |
CCC.AuditLog.C06 | Enforce Retention Policy on Audit Log Bucket | Configure a custom retention policy on the designated audit log bucket to ensure that logs are retained for the correct number of days as defined by your organization's policy. | Availability | 2 | 3 | 1 |
CCC.AuditLog.C07 | Enforce MFA Delete on Audit Log Bucket | Enable Multi-Factor Authentication (MFA) delete on the audit log bucket to provide greater protection against accidental or malicious deletion of audit data. | Availability | 2 | 3 | 1 |
CCC.AuditLog.C08 | Enable Object Lock On Audit Log Bucket | Ensure that object lock is enabled globally on all objects within the bucket. The lock period MUST be configured to meet your organization's legal and compliance goals. Deletion attempts before the lock period expires MUST be denied. | Availability | 1 | 3 | 1 |
CCC.AuditLog.C09 | Restrict Field And Log Type Access | Configure access to audit logs according to the principle of least privilege; in particular, where technically possible, limit the log fields users can access to prevent accidental exposure of sensitive information such as PII. | Confidentiality | 1 | 7 | 1 |
CCC.Core.C09 | Ensure Integrity of Access Logs | Ensure that access logs are always recorded to an external location that cannot be manipulated from the context of the service(s) it contains logs for. | Data | 3 | 5 | 3 |
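The following is an added example of the mechanism behind CCC.AuditLog.C01; it is illustrative code written for this page, not code from the CCC project or any cloud provider. It assumes SHA-256 for the hash chain and Ed25519 for the per-entry signature (both are assumptions; the control does not prescribe algorithms), and the log messages are constructed sample data. Each entry commits to the hash of the previous entry, so a modified entry breaks the hash of its successor and a removed or reordered entry leaves a sequence gap and a previous-hash mismatch. The signature stops an attacker who can write to the log store but does not hold the signing key from simply re-hashing the chain after editing it. Note the caveat the chain alone does not cover: truncating the newest entries leaves a perfectly valid shorter chain, which is why the example also keeps a checkpoint (entry count plus head hash) that must be stored outside the log store, as CCC.Core.C09 requires, and compared at verification time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Entry is one hash-chained, signed audit log record.
type Entry struct {
	Seq      uint64   // monotonically increasing position in the chain
	Message  string   // the log line itself (constructed sample data below)
	PrevHash [32]byte // Hash of the preceding entry; zero for the first entry
	Hash     [32]byte // SHA-256(Seq || PrevHash || Message)
	Sig      []byte   // Ed25519 signature over Hash by the log writer's key
}

// Checkpoint is the state a verifier stores out of band (e.g. in a separate
// account or an object-locked bucket) so that truncation of the tail is detectable.
type Checkpoint struct {
	Count uint64
	Head  [32]byte
}

// entryHash binds the sequence number, the previous hash and the message together.
func entryHash(seq uint64, prev [32]byte, msg string) [32]byte {
	h := sha256.New()
	var seqBuf [8]byte
	binary.BigEndian.PutUint64(seqBuf[:], seq)
	h.Write(seqBuf[:])
	h.Write(prev[:])
	h.Write([]byte(msg))
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Append creates and signs the next entry in the chain.
func Append(log []Entry, msg string, priv ed25519.PrivateKey) []Entry {
	var prev [32]byte
	var seq uint64
	if n := len(log); n > 0 {
		prev = log[n-1].Hash
		seq = log[n-1].Seq + 1
	}
	h := entryHash(seq, prev, msg)
	return append(log, Entry{Seq: seq, Message: msg, PrevHash: prev, Hash: h, Sig: ed25519.Sign(priv, h[:])})
}

// Verify walks the chain and reports the first entry that fails. It detects
// modification, removal and reordering, but NOT truncation of the newest entries.
func Verify(log []Entry, pub ed25519.PublicKey) error {
	var prev [32]byte
	var expectSeq uint64
	for i, e := range log {
		if e.Seq != expectSeq {
			return fmt.Errorf("entry %d: sequence gap, expected %d got %d (entries deleted?)", i, expectSeq, e.Seq)
		}
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: previous-hash mismatch (entry removed or reordered)", i)
		}
		if entryHash(e.Seq, e.PrevHash, e.Message) != e.Hash {
			return fmt.Errorf("entry %d: content does not match stored hash (modified)", i)
		}
		if !ed25519.Verify(pub, e.Hash[:], e.Sig) {
			return fmt.Errorf("entry %d: bad signature (re-hashed without the signing key)", i)
		}
		prev = e.Hash
		expectSeq = e.Seq + 1
	}
	return nil
}

// HeadCheckpoint snapshots the chain state to be stored outside the log store.
func HeadCheckpoint(log []Entry) Checkpoint {
	cp := Checkpoint{Count: uint64(len(log))}
	if len(log) > 0 {
		cp.Head = log[len(log)-1].Hash
	}
	return cp
}

// VerifyWithCheckpoint runs Verify and additionally catches tail truncation by
// comparing the chain against an externally stored Checkpoint.
func VerifyWithCheckpoint(log []Entry, pub ed25519.PublicKey, cp Checkpoint) error {
	if err := Verify(log, pub); err != nil {
		return err
	}
	if got := HeadCheckpoint(log); got != cp {
		return fmt.Errorf("chain has %d entries but checkpoint recorded %d (tail truncated?)", got.Count, cp.Count)
	}
	return nil
}

// BuildSampleLog produces a three-entry chain from constructed sample messages.
func BuildSampleLog(priv ed25519.PrivateKey) []Entry {
	var log []Entry
	for _, m := range []string{
		"2024-01-01T00:00:00Z user=alice action=GetObject key=invoices/q1.pdf", // constructed
		"2024-01-01T00:00:05Z user=bob action=PutBucketPolicy bucket=audit",   // constructed
		"2024-01-01T00:00:09Z user=bob action=DeleteObject key=audit/2023.log", // constructed
	} {
		log = Append(log, m, priv)
	}
	return log
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	log := BuildSampleLog(priv)
	cp := HeadCheckpoint(log) // ship this to a location the service cannot write to
	fmt.Println("intact:", VerifyWithCheckpoint(log, pub, cp))
	tampered := append([]Entry(nil), log...)
	tampered[1].Message = "2024-01-01T00:00:05Z user=bob action=GetObject key=x"
	fmt.Println("edited entry:", Verify(tampered, pub))
	fmt.Println("middle entry removed:", Verify([]Entry{log[0], log[2]}, pub))
	fmt.Println("tail truncated, chain only:", Verify(log[:2], pub))
	fmt.Println("tail truncated, with checkpoint:", VerifyWithCheckpoint(log[:2], pub, cp))
}
```

In a real deployment the checkpoint would be written to the external, object-locked bucket described by CCC.AuditLog.C05 and C08, and the private key would live with the log writer (for example in a KMS or HSM), never in the environment whose actions it records; otherwise an attacker who compromises that environment can re-sign whatever history suits them.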