Commit c4890e10 authored by JANSSEN; jeroen

Add MI-LOGG-2: Remote Logging

parent cfa4ab3a
@@ -948,7 +948,7 @@ VPN encryption shall use cryptographic algorithms, keys, and parameters as descr

The product shall record security-relevant internal events, including but not limited to changes to configuration and access or modification of data and functions. The product shall provide an opt-out mechanism.

#### 5.2.15.2 MI-LOGG: Logging
#### 5.2.15.2 MI-LOGG-1: Logging

The product shall record log messages indicating security-relevant internal events in an internal log or transmit them to the host system logging system. The log messages shall not include any confidential information such as PII, secrets, or credentials, or any information which might reasonably be expected to include such items.

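Review bot: Renaming the requirement identifier from MI-LOGG to MI-LOGG-1 in the heading changes a name that other parts of the document (cross-references, traceability to TR-LOGG, test evidence templates) may still use under the old name; search for remaining occurrences of "MI-LOGG" that are not followed by a suffix and update them, or state in the MI-LOGG-1 text that it supersedes the former MI-LOGG so the renumbering stays traceable.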
@@ -961,6 +961,22 @@ The product shall record log messages indicating security-relevant internal even

Guidance: One type of event whose log message must take care to not accidentally include a secret is failed password authentication attempts. Since people often type their password into the username field, including the username field in the log message may result in including a secret in the log message.

#### 5.2.15.3 MI-LOGG-2: Remote Logging

The product shall transfer log messages indicating security-relevant internal events to a remote logging server. The log messages shall not include any confidential information such as PII, secrets, or credentials, or any information which might reasonably be expected to include such items.

> TODO-HAS: Reconsider the phrasing here, especially in activities and verdict

  * Reference: TR-LOGG
  * Objective: Transfer log messages regarding security-relevant events to mitigate local tampering
  * Preparation: List all types of security-relevant internal events
  * Activities: For each type of security-relevant internal event, trigger the event
  * Verdict: For each triggered event, the log contains a message indicating the event, log message does not include any information likely to be confidential => PASS, otherwise FAIL
  * Evidence: Method of triggering events, log messages with annotations

Guidance: One type of event whose log message must take care to not accidentally include a secret is failed password authentication attempts. Since people often type their password into the username field, including the username field in the log message may result in including a secret in the log message.


### 5.2.16 TR-SCDL: Secure deletion

#### 5.2.16.1 Requirement
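Review bot: The Activities and Verdict of MI-LOGG-2 do not test the property that distinguishes it from MI-LOGG-1: the requirement text says the product "shall transfer log messages ... to a remote logging server" and the Objective is to "mitigate local tampering", but the Verdict only checks that "the log contains a message indicating the event", which is satisfied by a purely local log. Suggest adding a Preparation step that identifies or sets up the remote logging server, and changing the Verdict to "the remote logging server receives a message indicating the event" so a product that only logs locally cannot PASS. The "TODO-HAS: Reconsider the phrasing here" line left in the body signals this is known; it should be resolved or moved out of the normative text before merge. The Guidance paragraph is also copied verbatim from MI-LOGG-1 directly above; a one-line cross-reference to the MI-LOGG-1 guidance would avoid the two copies drifting apart.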