Commit f651a9fd authored by Miguel Fornés's avatar Miguel Fornés Committed by Aki Braun

Resolve "[HAS 90] 5.2.15.2 Not actionable. What are “security-relevant events”? Start from those that affect the access or modi"
parent 750222f5
@@ -864,16 +864,26 @@ The product shall record cybersecurity-relevant internal events, including but n

#### 5.2.15.2 MI-LOGG-1: Logging

The product shall record log messages indicating cybersecurity-relevant internal events in an internal log or transmit them to the host system logging system. The log messages shall not include any confidential information such as Personal Data, secrets, or credentials, or any information which might reasonably be expected to include such items.
In accordance with the requirement to monitor access or modification of data, services, or functions, the product shall record log messages indicating specific cybersecurity-relevant internal events in an internal log.

* Reference: TR-LOGG
The minium scope of cybersecurity-relevant events logged by the VPN client may include, but not limited to:
 
* successful and failed authentication attempts,
* establishment, termination, or unexpected drops of the VPN connection,
* modifications to the VPN client's configuration or security settings,
* changes applied by the VPN client to the host system's network configuration technically relevant for the VPN service provision, or
* software update successes or failures.

The log messages shall not include any confidential information such as Personal Data, network traffic content, connection metadata (e.g., destination IPs, DNS queries), secrets, or credentials. These logs shall be retained locally on the endpoint. To comply with data minimisation requirements, the VPN client shall not transmit these logs to the remote data processing solutions of the VPN manufacturer by default. Transmission of local logs to the manufacturer (e.g., for technical support or troubleshooting) shall require explicit, informed user authorisation (e.g. explicit opt-in).

* Reference: TR-LOGG, TR-DMIN
* Objective: Monitoring and recording cybersecurity-relevant events
* Preparation: List all types of cybersecurity-relevant internal events
* Activities: For each type of cybersecurity-relevant internal event, trigger the event
* Verdict: For each triggered event, the log contains a message indicating the event, log message does not include any information likely to be confidential => PASS, otherwise FAIL
* Evidence: Method of triggering events, log messages with annotations
* Preparation: Review the manufacturer's documentation to confirm the scope of cybersecurity-relevant internal events implemented in the logging mechanism.
* Activities: For each type of cybersecurity-relevant internal event (authentication, connection state change, configuration modification, etc.), trigger the event on the endpoint. Attempt to locate any automated transmission of these logs to the manufacturer without explicit user consent.
* Verdict: For each triggered event, the local log contains a message indicating the event, log message does not include any information likely to be confidential, and logs are not transmitted to the manufacturer without explicit user authorisation => PASS, otherwise FAIL
* Evidence: Method of triggering events, log messages with annotations, and packet captures demonstrating no unauthorised transmission of logs.

> NOTE: One type of event for which log messages must take care to not accidentally include a secret is failed password authentication attempts. Since users often type their password into the username field, including the username field in the log message may result in including a secret in the log message.
> NOTE: One type of event for which log messages must take care to not accidentally include a secret is failed password authentication attempts. Since users often type their password into the username field, including the username field in the log message may result in including a secret in the log message. Additionally, the product may provide an easy-to-use opt-out mechanism for users who do not wish to have internal activity recorded locally

#### 5.2.15.3 MI-LOGG-2: Remote Logging
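Review bot: The new event list is introduced with "The minium scope of cybersecurity-relevant events logged by the VPN client may include, but not limited to", which keeps the requirement non-actionable: a minimum scope that a product "may" log sets no floor, so the Verdict for "each type of cybersecurity-relevant internal event" still has nothing concrete to check against. Suggest "The minimum scope of cybersecurity-relevant events logged by the VPN client shall include at least the following:" (this also fixes the "minium" typo and the dropped "is" in "but not limited to"). The added NOTE sentence "the product may provide an easy-to-use opt-out mechanism for users who do not wish to have internal activity recorded locally" sits uneasily with "the product shall record log messages" and with the Verdict, which fails the product when a triggered event produces no log entry; it should state that the assessment is performed with local logging enabled and that opting out is a user-initiated choice that does not alter the default, and the sentence is missing its final full stop. Finally, the Evidence line now asks for "packet captures demonstrating no unauthorised transmission of logs" while the Activities line only says "Attempt to locate any automated transmission"; aligning the two (e.g. "capture endpoint network traffic during and after each triggered event") would make the expected evidence traceable to a named activity.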