-**[REQ-LOG-0a]:** The log file of events shall be protected from unauthorised access.
-**[REQ-LOG-0b]:** The log data of events shall be protected from modification including their deletion.
-**[REQ-LOG-0c]:** The log data of events shall be confidentiality protected.
-**[REQ-LOG-0d]:** The log shall include event time, actor identity, action type, and affected non-sensitive scope and object identifiers.
The following requirements apply where the corresponding function exists:
-**[REQ-LOG-1a]:** The product shall generate auditable events for successful and failed authentication attempts.
-**[REQ-LOG-1a]:** The product shall generate auditable events for successful and failed authentication events.
-**[REQ-LOG-1b]:** The product shall generate auditable events for session establishment attempts with source details.
-**[REQ-LOG-1c]:** The product shall generate auditable events for session termination events with reason.
-**[REQ-LOG-1d]:** The product shall generate auditable events for session validation checks like number of concurrent sessions.
-**[REQ-LOG-1e]:** The product shall generate auditable events for and privilege escalation.
-**[REQ-LOG-1e]:** The product shall generate auditable events for privilege and role changes.
-**[REQ-LOG-1f]:** The product shall generate auditable events for configuration changes.
-**[REQ-LOG-1g]:** The product shall generate auditable events for device enrollment and unenrollment.
-**[REQ-LOG-1h]:** The product shall generate auditable events for trust-anchor changes.
-**[REQ-LOG-1i]:** The product shall generate auditable events for policy changes.
-**[REQ-LOG-1j]:** The product shall generate auditable events for credential changes.
-**[REQ-LOG-2a]:** The product shall log boot or initialisation events including timestamped boot stage progression.
-**[REQ-LOG-2b]:** The product shall log boot or initialisation events including component verification and initialisation actions.
-**[REQ-LOG-2c]:** The product shall log boot or initialisation events including recovery mode activations if in use.
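Review bot: The identifiers REQ-LOG-1a and REQ-LOG-1e each appear on two lines with different wording, and the first REQ-LOG-1e line reads "auditable events for and privilege escalation", which is missing the term before "and". If each pair is the old and new wording of one requirement, only the replacement should remain in the final text; if both lines are meant to stay, each needs its own identifier so that a test case can reference it unambiguously. REQ-LOG-0c ("shall be confidentiality protected") would also read better as "shall be protected against disclosure", and it should say how it differs from REQ-LOG-0a, which already covers unauthorised access to the log file.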
@@ -903,6 +909,7 @@ For high risk:
-**[REQ-LOG-6]:** The product shall support forwarding of relevant administrative events to an external logging or SIEM system and shall document the transfer format and field definitions.
-**[REQ-LOG-7]:** SIEM transfer format, field attributes and event descriptions shall made available as part of the technical documentation.
-**[REQ-LOG-8]:** Exported artifacts shall preserve essential fields at least, but not limited to: time, actor, action type, affected scope, result.
-**[REQ-LOG-9]:** The product shall record provenance sufficient to attribute the change to an actor and context information related to at least, but not limited to: user, automated workflow, policy or rule identifier, and triggering event reference.
### 5.3.6 Metrics
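Review bot: REQ-LOG-7 is missing a verb ("shall made available" should be "shall be made available") and overlaps with the second half of REQ-LOG-6, which already requires the product to "document the transfer format and field definitions". Consider keeping the documentation obligation in one requirement only, so the two cannot drift apart. In REQ-LOG-8 and REQ-LOG-9, "at least, but not limited to" says the same thing twice; "at least" alone is enough. REQ-LOG-9 also refers to "the change" without stating which changes are in scope; naming the change events listed under REQ-LOG-1e to REQ-LOG-1j would make it testable.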
@@ -1354,6 +1361,32 @@ There are three different types of assessments used in this document.
### 6.3.5 Logging tests
### 6.3.5.8 REQ-LOG-8
**Requirement:**
**Objective:** Reduces vendor lock-in and supports incident response and CRA evidence portability.
**Preparation:** None<br/>
**Activities:**
**Verdict:**
1. Pass if export is available, documented, and preserves essential fields.
2. Fail if evidence cannot be exported or loses critical context.
**Supporting Evidence:**
### 6.3.5.9 REQ-LOG-9
**Requirement:**
**Objective:** Enables audit replay and accountability for automated control planes. Reduces ambiguity in incident investigations.
**Preparation:** None<br/>
**Activities:**
**Verdict:**
1. Pass if each change can be attributed to actor and context with retrievable references.
2. Fail if changes cannot be deterministically attributed.
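Review bot: In both test cases (6.3.5.8 and 6.3.5.9) the "Requirement:", "Activities:" and "Supporting Evidence:" fields are empty, so the verdicts cannot be reached reproducibly: nothing says how the assessor exercises the export or selects the changes to attribute. Fill in the requirement text, at least one concrete activity per case (for REQ-LOG-8, for example, export a set of events and compare the fields time, actor, action type, affected scope and result against the source log), and the evidence to retain. The verdict terms "critical context" and "deterministically attributed" also need a definition or a pointer to the field lists in REQ-LOG-8 and REQ-LOG-9. The sub-case headings use the same "###" level as "6.3.5 Logging tests"; a deeper heading level would match the numbering.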