Commit c130e9d1 authored by Santeri Toikka

Updated logging requirements

Closes #492, #491
parent a2ecf26e
+28 −26
@@ -468,43 +468,45 @@ When evaluating the applicability of these requirements, the highest of followin

For low risk:

- **[REQ-LOG-0a]:** The log file of events shall be protected from unauthorised access.
- **[REQ-LOG-0b]:** The log data of events shall be protected from modification including their deletion.
- **[REQ-LOG-0c]:** The log data of events shall be confidentiality protected.
- **[REQ-LOG-0d]:** The log shall include event time, actor identity, action type, and affected non-sensitive scope and object identifiers.
* **[REQ-LOG-0a]:** The log file of events shall be protected from unauthorised access.
* **[REQ-LOG-0b]:** The log data of events shall be protected from modification including their deletion.
* **[REQ-LOG-0c]:** The log data of events shall be confidentiality protected.
* **[REQ-LOG-0d]:** The log shall include event time, actor identity, action type, and affected non-sensitive scope and object identifiers.
* **[REQ-LOG-0e]:** The product shall monitor and log all received relevant events from its managed elements, including, not conclusive, incidents, alarms, time and clock shift alarms.
* **[REQ-LOG-0f]:** The product shall define what is logged, and how long that record is kept.

The following requirements apply where the corresponding function exists:

- **[REQ-LOG-1a]:** The product shall generate auditable events for successful and failed authentication events.
- **[REQ-LOG-1b]:** The product shall generate auditable events for session establishment attempts with source details.
- **[REQ-LOG-1c]:** The product shall generate auditable events for session termination events with reason.
- **[REQ-LOG-1d]:** The product shall generate auditable events for session validation checks like number of concurrent sessions.
- **[REQ-LOG-1e]:** The product shall generate auditable events for privilege and role changes.
- **[REQ-LOG-1f]:** The product shall generate auditable events for configuration changes.
- **[REQ-LOG-1g]:** The product shall generate auditable events for device enrollment and unenrollment.
- **[REQ-LOG-1h]:** The product shall generate auditable events for trust-anchor changes.
- **[REQ-LOG-1i]:** The product shall generate auditable events for policy changes.
- **[REQ-LOG-1j]:** The product shall generate auditable events for credential changes.
- **[REQ-LOG-2a]:** The product shall log boot or initialisation events including timestamped boot stage progression.
- **[REQ-LOG-2b]:** The product shall log boot or initialisation events including software component verification and initialisation actions.
- **[REQ-LOG-2c]:** The product shall log boot or initialisation events including recovery mode activations if in use.
- **[REQ-LOG-3c]:** The product shall log events described by [5.3.4 Secure updates].
- **[REQ-LOG-3d]:** The product shall log installation successes and failures in the managed devices and the product itself if that information can be extracted from the targets.
* **[REQ-LOG-1a]:** The product shall generate auditable events for successful and failed authentication events.
* **[REQ-LOG-1b]:** The product shall generate auditable events for session establishment attempts with source details.
* **[REQ-LOG-1c]:** The product shall generate auditable events for session termination events with reason.
* **[REQ-LOG-1d]:** The product shall generate auditable events for session validation checks like number of concurrent sessions.
* **[REQ-LOG-1e]:** The product shall generate auditable events for privilege and role changes.
* **[REQ-LOG-1f]:** The product shall generate auditable events for configuration changes.
* **[REQ-LOG-1g]:** The product shall generate auditable events for device enrollment and unenrollment.
* **[REQ-LOG-1h]:** The product shall generate auditable events for trust-anchor changes.
* **[REQ-LOG-1i]:** The product shall generate auditable events for policy changes.
* **[REQ-LOG-1j]:** The product shall generate auditable events for credential changes.
* **[REQ-LOG-2a]:** The product shall log boot or initialisation events including timestamped boot stage progression.
* **[REQ-LOG-2b]:** The product shall log boot or initialisation events including software component verification and initialisation actions.
* **[REQ-LOG-2c]:** The product shall log boot or initialisation events including recovery mode activations if in use.
* **[REQ-LOG-3c]:** The product shall log events described by [5.3.4 Secure updates].
* **[REQ-LOG-3d]:** The product shall log installation successes and failures in the managed devices and the product itself if that information can be extracted from the targets.

For medium risk:

- **[REQ-LOG-4]:** The log information shall have an active backup scheduled.
- **[REQ-LOG-5]:** Administrative log records, traces and events shall be forwarded to or stored in a service that prevents unauthorized modification or deletion of recorded entries.
* **[REQ-LOG-4]:** The log information shall have an active backup scheduled.
* **[REQ-LOG-5]:** Administrative log records, traces and events shall be forwarded to or stored in a service that prevents unauthorized modification or deletion of recorded entries.

> Clarification: write only service can be append only or even idempotent upsert system that does not let the received message to be altered later.
> The aim is to prevent a possible attacker to clear its traces by deleting the actions done in the system by distorting the history.

For high risk:

- **[REQ-LOG-6]:** The product shall support forwarding of relevant administrative events to an external logging or SIEM system.
- **[REQ-LOG-7]:** SIEM transfer format, field attributes and event descriptions shall made available in a machine readable format.
- **[REQ-LOG-8]:** Exported artifacts shall preserve essential fields at least, but not limited to: time, actor, action type, affected scope, result.
- **[REQ-LOG-9]:** The product shall record provenance sufficient to attribute the change to an actor and context information related to at least, but not limited to: user, automated workflow, policy or rule identifier, and triggering event reference.
* **[REQ-LOG-6]:** The product shall support forwarding of relevant administrative events to an external logging or SIEM system.
* **[REQ-LOG-7]:** SIEM transfer format, field attributes and event descriptions shall made available in a machine readable format.
* **[REQ-LOG-8]:** Exported artifacts shall preserve essential fields at least, but not limited to: time, actor, action type, affected scope, result.
* **[REQ-LOG-9]:** The product shall record provenance sufficient to attribute the change to an actor and context information related to at least, but not limited to: user, automated workflow, policy or rule identifier, and triggering event reference.

### 5.3.6 Metrics

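Review bot: the new REQ-LOG-0e reads "including, not conclusive, incidents, alarms, time and clock shift alarms"; "not conclusive" is not a phrase a reader of a requirement can act on, and it leaves open whether the list is exhaustive. Suggest "including, but not limited to, incidents, alarms, and time and clock shift alarms", which matches the "at least, but not limited to" wording the same hunk already uses in REQ-LOG-8 and REQ-LOG-9. Two smaller points on the same hunk: because every line was re-emitted to swap the bullet marker from "-" to "*", the two substantive additions (REQ-LOG-0e and REQ-LOG-0f) are easy to miss in review, so a separate marker-only commit would have been cleaner; and the pre-existing typo in REQ-LOG-7 ("shall made available", should be "shall be made available") was carried over unchanged while the line was being touched anyway. The identifier sequence also still jumps from REQ-LOG-2c to REQ-LOG-3c with no REQ-LOG-3a or 3b, which is worth either renumbering or a note that the gap is intentional.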
@@ -547,7 +549,7 @@ Relevancy of the metric depends on the protocols and the product usage scenario.

Application metrics requirements:

-   **[REQ-METRICS-9]** Relevant application metrics, like GUI and API latencies and error rates, shall be tracked and reported.
* **[REQ-METRICS-9]** Relevant application metrics, like GUI and API latencies and error rates, shall be tracked and reported.

Matching tests for these requirements are listed in [6.3.6 Metrics tests].
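Review bot: this hunk only swaps the bullet marker for REQ-METRICS-9 from "-" with a three-space indent to "*" with a single space, the same style change applied in the logging section above; nothing to flag in the content. Since the change is being made section by section, it would be worth a quick grep of the rest of the document for remaining "-" bullets so the list style ends up consistent in one commit rather than across several.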