### 5.2.X **TR-LSRE**: Logging of security-relevant events
#### 5.2.X.1 Example threat
Attacker's security-relevant changes to systems can't be tracked or audited
#### 5.2.X.x **MI-LLOG**: Local logging
Use case: Everything above toy that has security-relevant configuration?
* Mitigation: Keep local logs of important security events with timestamps, including TBD:
* list of types of events
* enough information to directly repair the change without scanning the whole system
* enough log storage ??? amount
* Test: For each type of logged event, execute the action that should be logged
* Result: Each event is logged
* Output: Log output for each event
#### 5.2.X.x **MI-RLOG**: Remote logging
Use case: Higher risk servers, workstations, laptops, anything that can't write logs locally?
* Mitigation: same as MI-LLOG but with ability to send logs via a verifiable channel to an authorized log server, as long as the connection to the server is available
* Test: For each type of logged event that would result in the logging server becoming unavailable, execute the action that would result in that log event
* Result: Log output for each event is sent to log server
* Output: Log output as sent to log server or as recorded on log server
* Requirements: way to setup remote log server for product as shipped
### 5.2.X **TR-LLTP**: Local log tamper prevention
#### 5.2.X.1 Example threat
Attacker tampers with log messages
#### 5.2.X.x **MI-LLGA**: Local log file only editable by privileged users
Use case: Any product with multiple users?
* Mitigation: log file has permissions allowing editing only by users with appropriate privileges
* Test: attempt to write to, delete, and move each log file by an unauthorized user
* Result: access is denied, log is not changed
* Output: error messages, comparison of log status shows no changes
* Requirements: way to attempt to tamper with logs on product as shipped
FIXME: what about append-only?
Note: all security-relevant configuration handled by a different requirement
Attacker intercepts, alters, or replaces log message stream to remote log server
#### 5.2.X.x **MI-RLSA**: Remote log server authentication
* Mitigation: Authentication of remote log server
* Test: Attempt to intercept initial connection to log server using identical responses as the authorized log server, except where using only publicly available information would be different
* Result: Failure to connect to remote log server and no logs are sent
* Output: Error message
#### 5.2.X.x **MI-RLET**: Encrypt log message stream with tamper-evident protocol
Use case: Higher risk servers, workstations, laptops?
* Mitigation: Use tamper-resistant encryption on the log stream such as TBD LIST OR REFER
* Test: Alter, insert, and delete log message stream using only publicly available data
* Result: Log server rejects tampered/false log message
* Output: Error message
### 5.2.X **TR-SDEF**: Secure by default configuration
### 5.2.X.x Requirement
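Review bot: the removal leaves no logging requirement at this point in 5.2. TR-LSRE (MI-LLOG, MI-RLOG) and TR-LLTP (MI-LLGA, MI-RLSA, MI-RLET) are cut out wholesale and the next heading is `### 5.2.X **TR-SDEF**: Secure by default configuration`; since the identical text reappears in the later hunk under `### Old logging requirements`, this is a move rather than a rewrite. Suggest keeping a stub `### 5.2.X **TR-LSRE**: Logging of security-relevant events` heading with a pointer to the old section (or a FIXME noting that replacement requirements are pending), otherwise a reader of 5.2 finds no logging requirement at all and has to discover the appendix by accident.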
@@ -2776,6 +2706,76 @@ FIXME: vDSO ASLR
FIXME: NULL-address protection
FIXME: ptrace scope
### Old logging requirements
#### 5.2.X.1 Example threat
Attacker's security-relevant changes to systems can't be tracked or audited
#### 5.2.X.x **MI-LLOG**: Local logging
Use case: Everything above toy that has security-relevant configuration?
* Mitigation: Keep local logs of important security events with timestamps, including TBD:
* list of types of events
* enough information to directly repair the change without scanning the whole system
* enough log storage ??? amount
* Test: For each type of logged event, execute the action that should be logged
* Result: Each event is logged
* Output: Log output for each event
#### 5.2.X.x **MI-RLOG**: Remote logging
Use case: Higher risk servers, workstations, laptops, anything that can't write logs locally?
* Mitigation: same as MI-LLOG but with ability to send logs via a verifiable channel to an authorized log server, as long as the connection to the server is available
* Test: For each type of logged event that would result in the logging server becoming unavailable, execute the action that would result in that log event
* Result: Log output for each event is sent to log server
* Output: Log output as sent to log server or as recorded on log server
* Requirements: way to setup remote log server for product as shipped
### 5.2.X **TR-LLTP**: Local log tamper prevention
#### 5.2.X.1 Example threat
Attacker tampers with log messages
#### 5.2.X.x **MI-LLGA**: Local log file only editable by privileged users
Use case: Any product with multiple users?
* Mitigation: log file has permissions allowing editing only by users with appropriate privileges
* Test: attempt to write to, delete, and move each log file by an unauthorized user
* Result: access is denied, log is not changed
* Output: error messages, comparison of log status shows no changes
* Requirements: way to attempt to tamper with logs on product as shipped
FIXME: what about append-only?
Note: all security-relevant configuration handled by a different requirement
Attacker intercepts, alters, or replaces log message stream to remote log server
#### 5.2.X.x **MI-RLSA**: Remote log server authentication
* Mitigation: Authentication of remote log server
* Test: Attempt to intercept initial connection to log server using identical responses as the authorized log server, except where using only publicly available information would be different
* Result: Failure to connect to remote log server and no logs are sent
* Output: Error message
#### 5.2.X.x **MI-RLET**: Encrypt log message stream with tamper-evident protocol
Use case: Higher risk servers, workstations, laptops?
* Mitigation: Use tamper-resistant encryption on the log stream such as TBD LIST OR REFER
* Test: Alter, insert, and delete log message stream using only publicly available data
* Result: Log server rejects tampered/false log message
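Review bot: the MI-RLOG Test and Result contradict each other in the moved block. The line `* Test: For each type of logged event that would result in the logging server becoming unavailable, execute the action that would result in that log event` exercises exactly the case where the server is unreachable, yet the expected `* Result: Log output for each event is sent to log server` cannot hold during the outage. Since the text is being moved anyway, split it into two cases: server reachable, the event is delivered; server unreachable, the event is retained in the local log per MI-LLOG and forwarded when the connection returns, with the loss of connectivity itself recorded as an event. Two smaller points in the same block: the threat line `Attacker intercepts, alters, or replaces log message stream to remote log server` has no `### 5.2.X **TR-...**` / `#### 5.2.X.1 Example threat` headings of its own, so MI-RLSA and MI-RLET land under TR-LLTP (local log tamper prevention) although they address the remote stream, and MI-RLSA is the only mitigation without a `Use case:` line. The `FIXME: what about append-only?` under MI-LLGA could also be resolved here: an append-only log file (for example the `chattr +a` attribute on Linux, or a writer that only ever holds O_APPEND descriptors) tightens "editable only by privileged users" to "existing entries cannot be rewritten by anyone; privileged users can only rotate", which is the property TR-LLTP is actually after.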