Information Security
CIS Control 8 - Audit Log Management
Last modified 6/28/2021
Audit Log Management
Purpose
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
Background
Log collection and analysis is critical for an enterprise’s ability to detect malicious activity quickly. Sometimes audit records are the only evidence of a successful attack. Attackers know that many enterprises keep audit logs for compliance purposes, but rarely analyze them. Attackers use this knowledge to hide their location, malicious software, and activities on victim machines. Due to poor or nonexistent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target enterprise knowing.
There are two types of logs that are generally treated and often configured independently: system logs and audit logs. System logs typically provide system-level events that show various system process start/end times, crashes, etc. These are native to systems, and take less configuration to turn on. Audit logs typically include user-level events—when a user logged in, accessed a file, etc.—and take more planning and effort to set up.
Logging records are also critical for incident response. After an attack has been detected, log analysis can help enterprises understand the extent of an attack. Complete logging records can show, for example, when and how the attack occurred, what information was accessed, and if data was exfiltrated. Retention of logs is also critical in case a follow-up investigation is required or if an attack remained undetected for a long period of time.
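The review step described above can be made concrete. The following Python script is an added example, not part of this standard or of any University or CIS tooling: it parses a handful of constructed audit-log lines in a hypothetical syslog-style layout, flags a successful login that follows a burst of failures from the same source, and then lists what that account read afterwards, which is the "what information was accessed" question an incident responder asks. The line format, event names, thresholds and window are assumptions for the example.

```python
"""Audit-log review over constructed sample events (added example).

Flags a LOGIN_OK that follows >= THRESHOLD LOGIN_FAILED events from the same
user/source inside WINDOW, then scopes the incident by listing the files that
account read after the suspicious login.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events, NOT real logs. The layout
# "<ISO-8601 UTC ts> <host> audit: <EVENT> key=value ..." is a hypothetical
# format chosen for this example. Ordering by timestamp only works if hosts
# share a synchronized clock (the point of the time-synchronization safeguard).
SAMPLE_LOG = """\
2021-06-28T02:14:01Z host1 audit: LOGIN_FAILED user=jdoe src=203.0.113.7
2021-06-28T02:14:03Z host1 audit: LOGIN_FAILED user=jdoe src=203.0.113.7
2021-06-28T02:14:05Z host1 audit: LOGIN_FAILED user=jdoe src=203.0.113.7
2021-06-28T02:14:06Z host1 audit: LOGIN_FAILED user=jdoe src=203.0.113.7
2021-06-28T02:14:09Z host1 audit: LOGIN_OK user=jdoe src=203.0.113.7
2021-06-28T02:15:30Z host1 audit: FILE_READ user=jdoe path=/srv/hr/payroll.csv
2021-06-28T02:16:02Z host1 audit: FILE_READ user=jdoe path=/srv/hr/ssn.db
2021-06-28T02:20:11Z host1 audit: LOGIN_OK user=asmith src=198.51.100.4
2021-06-28T02:21:00Z host1 audit: FILE_READ user=asmith path=/home/asmith/notes.txt
2021-06-28T08:00:00Z host1 audit: LOGIN_FAILED user=asmith src=198.51.100.4
2021-06-28T08:00:40Z host1 audit: LOGIN_OK user=asmith src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) audit: (?P<event>[A-Z_]+) (?P<kv>.*)$")

THRESHOLD = 3                   # failures needed before a success is suspicious
WINDOW = timedelta(minutes=5)   # failures older than this are ignored


def parse(log_text):
    """Turn raw lines into dicts with a datetime 'ts' plus the key=value fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline would count these
        fields = dict(pair.split("=", 1) for pair in m["kv"].split())
        fields.update(ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                      host=m["host"], event=m["event"])
        events.append(fields)
    return events


def suspicious_logins(events, threshold=THRESHOLD, window=WINDOW):
    """Return LOGIN_OK events preceded by >= threshold recent failures
    for the same (user, src) pair."""
    failures = defaultdict(list)  # (user, src) -> timestamps of failed logins
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev.get("src"))
        if ev["event"] == "LOGIN_FAILED":
            failures[key].append(ev["ts"])
        elif ev["event"] == "LOGIN_OK":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append(ev)
            failures[key].clear()  # a success resets the streak for that pair
    return hits


def accessed_after(events, login):
    """Paths the same account read at or after the flagged login (incident scope)."""
    return [ev["path"] for ev in sorted(events, key=lambda e: e["ts"])
            if ev["event"] == "FILE_READ" and ev["user"] == login["user"]
            and ev["ts"] >= login["ts"]]


def review(log_text):
    """One tuple per suspicious login: (timestamp, user, src, files read after)."""
    events = parse(log_text)
    return [(hit["ts"].isoformat(), hit["user"], hit["src"],
             accessed_after(events, hit))
            for hit in suspicious_logins(events)]


if __name__ == "__main__":
    for ts, user, src, paths in review(SAMPLE_LOG):
        print(f"{ts} suspicious login user={user} src={src}; read: {paths}")
```

On the sample data only the jdoe login at 02:14:09 is flagged (four failures in the preceding eight seconds); asmith's single failure at 08:00:00 stays below the threshold. Note that the file-access scoping is only possible because the sample contains user-level FILE_READ events, the kind of audit record the Background paragraph distinguishes from system logs.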
Standard
All University assets must be configured to be compliant with the Safeguards of Control 8: Audit Log Management from version 8 of the CIS Controls based on the applicable, corresponding Implementation Group (IG) of the owning business unit.
More information about Implementation Groups can be found here: https://www.cisecurity.org/white-papers/cis-controls-v-7-1-implementation-groups/
Safeguard | Control Title (Links to Information Security Office Guidance) | IG 1 | IG 2 | IG 3 |
---|---|---|---|---|
8.1 | Establish and Maintain an Audit Log Management Process | ✔ | ✔ | ✔ |
8.2 | Collect Audit Logs | ✔ | ✔ | ✔ |
8.3 | Ensure Adequate Audit Log Storage | ✔ | ✔ | ✔ |
8.4 | Standardize Time Synchronization | | ✔ | ✔ |
8.5 | Collect Detailed Audit Logs | | ✔ | ✔ |
8.6 | Collect DNS Query Audit Logs | | ✔ | ✔ |
8.7 | Collect URL Request Audit Logs | | ✔ | ✔ |
8.8 | Collect Command-Line Audit Logs | | ✔ | ✔ |
8.9 | Centralize Audit Logs | | ✔ | ✔ |
8.10 | Retain Audit Logs | | ✔ | ✔ |
8.11 | Conduct Audit Log Reviews | | ✔ | ✔ |
8.12 | Collect Service Provider Logs | | | ✔ |
Additional Information
The following items provide context for, and a better understanding of, this standard:
- Requesting an Exemption
In the event that this standard cannot be met, an exemption can be requested and will be evaluated on a case-by-case basis. All exemptions require documentation of the system, the data in use on the system, and the reason the standard cannot be met, followed by ISO approval and then executive approval from the requesting area acknowledging and accepting the risk.
Exemptions can be requested according to the published Security Exemption Procedure using the Security Exemption Request Form.
- CIS Controls v8 License Statement
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode). To further clarify the Creative Commons license related to the CIS Controls content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization, for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform, or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to (http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of CIS® (Center for Internet Security, Inc.®).