Audit logs provide a rich source of data critical to preventing, detecting, understanding, and minimizing the impact of network or data compromise in a timely manner. Log collection and regular review are useful for identifying baselines, establishing operational trends, and detecting abnormalities. In some cases, logging may be the only evidence of a successful attack. CIS Control 8 emphasizes the need for centralized collection and storage and standardization to better coordinate audit log reviews. Some industries have regulatory bodies that require collection, retention, and review of logs, so CIS Control 8 is not only important but also in some cases mandatory.
The Control is composed of twelve safeguards, mostly in the IG2 category, with Protect or Detect security functions that all organizations with enterprise assets should implement. Audit logs should capture detailed information about (1) what event happened, (2) what system the event happened on, (3) what time the event happened, and (4) who caused the event to happen. Alerts should be set for suspicious or major events, such as users attempting to access resources without appropriate privileges or the execution of binaries that should not exist on a system.
Audit logs are also a target for attackers looking to cover their tracks. So, audit logging must be configured to enforce access control and limit the users who can modify or delete logging data.
The CIS Benchmarks, which are available for many product families, are best-practice security configuration guides that are mapped to the controls and walk you through configuration remediation step-by-step.
Key Takeaways for Control 8
An audit log management plan should at least implement processes to:
- Ensure that detailed, time-synchronized audit logs are collected across enterprise assets.
- Ensure that logs are stored in a centralized location and retained for a minimum of 90 days.
- Ensure audit log reviews are conducted on a weekly basis or more often to establish baselines and detect potential threats.
Safeguards for Control 8
8.1) Establish and Maintain an Audit Log Management Process
Description: Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of logs for enterprise assets. Review and update documentation annually or when significant enterprise changes occur that could impact this Safeguard.
Notes: This IG1 Safeguard intends to protect enterprise assets by ensuring that audit logs are collected, reviewed, and maintained in a systematic and repeatable manner. Audit logs need to be complete and accurate. It may be necessary to schedule simulations of events to verify that desired logs are generated. Tools may be required to ingest and search logs. Log data may need to be normalized to enable quick and efficient analysis.
8.2) Collect Audit Logs
Description: Collect audit logs. Ensure that logging, per the enterprise’s log management process, has been enabled across enterprise assets.
Notes: This IG1 Safeguard intends to support detection of threats against enterprise assets. It’s basic cyber hygiene and should be implemented by all enterprises.
8.3) Ensure Adequate Audit Log Storage
Description: Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.
Notes: This IG1 Safeguard supports protection of enterprise assets and retention of log history, ensuring that logging audit or compliance requirements are met.
8.4) Standardize Time Synchronization
Description: Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported.
Notes: This IG2 Safeguard supports correlation of logging data by synchronizing timestamps.
8.5) Collect Detailed Audit Logs
Description: Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.
Notes: This IG2 Safeguard intends to support detection of abnormalities and data compromise by ensuring verbose logs are collected, which allow us to reconstruct what happened during an event and to establish the extent of affected assets.
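As an added illustration (not part of the CIS text), the following check verifies that each collected record carries the elements Safeguard 8.5 lists and normalizes timestamps to UTC so records from different hosts can be correlated, as Safeguard 8.4 intends. The JSON-lines format and the field names are assumptions made for this example; the Safeguard does not prescribe a schema.

```python
import json
from datetime import datetime, timezone

# Field names are assumptions for this example; Safeguard 8.5 lists the
# elements to capture but does not define a schema.
REQUIRED = ("event_source", "timestamp", "username", "src_addr", "dst_addr", "event")

# Constructed sample records (JSON lines), not taken from any real system.
SAMPLE = """\
{"event_source":"fileserver01","timestamp":"2024-05-01T10:15:00+02:00","username":"alice","src_addr":"10.0.0.5","dst_addr":"10.0.0.20","event":"file_read"}
{"event_source":"fileserver01","timestamp":"2024-05-01T08:16:30Z","username":"","src_addr":"10.0.0.7","dst_addr":"10.0.0.20","event":"access_denied"}
{"event_source":"db02","timestamp":"2024-05-01 08:17:00","src_addr":"10.0.0.9","dst_addr":"10.0.0.30","event":"login"}
not json at all
"""

def check_record(line):
    """Return (normalized record or None, list of problems) for one log line."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        rec = None
    if not isinstance(rec, dict):
        return None, ["unparseable"]
    problems = [f"missing:{f}" for f in REQUIRED if not rec.get(f)]
    if rec.get("timestamp"):
        try:
            ts = datetime.fromisoformat(str(rec["timestamp"]).replace("Z", "+00:00"))
        except ValueError:
            problems.append("bad_timestamp")
        else:
            if ts.tzinfo is None:
                problems.append("timestamp_without_timezone")
            else:  # normalize to UTC so events from different hosts correlate
                rec["timestamp"] = ts.astimezone(timezone.utc).isoformat()
    return rec, problems

def audit(text):
    """Map line number -> problems for every record that fails the check."""
    results = ((n, check_record(l)[1]) for n, l in enumerate(text.splitlines(), 1))
    return {n: p for n, p in results if p}

if __name__ == "__main__":
    for n, problems in audit(SAMPLE).items():
        print(n, problems)
```

Running a check like this against a sample of each log source is one way to carry out the verification that the notes for Safeguard 8.1 call for, confirming that the desired logs are complete and accurate.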
8.6) Collect DNS Query Audit Logs
Description: Collect DNS query audit logs on enterprise assets where appropriate and supported.
Notes: DNS query logs can help track down misconfigured hosts or the signs and source of an intrusion or attack.
8.7) Collect URL Request Audit Logs
Description: Collect URL request audit logs on enterprise assets where appropriate and supported.
Notes: This IG2 Safeguard intends to detect threats and anomalous events relating to URL requests.
8.8) Collect Command-Line Audit Logs
Description: Collect command-line audit logs. Example implementations include collecting logs from PowerShell, BASH, and remote administrative terminals.
Notes: This IG2 Safeguard intends to detect unusual or threatening behavior at command consoles. Attackers may utilize a common set of commands from recon to exfiltration or impact.
8.9) Centralize Audit Logs
Description: Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Notes: This IG2 Safeguard intends to support other control Safeguards within organizations that have increased operational complexity. Centralizing audit logs will make collection, retention, and review simpler. Tools exist to ingest, normalize, and parse logs for efficient searching and analysis.
8.10) Retain Audit Logs
Description: Retain audit logs across enterprise assets for a minimum of 90 days.
Notes: This IG2 Safeguard intends to protect enterprise assets by requiring real-time log data be retained for a period of time to satisfy audit or compliance needs.
8.11) Conduct Audit Log Reviews
Description: Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
Notes: It is not enough to just collect audit logs. This IG2 Safeguard intends to detect unusual behavior through periodic log review.
8.12) Collect Service Provider Logs
Description: Collect service provider logs where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.
Notes: This IG3 Safeguard supports detection of threats and anomalous events relating to service providers.