
The firewall implementation must generate a log record for any traffic to a port, protocol, or service that is denied.


Overview

Finding ID: SRG-NET-000113-FW-000065
Version: SRG-NET-000113-FW-000065
Rule ID: SRG-NET-000113-FW-000065_rule
IA Controls:
Severity: Medium
Description
Security personnel must know what was done, what was attempted, where and when it was done, and by whom, in order to compile an accurate risk assessment. Logging specific events provides a means to investigate an attack, to recognize resource utilization or capacity thresholds, or simply to identify an improperly configured firewall. Auditing and logging are key components of any security architecture.

Note the distinction between logging and auditing: they are not the same, but they are closely related. Logging is the recording of data about events that take place in a system; auditing is the use of those log records to identify security-relevant information such as system or user accesses. In short, log records are audited to establish an accurate history, and without logging there can be no audit trail.

All security violations and potential security violations must be logged. Specific events are defined by other requirements in this guide; organizations must also define additional events for logging based on mission requirements. For a firewall or other device using an Access Control List, every match against a statement that denies or drops the packet must be logged. Note that some equipment manufacturers log packets dropped by an access control list at severity level 6 (informational); a log collector that filters out informational messages will silently discard those records.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text ( C-SRG-NET-000113-FW-000065_chk )
Review the firewall implementation configuration. If the firewall implementation is not configured to log all matches against statements where the packet is either denied or dropped, this is a finding.
Fix Text (F-SRG-NET-000113-FW-000065_fix)
Configure the firewall implementation to log all matches against statements where the packet is either denied or dropped.
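As an added illustration of the check and fix above (example code written for this page; it is not part of the SRG or of any vendor's product), the following Python script audits an iptables-save dump against this requirement. It reports two conditions: a DROP or REJECT rule that is not directly preceded by a LOG rule with the identical match, and a chain whose default policy is DROP or REJECT but which has no trailing catch-all LOG rule, since packets discarded by the policy otherwise leave no record. It can also emit a remediated ruleset. The sample ruleset and the FW-DENY log prefixes are constructed for the example.

```python
"""Audit an iptables-save dump for deny/drop rules that are not logged. Added
example for SRG-NET-000113-FW-000065 (not part of the SRG); the sample ruleset
and the FW-DENY log prefixes are constructed for illustration."""
import shlex
from collections import namedtuple

DENY_TARGETS = {"DROP", "REJECT"}
Rule = namedtuple("Rule", "chain match target target_opts")  # match: tokens before -j

# Constructed, deliberately non-compliant sample: two deny rules have no
# matching LOG rule, and INPUT/FORWARD default to DROP with no catch-all LOG.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP
-A INPUT -p udp --dport 161 -j LOG --log-prefix "FW-DENY-SNMP " --log-level 6
-A INPUT -p udp --dport 161 -j DROP
-A FORWARD -s 10.0.0.0/8 -d 192.168.1.0/24 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

def parse_rule(line):
    """Parse one '-A CHAIN <match> -j TARGET [opts]' line."""
    tok = shlex.split(line)
    j = tok.index("-j")
    return Rule(tok[1], tuple(tok[2:j]), tok[j + 1], tuple(tok[j + 2:]))

def parse_ruleset(text):
    """Return ({chain: policy}, [Rule, ...]) from iptables-save text."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chain, policy, _counters = line[1:].split()
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(parse_rule(line))
    return policies, rules

def render(tokens):
    """Re-emit tokens iptables-save style (double quotes around spaces)."""
    return " ".join(f'"{t}"' if " " in t else t for t in tokens)

def log_rule(chain, match, tag):
    """LOG rule (non-terminating, so the packet still reaches the deny rule).
    Level 6 is what the SRG notes some vendors use; do not filter it out."""
    return render(["-A", chain, *match, "-j", "LOG",
                   "--log-prefix", f"FW-DENY-{tag} ", "--log-level", "6"])

def is_logged(prev, rule):
    """True if prev is a LOG rule in the same chain with the identical match."""
    return (prev is not None and prev.chain == rule.chain
            and prev.target == "LOG" and prev.match == rule.match)

def has_catchall_log(chain, rules):
    """True if the chain's last rule is an unconditional (empty-match) LOG."""
    last = [r for r in rules if r.chain == chain][-1:]
    return bool(last) and last[0].target == "LOG" and last[0].match == ()

def audit_ruleset(text):
    """Return [(kind, chain, offending_line), ...]; an empty list is compliant."""
    policies, rules = parse_ruleset(text)
    findings, prev = [], None
    for rule in rules:
        if rule.target in DENY_TARGETS and not is_logged(prev, rule):
            line = render(["-A", rule.chain, *rule.match, "-j", rule.target, *rule.target_opts])
            findings.append(("unlogged rule", rule.chain, line))
        prev = rule
    for chain, policy in policies.items():
        if policy in DENY_TARGETS and not has_catchall_log(chain, rules):
            findings.append(("unlogged policy", chain, f":{chain} {policy}"))
    return findings

def remediate(text):
    """Return the ruleset with the missing LOG rules inserted."""
    policies, rules = parse_ruleset(text)
    out, prev = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("-A "):
            rule = parse_rule(s)
            if rule.target in DENY_TARGETS and not is_logged(prev, rule):
                out.append(log_rule(rule.chain, rule.match, rule.chain))
            prev = rule
        elif s == "COMMIT":  # catch-all LOGs go last, right before the policy applies
            for chain, policy in policies.items():
                if policy in DENY_TARGETS and not has_catchall_log(chain, rules):
                    out.append(log_rule(chain, (), f"POLICY-{chain}"))
        out.append(s)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(*audit_ruleset(SAMPLE_RULESET), remediate(SAMPLE_RULESET), sep="\n")
```

Run it against a live dump (iptables-save output saved to a file and passed to audit_ruleset) or against the embedded sample. The two conditions carry over to nftables rulesets and vendor ACLs: each deny statement needs a log action with the same match, and the implicit default deny needs an explicit, logged catch-all entry. A shared LOGDROP chain (one unconditional LOG rule followed by one unconditional DROP rule) passes the same check, because the LOG rule precedes the DROP with the identical empty match.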