
ECTP-1 Audit Trail Protection


Overview

The contents of audit trails are protected against unauthorized access, modification or deletion.

MAC / CONF: MACI, MACII, MACIII
Impact: Medium
Subject Area: Enclave Computing Environment

Details

Threat
Audit trails help accomplish individual accountability, event reconstruction, intrusion detection, and problem analysis. Strong access controls and encryption are effective security mechanisms that help prevent unauthorized access, modification or deletion.

Guidance
1. Applications shall ensure their role-based access control implementation enforces separation of duties and least privilege. Two examples of duty separation are:
  a. Personnel that review and clear audit logs and personnel that perform non-audit administration, and
  b. Personnel that create, modify and delete access control rules and personnel that perform either data entry or application programming.
2. For Windows systems, the NTFS file permissions should be System - Full Control, Administrators and Application Administrators - Read, and Auditors - Full Control.
3. For Unix systems, use the ls -la (or equivalent) command to check the permissions of the audit log files. Excessive permissions shall not exist.
4. Digital signatures and encryption shall be used for ensuring integrity and preserving confidentiality of audit trail data.
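The following is an added example, not part of the STIG page, showing how the Unix check in item 3 can be scripted rather than read off ls -la by eye. It assumes a policy in which the log owner may read and write, the owning group may read, others have no access, and no execute or special bits are set; the function names (audit_perm_issues, scan_audit_logs) and that policy are choices made for this example, so adjust the mode tests to the site's own rule.

```shell
#!/bin/sh
# Added example (not from the STIG page): flag audit log files whose
# permissions exceed the assumed policy  owner rw, group r, others none,
# no execute/setuid/setgid/sticky bits. Uses the ls -l mode string that
# item 3 refers to, so it needs no GNU-specific stat flags.

# audit_perm_issues FILE
#   Prints one line per problem found and returns 1; returns 0 if clean.
audit_perm_issues() {
    f=$1
    # Columns 2-10 of "ls -ld" are the nine permission characters, e.g. rw-r-----
    mode=$(ls -ld "$f" | cut -c2-10)
    group=$(printf '%s' "$mode" | cut -c4-6)
    other=$(printf '%s' "$mode" | cut -c7-9)
    rc=0
    case $group in
        *w*) echo "$f: group-writable ($mode)"; rc=1 ;;
    esac
    case $other in
        *[rwx]*) echo "$f: world-accessible ($mode)"; rc=1 ;;
    esac
    # Any execute bit, or s/t in place of x, is excessive for a log file
    case $mode in
        *[xst]*) echo "$f: execute or special bits set ($mode)"; rc=1 ;;
    esac
    return $rc
}

# scan_audit_logs PATH...
#   Checks each file, or every regular file directly inside each directory.
#   Returns 1 if any file has excessive permissions or a path is missing.
scan_audit_logs() {
    status=0
    for path in "$@"; do
        if [ -d "$path" ]; then
            for f in "$path"/*; do
                [ -f "$f" ] || continue
                audit_perm_issues "$f" || status=1
            done
        elif [ -f "$path" ]; then
            audit_perm_issues "$path" || status=1
        else
            echo "$path: not found" >&2
            status=1
        fi
    done
    return $status
}

# Usage: sh check-audit-perms.sh /var/log/audit /var/log/app/audit.log
if [ $# -gt 0 ]; then
    scan_audit_logs "$@"
fi
```

Run it from cron or a configuration check and treat a non-zero exit as a finding; the printed lines name the file and the offending mode so the reviewer can correct it with chmod and then trace how the permission drifted.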
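As a second added example for item 4 (again not code from the STIG page), the functions below use the openssl command line to produce a detached digital signature over an audit log and to verify it later, so that any modification or truncation after signing is detected. It covers the integrity half of item 4 only; key file names, the P-256 curve, and the sample log records are choices made for this example, and the records in demo_tamper_detection are constructed, not real system output.

```shell
#!/bin/sh
# Added example (not from the STIG page): detached signatures over an audit
# log with the openssl CLI, so later edits are detectable. Assumes openssl
# is installed. The signing key must be kept away from the hosts that write
# the logs, otherwise an attacker who alters the log can simply re-sign it.

# gen_signing_key KEYFILE PUBFILE
#   Creates an EC P-256 private key and exports its public half.
gen_signing_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null &&
    openssl ec -in "$1" -pubout -out "$2" 2>/dev/null
}

# sign_audit_log KEYFILE LOGFILE
#   Writes LOGFILE.sig, an ECDSA signature over SHA-256 of the log contents.
sign_audit_log() {
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

# verify_audit_log PUBFILE LOGFILE
#   Returns 0 only if LOGFILE still matches LOGFILE.sig.
verify_audit_log() {
    openssl dgst -sha256 -verify "$1" -signature "$2.sig" "$2" >/dev/null 2>&1
}

# demo_tamper_detection
#   Signs a constructed log, confirms it verifies, appends a record, and
#   confirms verification now fails. Returns 0 when both outcomes are as
#   expected, 1 on a wrong outcome, 2 if setup (openssl) failed.
demo_tamper_detection() {
    work=$(mktemp -d) || return 2
    gen_signing_key "$work/audit-sign.key" "$work/audit-sign.pub" || return 2

    # Constructed sample records (placeholder timestamps and paths)
    printf '%s\n' \
        '2024-01-01T10:00:00Z uid=1001 action=login result=success' \
        '2024-01-01T10:05:12Z uid=1001 action=read obj=/srv/app/config result=success' \
        > "$work/audit.log"

    sign_audit_log "$work/audit-sign.key" "$work/audit.log" || return 2
    # Untouched log must verify
    verify_audit_log "$work/audit-sign.pub" "$work/audit.log" || return 1

    # Simulate an after-the-fact change: one appended record
    echo '2024-01-01T10:07:00Z uid=1001 action=delete obj=/srv/app/data result=success' \
        >> "$work/audit.log"
    if verify_audit_log "$work/audit-sign.pub" "$work/audit.log"; then
        return 1   # a modified log must not verify
    fi

    rm -rf "$work"
    return 0
}

# Usage: sign at rotation time, verify before relying on the log for review.
#   sign_audit_log /path/to/audit-sign.key /var/log/app/audit.log.1
#   verify_audit_log /path/to/audit-sign.pub /var/log/app/audit.log.1
```

Sign each log file when it is rotated and closed, store the .sig alongside a copy on a separate system, and make verification the first step of any audit review; a verification failure is itself an event to record and investigate.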

References

  • DISA, Recommended Standard Application Security Requirements Version 2, March 2003
  • DISA, Application Security Checklist, Version 2.0, Release 1.5, 28 January 2005
  • NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995