Audit data and tools are protected from unauthorized access or change.
What it actually means
An attacker's first move is often to erase the logs. Audit records and the logging tools themselves must be protected from unauthorized access, modification, and deletion — typically by shipping logs off the source system to a write-protected central repository.
Pass or fail — an assessor needs a "yes" to each
- Logs are stored where the people generating them can't alter/delete them (central, restricted).
- Access to logging tools/config is restricted.
- Tamper protection / integrity is in place.
What to have ready
- Central log repository with restricted access
- Permissions showing users can't delete their own logs
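One way to produce the permissions evidence on a POSIX log store, as an added example that is not part of the original page: the check below reports any directory or log file that an account outside the logging service could alter or delete. The function name `audit_log_dir`, the `allowed_uids` parameter and the sample directory are assumptions made for the illustration.

```python
import os
import stat
import tempfile

def audit_log_dir(path, allowed_uids):
    """List ways an account outside allowed_uids could alter or delete logs."""
    findings = []
    d = os.stat(path)
    # Deleting or renaming a file needs write access to its directory,
    # so the directory matters as much as the log files themselves.
    if d.st_uid not in allowed_uids:
        findings.append(f"{path}: directory owned by uid {d.st_uid}")
    if d.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: directory writable by group/other, logs can be deleted")
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        s = os.lstat(full)  # lstat: do not follow symlinks placed in the directory
        if not stat.S_ISREG(s.st_mode):
            continue
        if s.st_uid not in allowed_uids:
            findings.append(f"{full}: owned by uid {s.st_uid}")
        if s.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{full}: writable by group/other, records can be altered")
    return findings

if __name__ == "__main__":
    # Constructed sample: a temporary directory standing in for a log store,
    # with the current user standing in for the logging service account.
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "audit.log")
        open(log, "w").close()
        os.chmod(log, 0o640)
        os.chmod(d, 0o777)  # weak setting: anyone can delete audit.log
        for finding in audit_log_dir(d, allowed_uids={os.getuid()}):
            print("FAIL", finding)
```

The check reads mode bits and ownership only; ACLs and accounts with root on the host are outside what it sees, which is why the logs also need to leave the source system.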
Where teams trip up
- Logs only on the local machine that made them
- Admins able to wipe the logs of their own activity