Ensure that access logs are always recorded to an external location that cannot be manipulated from the context of the service(s) it contains logs for.
Core / Ccc / Controls / DEV
Ensure Integrity of Access Logs
CCC.Core.CN09 · Observability
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.Core.CP03 | Access Log Publication | The service automatically publishes structured, verbose records of activities performed within the scope of the service by external actors. |
| CCC.Core.CP10 | Log Publication | The service automatically publishes structured, verbose records of activities, operations, or events that occur within the service. |
| CCC.Core.CP09 | Metrics Publication | The service automatically publishes structured, numeric, time-series data points related to the performance, availability, and health of the service or its child resources. |
| CCC.Core.CP21 | Resource Replication | The service may be configured to replicate child resources across multiple deployments. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.Core.TH07 | Logs are Tampered With or Deleted | Tampering or deletion of service logs will reduce the system's ability to maintain an accurate record of events. Any actions that compromise the integrity of logs could disrupt system availability by disrupting monitoring, hindering forensic investigations, and reducing the accuracy of audit trails. |
| CCC.Core.TH09 | Runtime Logs are Read by Unauthorized Entities | Unauthorized access to logs may expose valuable information about the system's configuration, operations, and security mechanisms. This could jeopardize system availability through the exposure of vulnerabilities and support the planning of attacks on the service, system, or network. If logs are not adequately sanitized, this may also directly impact the confidentiality of sensitive data. |
| CCC.Core.TH04 | Data is Replicated to Untrusted or External Locations | Systems are susceptible to unauthorized access or interception by actors with political or physical control over the network in which they are deployed. Confidentiality may be impacted if the data is replicated to a network where the geopolitical status is untrusted, unstable, or insecure. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.Core.CN09.AR01 | When the service is operational, its logs and any child resource logs MUST NOT be accessible from the resource they record access to. | tlp-clear, tlp-green, tlp-amber, tlp-red |
| CCC.Core.CN09.AR02 | When the service is operational, disabling the logs for the service or its child resources MUST NOT be possible without also disabling the corresponding resource. | tlp-clear, tlp-green, tlp-amber, tlp-red |
| CCC.Core.CN09.AR03 | When the service is operational, any attempt to redirect logs for the service or its child resources MUST NOT be possible without halting operation of the corresponding resource and publishing corresponding events to monitored channels. | tlp-amber, tlp-red |