Vis/Attrib: DNS servers should be configured to log all DNS requests and responses, provided that capturing such logging detail is reasonable for the given DNS server’s load.
Vis/Attrib: Ensure logs are written to write-only devices or to dedicated logging servers running on separate machines from hosts generating the event logs, lowering the chance that an attacker can manipulate logs stored locally on compromised machines.
Vis/Attrib: Deploy a Security Event/Information Management (SEIM) system for log aggregation and consolidation from multiple machines and for log correlation and analysis. Deploy and monitor standard government scripts for analyzing the logs, supplemented by customized local scripts. Furthermore, event logs should be correlated with information from vulnerability scans to fulfill two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools themselves is logged. Second, personnel should be able to correlate attack detection events with earlier vulnerability scanning results to determine whether the given exploit was used against a known-vulnerable target.
Vis/Attrib: Ensure analytical programs that review audit logs are run at least once per day.
Config/Hygiene: Periodically test the audit analysis process by inserting audit test records that demonstrate system compromise and measure the amount of time that passes before the compromise is discovered and action is taken.
Config/Hygiene: Periodically test the audit logging records to ensure they have the content needed using standard audit content lists for systems on each level of criticality.
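The two correlation goals above (confirming that the scanner's own activity shows up in the logs, and checking each detection against earlier scan findings) as an added illustration in Python; this is not code from the control document, and the hosts, CVE identifiers, timestamps and log layout are constructed placeholders.

```python
from datetime import datetime

# Constructed sample data; hosts, CVE ids and timestamps are placeholders.
SCANNER_IP = "10.0.0.250"

# Findings from the periodic vulnerability scan: host, issue, and when it was scanned.
SCAN_RESULTS = [
    {"host": "10.0.0.5", "cve": "CVE-0000-1111", "scanned_at": "2024-05-01T02:00:00"},
    {"host": "10.0.0.7", "cve": "CVE-0000-2222", "scanned_at": "2024-05-01T02:10:00"},
]

# Attack-detection events from the IDS, already parsed into fields.
DETECTIONS = [
    {"host": "10.0.0.5", "cve": "CVE-0000-1111", "seen_at": "2024-05-03T11:42:00"},
    {"host": "10.0.0.7", "cve": "CVE-0000-3333", "seen_at": "2024-05-03T11:43:00"},
    {"host": "10.0.0.9", "cve": "CVE-0000-1111", "seen_at": "2024-05-03T11:44:00"},
]

# Firewall and IDS log lines in a constructed syslog-like key=value layout.
LOG_LINES = [
    "2024-05-01T02:00:01 fw01 accept src=10.0.0.250 dst=10.0.0.5 dport=443",
    "2024-05-01T02:10:03 fw01 accept src=10.0.0.250 dst=10.0.0.7 dport=22",
    "2024-05-03T11:42:00 ids01 alert src=198.51.100.23 dst=10.0.0.5 sig=CVE-0000-1111",
]


def correlate(detections, scan_results):
    """Tag each detection with whether the target was already known to be
    vulnerable to the exploited issue before the attack was observed."""
    findings = {(r["host"], r["cve"]): datetime.fromisoformat(r["scanned_at"])
                for r in scan_results}
    tagged = []
    for d in detections:
        scanned = findings.get((d["host"], d["cve"]))
        seen = datetime.fromisoformat(d["seen_at"])
        status = "known-vulnerable" if scanned is not None and scanned < seen else "no-prior-finding"
        tagged.append({**d, "status": status})
    return tagged


def scanner_activity_logged(log_lines, scanner_ip, scanned_hosts):
    """Verify that the scanner's own traffic to every scanned host was logged."""
    logged_targets = set()
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[3:] if "=" in f)
        if fields.get("src") == scanner_ip:
            logged_targets.add(fields.get("dst"))
    return set(scanned_hosts) <= logged_targets
```

A detection tagged "no-prior-finding" means either the scan never flagged that host for that issue or the finding postdates the attack, both of which deserve a second look at scan coverage.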
Procedures and tools for implementing this control:
Most free and commercial operating systems, network services, and firewall technologies offer logging capabilities. Such logging should be activated, with logs sent to centralized logging servers. Firewalls, proxies, and remote access systems (VPN, dial-up, etc.) should all be configured for verbose logging, storing all the information available for logging should a follow-up investigation be required. Furthermore, operating systems, especially those of servers, should be configured to create access control logs when a user attempts to access resources without the appropriate privileges. To evaluate whether such logging is in place, an organization should periodically scan through its logs and compare them with the asset inventory