Audit Trail

Audit trails generally fall into three distinct categories based on the system layer:

| Category | Description | Examples |
| :--- | :--- | :--- |
| System-Level | Records activities performed by the operating system and hardware. | System boot/reboot, memory dumps, hardware errors, OS patches. |
| Application-Level | Records events within specific software applications. | User login/logout, report generation, record modification, workflow approvals. |
| Network-Level | Records traffic and interactions between devices. | Firewall logs, router logs, VPN access attempts, packet flow data. |

Audit logs are the primary data source for Intrusion Detection Systems (IDS). Unusual patterns in logs (e.g., multiple failed login attempts at 3:00 AM) can trigger alerts for a security team to investigate a potential attack in real time.

| Principle | Implementation |
| :--- | :--- |
| Centralized Logging | Forward all logs to a centralized, hardened SIEM or cloud logging service (e.g., Splunk, ELK stack, Sentinel, Datadog). |
| Immutable Storage | Use WORM storage (AWS S3 Object Lock, Azure Immutable Blob Storage) or a blockchain-based ledger for critical logs. |
| Time Synchronization | Configure all systems to sync with a trusted, internal stratum-1 NTP server. |
| Real-time Alerting | Do not just store logs. Create alerts: "More than 3 failed logins in 10 seconds" or "Access to /etc/shadow by a non-admin user." |
| Periodic Review | Schedule a quarterly audit trail review by an independent party (internal audit or external assessor) to verify the logs themselves are not tampered with. |
| Retention Policy | Define a legal retention period (e.g., 7 years for SOX financial logs; 6 years for HIPAA logs in some states). Automate archiving and secure deletion after that period. |
| Protect the Logs | Apply the principle of least privilege. Only a specific break-glass admin role should have the ability to read or manage audit logs. No one should be able to edit or delete them. |
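The two alert rules quoted in the table, turned into detection logic that runs over constructed sample log lines. This is an added example, not code from the page; the log line format, the field names and the role names are assumptions.

```python
# Detection logic for the two alert rules from the audit-trail table.
# Assumed (constructed) log line format: "<unix_ts> <event> key=value ..."
from collections import deque, defaultdict

FAILED_LOGIN_WINDOW_S = 10   # "more than 3 failed logins in 10 seconds"
FAILED_LOGIN_THRESHOLD = 3
SENSITIVE_PATHS = {"/etc/shadow"}
ADMIN_ROLES = {"admin"}      # assumed role name for the admin role

def parse_line(line):
    """Parse one log line into a dict; trailing tokens are key=value fields."""
    ts, event, *fields = line.split()
    rec = {"ts": int(ts), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def detect(lines):
    """Return (timestamp, rule, user) alerts for both rules, in log order."""
    alerts = []
    recent_failures = defaultdict(deque)   # user -> timestamps in sliding window
    for rec in map(parse_line, lines):
        if rec["event"] == "login_failed":
            window = recent_failures[rec["user"]]
            window.append(rec["ts"])
            while window and rec["ts"] - window[0] > FAILED_LOGIN_WINDOW_S:
                window.popleft()           # drop failures outside the window
            if len(window) > FAILED_LOGIN_THRESHOLD:
                alerts.append((rec["ts"], "brute_force_logins", rec["user"]))
                window.clear()             # one alert per burst, not per attempt
        elif rec["event"] == "file_access":
            if rec.get("path") in SENSITIVE_PATHS and rec.get("role") not in ADMIN_ROLES:
                alerts.append((rec["ts"], "sensitive_file_access", rec["user"]))
    return alerts

SAMPLE_LOG = [   # constructed sample input
    "1700000000 login_failed user=alice",
    "1700000002 login_failed user=alice",
    "1700000005 login_failed user=alice",
    "1700000007 login_failed user=alice",   # 4th failure within 10 s -> alert
    "1700000030 login_failed user=bob",
    "1700000045 login_failed user=bob",     # 15 s apart -> no alert
    "1700000050 file_access user=root path=/etc/shadow role=admin",   # allowed
    "1700000051 file_access user=www path=/etc/shadow role=service",  # alert
]

if __name__ == "__main__":
    for ts, rule, user in detect(SAMPLE_LOG):
        print(f"{ts} ALERT {rule} user={user}")
```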