MON-002 Log Integrity and Protection
Description
Audit logs are stored in a tamper-resistant or write-once store, separate from the systems being logged. Unauthorised access to, modification of, or deletion of logs is prevented and alerted. Log integrity can be demonstrated to auditors.
Rationale
Logs that can be tampered with are worthless as evidence. Separating log storage from the systems it records, and enforcing integrity controls on that store, ensures that a compromised production system cannot erase the evidence of its own compromise.
Framework Mappings (5)
| Mapped Control | Title | Coverage |
|---|---|---|
| LOG-02 | Audit Logs Protection | full |
| LOG-04 | Audit Logs Access and Accountability | full |
| LOG-10 | Audit Records Protection | full |
| AU-5 | Response to Audit Logging Process Failures | partial |
| AU-9 | Protection of Audit Information | full |
Evidence (2)
Log storage configuration showing audit logs are written to a tamper-resistant or write-once store, separate from the systems generating the logs, with access controls restricting modification and deletion.
Example: AWS S3 Object Lock configuration for log buckets (WORM/Compliance mode), AWS CloudTrail log file validation settings, or equivalent immutable log storage configuration showing bucket policy, access controls, and object lock settings.
Test: Review log storage configuration. Verify: (1) log storage is in a separate account, project, or resource from the systems being logged; (2) Object Lock (Compliance mode) or equivalent immutability is enabled; (3) log file integrity validation is enabled (e.g., CloudTrail log file validation); (4) access to modify or delete logs is restricted to a named privileged role; (5) attempt to delete a log object using a standard service account — confirm access is denied.
Alert or access log entries showing detection of unauthorised access attempts to the log store.
Example: SIEM alert or AWS CloudWatch alarm triggered by unauthorised attempts to access or modify the centralised log bucket, with the alert configuration and a sample alert event visible.
Test: Query the SIEM or alerting platform for alerts on log store access in the last 90 days. Verify: (1) an alert is configured for any modification or deletion attempt against the log store; (2) alert configuration covers all log storage locations; (3) any triggered alerts have a documented review and response.
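As an added example (not part of this control catalog), the following Python evaluates captured AWS API responses against evidence checks (1) to (4) of the first item: the JSON from `aws s3api get-object-lock-configuration`, one trail entry from `aws cloudtrail describe-trails`, the decoded policy document from `aws s3api get-bucket-policy`, and the two account IDs from `aws sts get-caller-identity` run in the log account and the workload account. The role ARN, bucket name and trail name are constructed placeholders; check (5), the live delete attempt, still has to be run against the real bucket.

```python
def check_object_lock(cfg: dict) -> list:
    """Check (2): Object Lock enabled, COMPLIANCE mode, with a default retention."""
    lock = cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled on the log bucket"]
    ret = lock.get("Rule", {}).get("DefaultRetention", {})
    findings = []
    if ret.get("Mode") != "COMPLIANCE":
        findings.append(f"Object Lock mode is {ret.get('Mode', 'unset')}, not COMPLIANCE")
    if not (ret.get("Days") or ret.get("Years")):
        findings.append("no default retention period configured")
    return findings

def check_trail(trail: dict, log_account: str, workload_account: str) -> list:
    """Checks (1) and (3): log bucket in a separate account, file validation on."""
    findings = []
    if not trail.get("LogFileValidationEnabled"):
        findings.append(f"trail {trail.get('Name')}: log file validation is disabled")
    if log_account == workload_account:
        findings.append("log bucket is in the same account as the logged workload")
    return findings

def check_delete_restriction(policy: dict, privileged_role: str) -> list:
    """Check (4): a Deny on object deletion for every principal except the named role."""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        cond = stmt.get("Condition", {})
        exempt = {**cond.get("StringNotEquals", {}), **cond.get("ArnNotEquals", {})}
        if (stmt.get("Effect") == "Deny"
                and stmt.get("Principal") in ("*", {"AWS": "*"})
                and any(a in ("s3:DeleteObject", "s3:DeleteObject*", "s3:*") for a in actions)
                and exempt.get("aws:PrincipalArn") == privileged_role):
            return []
    return ["no bucket policy statement denies deletion to non-privileged principals"]

def evaluate(lock_cfg, trail, policy, log_account, workload_account, privileged_role) -> list:
    """Aggregate findings; an empty list means evidence checks (1)-(4) pass."""
    return (check_object_lock(lock_cfg) + check_trail(trail, log_account, workload_account)
            + check_delete_restriction(policy, privileged_role))

# Constructed sample responses: shapes follow the AWS CLI JSON output, values are made up.
GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}}}
GOOD_TRAIL = {"Name": "org-trail", "S3BucketName": "org-audit-logs", "LogFileValidationEnabled": True}
LOG_ADMIN = "arn:aws:iam::111111111111:role/LogAdmin"  # hypothetical privileged role
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Principal": "*",
               "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
               "Resource": "arn:aws:s3:::org-audit-logs/*",
               "Condition": {"ArnNotEquals": {"aws:PrincipalArn": LOG_ADMIN}}}]}
```

Calling `evaluate(GOOD_LOCK, GOOD_TRAIL, GOOD_POLICY, "111111111111", "222222222222", LOG_ADMIN)` returns an empty list; any non-empty result is the list of findings to record against the evidence item.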
Questions (2)
Are audit logs stored in a tamper-resistant or write-once store, separate from the systems being logged, with unauthorised modification or deletion prevented and alerted?
Log storage should be in a separate account, project, or cloud resource from the systems generating logs. Object Lock (Compliance mode) or equivalent immutability should be enforced.
Which mechanisms are used to protect audit log integrity?
A robust posture combines immutable storage, integrity validation, separation from production accounts, modify/delete access restricted to a named privileged role, and alerting on access attempts. All five controls together are the expected standard.