Rule ID
SV-259876r958754_rule
Version
V1R3
CCIs
CCI-001851
Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps to ensure that in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records. For cloud service environments, security information and event management (SIEM) or syslog capability must be implemented by both Boundary and Mission Computer Network Defense (CND) service providers to log audit information. This requirement can be met by the operating system continuously sending records to a centralized logging server.
If this is a Software as a Service (SaaS) implementation, this is not a finding. Verify the IaaS/PaaS is configured to use centralized logging to capture and store the log records produced by the virtual machine (VM) management on the IaaS/PaaS. If the IaaS/PaaS does not perform centralized logging to capture and store the log records produced by the VM management, this is a finding.
This applies to all Impact Levels. FedRAMP - Does not match DOD requirement explicitly. Allows up to seven days for offloading. Moderate, High. Implement a solution for centralized logging to capture and store the log records produced on the IaaS/PaaS.