adammontville / cis-controls-71-measures


Subcontrol 6.2 #9

Open adammontville opened 5 years ago

adammontville commented 5 years ago

Ensure that local logging has been enabled on all systems and networking devices.

Measures

x_i = 1 if device i has logging enabled, otherwise 0,
w_i = importance of logging on device i (0-1)
m = # of devices and machines that should enable logging

Metrics/KEI

log_coverage [0-1] = Sum_i=1 to M (w_i*x_i) / M

We do this in OVAL all the time for our benchmarks. We could measure something like, for each asset in scope, ensure logging is enabled per enterprise policy.

wmunyan commented 5 years ago

Agreed; all of the OS benchmarks, at least, contain recommendations regarding logging, such as Windows audit subcategories and Linux auditd configurations.

apiperCIS commented 5 years ago

Question for UNCC: What is meant by "importance of logging in device"? Is that the criticality of the asset (for instance, devices hosting more sensitive data have a higher importance of logging)?

Question for UNCC: For m, is that the total # of devices in the enterprise, or does that imply that there are some machines that shouldn't enable logging?

In general, I don't think logging is a binary yes/no. As mentioned in the comments above, there are subcategories, etc. Is it 1 if any logging is turned on? Must there be certain sub-categories defined ahead of time and they get a 0 if they don't meet all of the sub-categories?

wmunyan commented 5 years ago

For those systems on which many logging recommendations are made (i.e. the different audit sub-categories on Windows systems), we could measure "percentage of the logging recommendations that are implemented".
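As an added example (not code from this issue or from the cis-controls-71-measures repository), the sketch below computes the log_coverage metric from the issue body and, following the comment above, optionally replaces the binary x_i with the fraction of logging recommendations each asset implements. The assets, weights and recommendation names are constructed placeholders, not values from any CIS Benchmark.

```python
from dataclasses import dataclass, field

# Constructed inventory: each asset carries its importance weight w_i in [0, 1]
# and the set of logging recommendations it currently satisfies.
@dataclass
class Asset:
    name: str
    weight: float          # w_i: importance of logging on this asset
    platform: str
    implemented: set = field(default_factory=set)

# Hypothetical per-platform recommendation sets (the "sub-categories" the
# thread refers to); names are made up for the example.
POLICY = {
    "windows": {"audit_logon", "audit_process_creation", "audit_policy_change"},
    "linux": {"auditd_running", "auditd_rules_loaded", "rsyslog_enabled"},
}

def recommendation_fraction(asset, policy=POLICY):
    """Fraction of the platform's logging recommendations the asset implements."""
    required = policy[asset.platform]
    return len(required & asset.implemented) / len(required)

def log_coverage(assets, partial=False):
    """log_coverage = Sum_i (w_i * x_i) / M, as defined in the issue body.

    partial=False: x_i is 1 only when every recommendation is met (binary).
    partial=True:  x_i is the fraction of recommendations met.
    Dividing by M rather than by the sum of the weights follows the issue text,
    so the result only reaches 1.0 when every asset has weight 1.
    """
    m = len(assets)
    if m == 0:
        return 0.0  # nothing in scope: avoid division by zero
    total = 0.0
    for a in assets:
        frac = recommendation_fraction(a)
        x = frac if partial else (1.0 if frac == 1.0 else 0.0)
        total += a.weight * x
    return total / m

# Constructed sample scope: two Windows and two Linux assets.
ASSETS = [
    Asset("dc01", 1.0, "windows", {"audit_logon", "audit_process_creation", "audit_policy_change"}),
    Asset("ws07", 0.5, "windows", {"audit_logon"}),
    Asset("db01", 1.0, "linux", {"auditd_running", "auditd_rules_loaded", "rsyslog_enabled"}),
    Asset("kiosk", 0.25, "linux", set()),
]

if __name__ == "__main__":
    print("binary  log_coverage:", log_coverage(ASSETS))          # 0.5
    print("partial log_coverage:", log_coverage(ASSETS, partial=True))  # 0.5416...
```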

wmunyan commented 5 years ago

Inputs:

Operations:

Measures:

Metric: