Privileged session activity logged
Demonstrate that all privileged user sessions are comprehensively logged with sufficient detail to reconstruct administrative actions, and that these logs are retained, protected from tampering, and regularly reviewed for anomalous activity.
Description
What this control does
This control ensures that all activities performed during privileged user sessions (such as administrative actions, elevated access usage, and system configuration changes) are captured in tamper-resistant logs. Organizations must configure logging systems to record, for every privileged action, the user identity, timestamp, source address, command or action executed, and target resource, and must retain these records for forensic analysis and compliance review. Privileged session logging provides an audit trail that enables detection of insider threats, unauthorized privilege escalation, and malicious administrator activity that could otherwise go unnoticed.
Control objective
What auditing this proves
Demonstrate that all privileged user sessions are comprehensively logged with sufficient detail to reconstruct administrative actions, and that these logs are retained, protected from tampering, and regularly reviewed for anomalous activity.
Associated risks
Risks this control addresses
- Insider threat actors performing malicious actions under legitimate privileged credentials without detection due to insufficient audit trails
- Unauthorized privilege escalation or lateral movement by external attackers going undetected because administrative session activity is not logged
- Inability to perform forensic investigation or root cause analysis following security incidents involving privileged account compromise
- Compliance violations and regulatory penalties due to missing evidence of administrative activity during audit periods
- Malicious administrators covering their tracks by deleting or modifying logs that document their unauthorized actions
- Delayed detection of credential theft or account takeover affecting privileged users due to lack of session-level monitoring
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's privileged access logging policy, identifying which systems, user roles, and session types are designated as requiring logging
- Generate an inventory of all systems that support privileged access (domain controllers, database servers, network devices, cloud management consoles, jump hosts, PAM solutions)
- Select a representative sample of privileged systems across different technology tiers (Windows servers, Linux hosts, network infrastructure, SaaS admin portals) for configuration review
- Review logging configurations on sampled systems to verify that privileged session activity logging is enabled, including command execution, file access, configuration changes, and authentication events
- Request privileged session logs from the past 30-90 days and verify that entries contain required data elements: user identity, timestamp, source location, command/action performed, and target resource
- Conduct a test by performing a controlled privileged action (such as creating a test administrative account) and verify that the action appears in logs within the expected timeframe with complete details
- Review log retention settings and storage locations to confirm privileged session logs are retained per policy requirements and forwarded to write-once storage or a centralized SIEM that the originating host cannot modify
- Examine access controls on log repositories and verify that privileged users cannot modify or delete their own session logs, and that log integrity monitoring or cryptographic signing is implemented
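Several of the steps above (checking that each entry carries the required data elements, confirming the controlled test action was logged, and checking a forwarded copy for tampering) can be scripted against an exported log sample. The Python below is an added example written for this page; it is not part of the control text or any vendor's tooling. It parses constructed sshd and sudo syslog lines (sample data, not from a real system), joins each sudo command to the login that supplied the source address, flags records missing a required element, searches for the test action, and verifies a hash-chained copy of the log. The chain format (each forwarded line prefixed with the SHA-256 of the previous digest plus the line) is an assumption for illustration; substitute the signing or chaining scheme your log pipeline actually uses.

```python
"""Auditor-side checks for privileged session logs (added example, constructed data)."""
import hashlib
import re
from collections import namedtuple

# Constructed sample: syslog-style sshd and sudo lines from a jump host. Not real data.
SAMPLE_LOG = """\
Mar 03 09:12:01 jump01 sshd[2211]: Accepted publickey for alice from 203.0.113.5 port 50222 ssh2
Mar 03 09:12:40 jump01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m audit-test
Mar 03 09:13:05 jump01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/usermod -aG wheel audit-test
Mar 03 09:20:17 jump01 sudo:     bob : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/rm -f /var/log/secure
"""

SSH_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port")
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# The data elements the testing procedure requires for each privileged action.
Action = namedtuple("Action", "ts host user src target cmd")
REQUIRED = ("ts", "host", "user", "src", "target", "cmd")


def parse_sessions(text):
    """Join each sudo command to the most recent sshd login for the same host/user.
    src is None when no login was logged, which a later check flags as a gap."""
    logins = {}
    actions = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            logins[(m["host"], m["user"])] = m["src"]
            continue
        m = SUDO_RE.match(line)
        if m:
            src = logins.get((m["host"], m["user"]))
            actions.append(Action(m["ts"], m["host"], m["user"], src, m["target"], m["cmd"]))
    return actions


def incomplete(actions):
    """Actions missing any required data element (testing step: verify required fields)."""
    return [a for a in actions if any(getattr(a, f) in (None, "") for f in REQUIRED)]


def find_action(actions, needle):
    """Locate the controlled test action (testing step: perform a known admin action)."""
    return [a for a in actions if needle in a.cmd]


def chain(lines, seed=""):
    """Build the hash-chained forwarded copy: digest_i = sha256(digest_{i-1} + '\\n' + line_i).
    This line format is an assumption made for the example."""
    out, prev = [], seed
    for line in lines:
        digest = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        out.append(digest + "|" + line)
        prev = digest
    return out


def verify_chain(chained, seed="", expected_last=None):
    """Return the 0-based index of the first entry whose digest does not match, or -1 if intact.
    A chain alone cannot detect deletion of its tail; pass the externally anchored final
    digest as expected_last to catch truncation (returned index == len(chained))."""
    prev = seed
    for i, entry in enumerate(chained):
        digest, _, line = entry.partition("|")
        if hashlib.sha256((prev + "\n" + line).encode()).hexdigest() != digest:
            return i
        prev = digest
    if expected_last is not None and prev != expected_last:
        return len(chained)
    return -1


if __name__ == "__main__":
    acts = parse_sessions(SAMPLE_LOG)
    print("incomplete records:", incomplete(acts))
    print("test action found:", find_action(acts, "useradd -m audit-test"))
    forwarded = chain(SAMPLE_LOG.splitlines())
    anchor = forwarded[-1].partition("|")[0]  # store this digest outside the log store
    print("forwarded copy intact:", verify_chain(forwarded) == -1)
    print("truncation caught:", verify_chain(forwarded[:3], expected_last=anchor))
```

Two findings the script surfaces that an eyeball review tends to miss: bob's `rm` of `/var/log/secure` has no matching sshd login, so the record cannot satisfy the source-address requirement even though the command itself was captured; and a hash chain verifies cleanly after its last entries are deleted unless the final digest is anchored somewhere the administrator cannot reach (a separate store, a signed checkpoint, or the SIEM's own record count), which is the case to raise when reviewing the integrity controls in the last step.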