Server access logging enabled
Demonstrate that access logging is configured and operational on all in-scope servers, capturing authentication events, privileged actions, and object access with adequate detail for security monitoring and incident investigation.
Description
What this control does
Server access logging enabled ensures that all authentication attempts, session establishment, privileged commands, and file access events are recorded on servers (physical, virtual, or cloud-based) with sufficient detail to support forensic analysis and anomaly detection. This control requires logging to be activated at the operating system, application, and middleware layers, capturing metadata including timestamp, user identity, source IP, action performed, and outcome. Effective logging provides an audit trail that enables detection of unauthorized access, policy violations, and lateral movement within the infrastructure.
Control objective
What auditing this proves
Demonstrate that access logging is configured and operational on all in-scope servers, capturing authentication events, privileged actions, and object access with adequate detail for security monitoring and incident investigation.
Associated risks
Risks this control addresses
- Unauthorized access to servers goes undetected, allowing attackers to maintain persistent presence without triggering alerts
- Insider misuse of privileged accounts cannot be investigated due to absence of audit trails linking actions to individuals
- Lateral movement and privilege escalation activities by threat actors remain invisible to security operations teams
- Forensic investigations are impaired or impossible due to insufficient evidence of attacker actions, timelines, and affected systems
- Compliance violations and policy breaches cannot be substantiated or remediated without access records
- Compromised credentials are used repeatedly without detection because failed and successful login patterns are not logged
- Regulatory fines and legal liability increase due to inability to demonstrate due diligence in access monitoring and incident response
Testing procedure
How an auditor verifies this control
- Obtain an inventory of all in-scope servers, including operating system type, environment classification, and responsible team
- Select a representative sample stratified by OS type, criticality, and hosting model (on-premises, IaaS, PaaS)
- Review logging configuration files or management console settings for each sampled server to verify access logging is enabled
- Confirm that logged events include at minimum: authentication attempts (success and failure), session initiation and termination, privileged command execution, and file access to sensitive directories
- Validate that log entries contain required metadata fields: timestamp with time zone, username or service account, source IP or hostname, action performed, and result code
- Retrieve recent access logs from sampled servers covering a 7-day period and verify entries are being generated continuously
- Test log transmission by confirming logs are forwarded to a centralized SIEM, log aggregator, or secure archive, and that they are retained there for the defined retention window
- Interview system administrators to verify procedures exist for enabling logging on newly provisioned servers and for monitoring logging service health
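The metadata-field and continuity checks in the procedure above can be scripted against a log export pulled from each sampled server. This is an added example, not part of the control text; its key=value line format, field names, and the 24-hour silence threshold are assumptions to adapt to the real log source.

```python
# Added example: audit an exported access log for the required metadata
# fields and for continuity. Line format and field names are assumptions.
from datetime import datetime, timedelta
REQUIRED = ("ts", "user", "src", "action", "result")

# Constructed sample: srv1 has an entry without a time zone; srv2 has an
# entry missing the source field and a two-day silence between entries.
SAMPLE = """\
ts=2024-05-01T08:00:00+00:00 host=srv1 user=alice src=10.0.0.5 action=login result=success
ts=2024-05-01T08:01:00+00:00 host=srv1 user=bob src=10.0.0.7 action=login result=failure
ts=2024-05-01T08:05:00 host=srv1 user=alice src=10.0.0.5 action=sudo result=success
ts=2024-05-01T09:00:00+00:00 host=srv2 user=carol src=10.0.0.9 action=login result=success
ts=2024-05-03T09:00:00+00:00 host=srv2 user=carol action=logout result=success
"""
def parse(line):
    """Split one 'key=value key=value' line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def check_entry(entry):
    """Findings for one entry: missing fields, naive or unparseable timestamp."""
    findings = [f"missing {f}" for f in REQUIRED if f not in entry]
    if "ts" in entry:
        try:
            if datetime.fromisoformat(entry["ts"]).tzinfo is None:
                findings.append("timestamp lacks time zone")
        except ValueError:
            findings.append("unparseable timestamp")
    return findings
def audit(text, max_gap=timedelta(hours=24)):
    """Per-host entry counts and findings, plus silences longer than max_gap."""
    report = {}
    for line in filter(str.strip, text.splitlines()):
        e = parse(line)
        rep = report.setdefault(e.get("host", "unknown"),
                                {"entries": 0, "findings": [], "_stamps": []})
        rep["entries"] += 1
        rep["findings"].extend(check_entry(e))
        try:  # only zone-aware stamps are comparable for the gap check
            t = datetime.fromisoformat(e["ts"])
            if t.tzinfo is not None:
                rep["_stamps"].append(t)
        except (KeyError, ValueError):
            pass
    for rep in report.values():
        stamps = sorted(rep.pop("_stamps"))
        for a, b in zip(stamps, stamps[1:]):
            if b - a > max_gap:
                rep["findings"].append(f"logging gap of {b - a} before {b.isoformat()}")
    return report
```

Run `audit(open("export.log").read())` per server and treat any non-empty findings list, or an entry count of zero for a host in the inventory, as an exception to raise with the system owner.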
Where this control is tested