Security-relevant events for operating systems are centrally logged, including:
• application and operating system crashes and error messages
• changes to security policies and system configurations
• failed user logons and account lockouts
• failures, restarts and changes to important processes, services and scheduled tasks
• security product-related events
• successful process creations and terminations
• successful user logons and logoffs
• system startups and shutdowns.
Topic: Operating system event logging
Applicable to: all
Priority: should
History
Sep 2024
Security-relevant events for operating systems are centrally logged, including:
• application and operating system crashes and error messages
• changes to security policies and system configurations
• failed user logons and account lockouts
• failures, restarts and changes to important processes, services and scheduled tasks
• security product-related events
• successful process creations and terminations
• successful user logons and logoffs
• system startups and shutdowns.
The following events are centrally logged for operating systems:
• application and operating system crashes and error messages
• changes to security policies and system configurations
• successful user logons and logoffs, failed user logons and account lockouts
• failures, restarts and changes to important processes and services
• requests to access internet resources
• security product-related events
• system startups and shutdowns.
The existing control relating to the centralised storage of operating system event logs was merged into the existing control relating to collecting operating system event logs. [ISM-0582, ISM-1747]
Mar 2022
The following events are logged for operating systems:
• application and operating system crashes and error messages
• changes to security policies and system configurations
• successful user logons and logoffs, failed user logons and account lockouts
• failures, restarts and changes to important processes and services
• requests to access internet resources
• security product-related events
• system startups and shutdowns.
The existing recommendation to monitor account logons and logoffs (ISM-0584) was merged with the recommendation regarding operating system event logging (ISM-0582). Furthermore, a new recommendation to monitor account lockouts (i.e. Windows Security event ID 4740) was introduced. Finally, the existing recommendation to investigate account lockouts (ISM-0431) was rescinded as it is now more accurately covered by ISM-1747, relating to monitoring and responding to unusual operating system event logs, in this case instances of suspicious account lockouts.
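The account lockout monitoring introduced above (event ID 4740, with suspicious instances handled under ISM-1747), together with the failed and successful user logon entries in the current control text, as an added example that is not part of the ISM or of this page: a small Python check that runs over centrally collected Windows Security events and, for each lockout, looks back at the failed logons (event ID 4625) recorded against the same account. The sample records are constructed, and the record layout, the ten-minute look-back window and the three-host threshold are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows Security log: an account failed to log on
ACCOUNT_LOCKOUT = 4740   # Windows Security log: a user account was locked out

# Constructed sample of centrally collected events (not real data).
# Assumed record layout: ISO timestamp, event ID, target account, source host.
# For 4740 the host is taken to be the event's "Caller Computer Name" field.
SAMPLE_EVENTS = [
    ("2024-09-01T08:00:01", 4624, "alice", "WS01"),
    ("2024-09-01T08:05:10", 4625, "bob", "WS02"),
    ("2024-09-01T08:05:12", 4625, "bob", "WS02"),
    ("2024-09-01T08:05:15", 4625, "bob", "WS02"),
    ("2024-09-01T08:05:17", 4625, "bob", "WS02"),
    ("2024-09-01T08:05:19", 4625, "bob", "WS02"),
    ("2024-09-01T08:05:20", 4740, "bob", "WS02"),        # lockout after failures from one workstation
    ("2024-09-01T09:10:00", 4625, "svc_backup", "WS07"),
    ("2024-09-01T09:10:02", 4625, "svc_backup", "WS11"),
    ("2024-09-01T09:10:03", 4625, "svc_backup", "WS19"),
    ("2024-09-01T09:10:05", 4625, "svc_backup", "WS23"),
    ("2024-09-01T09:10:06", 4625, "svc_backup", "WS30"),
    ("2024-09-01T09:10:07", 4740, "svc_backup", "WS30"), # lockout after failures from many hosts
    ("2024-09-01T10:00:00", 4740, "carol", "DC01"),      # lockout with no failures in the central log
]


def parse(events):
    """Convert the ISO timestamps to datetime objects, leaving other fields as-is."""
    return [(datetime.fromisoformat(ts), eid, acct, host) for ts, eid, acct, host in events]


def analyse_lockouts(events, window=timedelta(minutes=10), spray_threshold=3):
    """For every 4740, look back `window` for 4625s against the same account and
    classify the lockout. Returns one finding per lockout, in time order."""
    parsed = sorted(parse(events))
    failures = defaultdict(list)          # account -> [(time, source host), ...]
    for t, eid, acct, host in parsed:
        if eid == FAILED_LOGON:
            failures[acct].append((t, host))

    findings = []
    for t, eid, acct, host in parsed:
        if eid != ACCOUNT_LOCKOUT:
            continue
        recent_hosts = [h for (ft, h) in failures[acct] if t - window <= ft <= t]
        distinct = sorted(set(recent_hosts))
        if not recent_hosts:
            # Lockout with no forwarded failures: a host is not shipping its logs,
            # or the failures happened somewhere outside the collection scope.
            verdict = "unexplained"
        elif len(distinct) >= spray_threshold:
            # Failures against one account from many hosts within minutes is not
            # a forgotten password; treat as suspicious (spraying / lateral movement).
            verdict = "suspicious"
        else:
            # The usual pattern: repeated bad passwords from a single workstation.
            verdict = "single-source"
        findings.append({
            "account": acct,
            "time": t.isoformat(),
            "caller": host,
            "failed_logons": len(recent_hosts),
            "hosts": distinct,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in analyse_lockouts(SAMPLE_EVENTS):
        print(f"{f['time']} {f['account']:<12} {f['verdict']:<14} "
              f"failures={f['failed_logons']} hosts={','.join(f['hosts']) or '-'}")
```

The "unexplained" verdict is the one that matters most for this control: a lockout that arrives centrally with none of the failed logons that caused it means some source is not forwarding its Security log, which is a collection gap to fix before it is a detection problem.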
Aug 2020
The following events are logged for operating systems:
• access to important data and processes
• application crashes and any error messages
• attempts to use special privileges
• changes to accounts
• changes to security policy
• changes to system configurations
• Domain Name System (DNS) and Hypertext Transfer Protocol requests
• failed attempts to access data and system resources
• service failures and restarts
• system startup and shutdown
• transfer of data to and from external media
• user or group management
• use of special privileges.
Security control 0582 was amended to include the capture of data transfers from external media.
Jul 2020
The following events are logged for operating systems:
• access to important data and processes
• application crashes and any error messages
• attempts to use special privileges
• changes to accounts
• changes to security policy
• changes to system configurations
• Domain Name System (DNS) and Hypertext Transfer Protocol requests
• failed attempts to access data and system resources
• service failures and restarts
• system startup and shutdown
• transfer of data to external media
• user or group management
• use of special privileges.
2015
Agencies should log, at minimum, the following events for all software components:
• all privileged operations
• successful and failed elevation of privileges
• security related system alerts and failures
• user and group additions, deletions and modification to permissions
• unauthorised access attempts to critical systems and files.
2010
Agencies should log, at minimum, the following events for all software components:
• all privileged operations
• failed attempts to elevate privileges
• security related system alerts and failures
• system user and group additions, deletions and modification to permissions
• unauthorised access attempts to critical systems and files.