I've come across a new requirement in our security policy that seems a bit concerning. It says we need to ensure that all actions by individual users can be uniquely traced for anything impacting our IT resources and data. I can't shake the feeling that this could be a trap for the sysadmin if there's a security breach. I'm curious about how others would approach this situation. Is there any software out there that's helpful for managing these kinds of requirements? I'm just exploring my options here.
4 Answers
It looks like they’re really asking for audit logs! Whether you’re using O365, Azure AD, or even just your local Active Directory, make sure you’ve got those logs maintained. It's a broad requirement, so if you don’t have a SIEM yet, this might be a good time to push for one. Just document any systems that lack auditing or logging and send that back to them to make it their problem.
I have to say, it's a bit baffling that this is even a question if you're in the sysadmin field or just a sensible human who might later want to know who messed things up. I mean, how green do you have to be to not get it? It seems like common sense to me.
So, the gist is that you need unique accounts for all users (no shared accounts) and ensure that all systems are set to collect audit logs that link back to those individual accounts. It's pretty standard!
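The two parts of that gist (individual accounts, and audit events that link back to them) can be checked mechanically once the logs exist. The script below is an added example, not code from this thread or from any product named in it: it parses a few constructed audit lines in an assumed key=value format, flags events that come from an assumed list of shared or generic accounts or that carry no account at all, and reports how much of the activity is actually traceable to one person. The log format, the sample lines and the shared-account list are all assumptions to replace with your own.

```python
"""Check whether audit events can be traced to an individual user.

Added example, not from the original thread. The log format, sample
lines and shared-account list below are constructed assumptions.
"""
import re
from collections import Counter

# Constructed sample lines in an assumed "key=value" audit format.
SAMPLE_LOG = """\
2024-03-01T09:12:04Z user=alice.jones src=10.0.0.15 action=file.delete target=/finance/q1.xlsx
2024-03-01T09:13:30Z user=administrator src=10.0.0.15 action=user.create target=svc_backup
2024-03-01T09:14:02Z user=bob.smith src=10.0.0.22 action=login target=fileserver01
2024-03-01T09:15:47Z user=shared_helpdesk src=10.0.0.40 action=password.reset target=carol.w
2024-03-01T09:16:10Z user= src=10.0.0.50 action=config.change target=firewall01
2024-03-01T09:17:55Z user=alice.jones src=10.0.0.15 action=group.add target=Domain Admins
"""

# Assumed list of account names that cannot be tied to one person.
SHARED_ACCOUNTS = {"administrator", "root", "admin", "shared_helpdesk", "guest"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S*) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>.*)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(event):
    """Return 'individual', 'shared' or 'unattributed' for one parsed event."""
    user = event["user"].strip().lower()
    if not user:
        return "unattributed"          # event carries no account at all
    if user in SHARED_ACCOUNTS:
        return "shared"                # account used by more than one person
    return "individual"


def audit_attribution(log_text):
    """Summarise how many events trace back to a single named user.

    Returns counts per class, the list of events that cannot be attributed
    (with the reason), and how many lines failed to parse at all.
    """
    counts = Counter()
    untraceable = []
    unparsed = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if event is None:
            unparsed += 1              # a line we cannot read is also a gap
            continue
        cls = classify(event)
        counts[cls] += 1
        if cls != "individual":
            untraceable.append({**event, "reason": cls})
    return {"counts": dict(counts), "untraceable": untraceable, "unparsed": unparsed}


def coverage_ratio(report):
    """Fraction of parsed events attributable to an individual account."""
    total = sum(report["counts"].values())
    return report["counts"].get("individual", 0) / total if total else 0.0


if __name__ == "__main__":
    report = audit_attribution(SAMPLE_LOG)
    print("events by class:", report["counts"], "unparsed:", report["unparsed"])
    print("traceable to an individual: {:.0%}".format(coverage_ratio(report)))
    for ev in report["untraceable"]:
        print(" {} {:<16} {:<16} -> {}".format(ev["ts"], ev["reason"],
                                                ev["action"], ev["target"]))
```

Run against a real export, the untraceable list is the list of accounts and systems to fix (or to document as gaps), and the coverage ratio is a single number you can report back against the requirement. Events with no account field are worth separate attention, since they usually mean a system whose logging is not capturing identity at all rather than a shared login.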
I totally get wanting to log everything, but parsing through endless logs can turn into a wild goose chase, especially for logs that might never even get reviewed later.
Exactly! This requirement should help you phase out any solutions that lack effective logging capabilities.
That's a fair point! How long do they expect you to keep these logs? Without that bit of info, it might be reasonable or totally impossible. Using a SIEM or log aggregator makes sense here. Keeping all that log data on servers is tough without proper disk space, especially for security events.