6.2: Activate Audit Logging

Sub-control 6.2 states that you must ensure that local logging has been enabled on all systems and networking devices.

Asset Type: Network
Security Function: Detect
Implementation Groups: 1, 2, 3

Dependencies

  • Sub-control 1.4: Maintain Detailed Asset Inventory

  • Sub-control 5.1: Establish Secure Configurations

Inputs

  1. Endpoint Inventory (I1): The list of endpoints taken from the detailed asset inventory maintained under Sub-control 1.4.

  2. Event Logging Inventory (I2): The list of events that each endpoint is required to log (that is, the event logging policy).

Assumptions

  • The event logging policy may contain a large number of events that must be logged.
  • A checklist derived from the logging policy can be used to verify each endpoint's configuration individually.

Operations

  1. For each endpoint in I1, determine whether the event logging configuration actually in place matches the policy defined by I2. Record the appropriately configured endpoints and the inappropriately configured endpoints separately.

Measures

Measure   Definition

M1 = List of Endpoints
    A list of all endpoints.

M2 = Count of items in M1
    A count of the total number of items in M1.

M3 = List of appropriately configured endpoints
    A list of all appropriately configured endpoints.

M4 = Count of items in M3
    A count of the total number of items in M3.

M5 = List of inappropriately configured endpoints
    A list of all inappropriately configured endpoints.

M6 = Count of items in M5
    A count of the total number of items in M5.

Metrics

Logging Policy Coverage

Metric Calculation
The ratio of endpoints implementing the prescribed event logging policy to the total number of endpoints: M4 / M2. (M6, the count of inappropriately configured endpoints, is not the denominator; M4 + M6 = M2, so the same ratio can be stated as 1 - M6 / M2.)
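The operation, measures and metric above, carried through as a worked example. This is added illustration, not part of the CIS document: the event names in the policy, the host names, and the configured-event sets are constructed assumptions. Two practical points the procedure leaves implicit are made explicit: an endpoint counts as appropriately configured only if it logs every event in I2 (extra events are fine), and an endpoint that cannot be verified is placed in M5 rather than silently dropped, so unreachable hosts cannot inflate coverage.

```python
"""Sub-control 6.2 measurement: compare each endpoint's configured event
logging against the required policy (I2), produce M1..M6, and compute the
Logging Policy Coverage metric (M4 / M2). All data below is constructed."""

# I2: the event logging policy. Event names are illustrative assumptions.
REQUIRED_EVENTS = {
    "logon_success", "logon_failure", "privilege_use",
    "account_management", "policy_change", "process_creation",
}

# I1: constructed endpoint inventory. The value is the set of events each
# endpoint was found to log; None models a host that could not be queried.
ENDPOINT_INVENTORY = {
    "srv-dc01": REQUIRED_EVENTS | {"object_access"},   # superset: compliant
    "srv-web02": {"logon_success", "logon_failure"},   # missing events
    "ws-fin117": set(REQUIRED_EVENTS),                  # exact match
    "rtr-edge01": set(),                                # logging disabled
    "ws-hr042": None,                                   # unreachable
}


def is_compliant(configured, required=REQUIRED_EVENTS):
    """An endpoint complies when it logs every required event; additional
    events are allowed. An endpoint whose configuration cannot be verified is
    treated as inappropriately configured (assumption) so it lands in M5."""
    if configured is None:
        return False
    return set(required) <= set(configured)


def missing_events(configured, required=REQUIRED_EVENTS):
    """Required events the endpoint does not log; useful for remediation."""
    if configured is None:
        return set(required)
    return set(required) - set(configured)


def measure(inventory, required=REQUIRED_EVENTS):
    """Produce M1..M6 from the endpoint inventory (I1) and the policy (I2)."""
    m1 = sorted(inventory)                                          # M1
    m3 = [h for h in m1 if is_compliant(inventory[h], required)]    # M3
    compliant = set(m3)
    m5 = [h for h in m1 if h not in compliant]                      # M5
    return {"M1": m1, "M2": len(m1),
            "M3": m3, "M4": len(m3),
            "M5": m5, "M6": len(m5)}


def logging_policy_coverage(measures):
    """Logging Policy Coverage = M4 / M2, as a value in [0, 1]."""
    if measures["M2"] == 0:
        return 0.0
    return measures["M4"] / measures["M2"]


if __name__ == "__main__":
    m = measure(ENDPOINT_INVENTORY)
    for host in m["M5"]:
        print(f"{host}: missing {sorted(missing_events(ENDPOINT_INVENTORY[host]))}")
    print(f"Logging Policy Coverage = {m['M4']}/{m['M2']} = "
          f"{logging_policy_coverage(m):.2f}")
```

With the constructed inventory this yields M2 = 5, M4 = 2 and M6 = 3, so coverage is 2/5 = 0.40; the `missing_events` output for each host in M5 is the remediation list that closes the gap. Feeding it real data means replacing `ENDPOINT_INVENTORY` with the output of whatever mechanism (agent query, configuration management export, device audit) actually reads each endpoint's logging configuration.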