6.3.1. Federation Standards: SAML, OAuth 2.0, and OIDC
💡 First Principle: Audit logs are the security system of record — they prove what happened when all other evidence is disputed or ambiguous. But logs only serve this function if they are comprehensive (capture all security-relevant events), accurate (timestamps synchronized, data complete), protected from tampering (even by insiders who generated them), and retained long enough to satisfy investigative needs.
What should be logged:
| Event Category | Events to Log | Why |
|---|---|---|
| Authentication | Successful logins, failed attempts, lockouts, MFA events | Credential attacks; unauthorized access |
| Authorization | Access grants and denials, privilege escalations | Unauthorized access attempts |
| Account management | Account creation, modification, deletion, role changes | Provisioning/deprovisioning verification; insider threat |
| Data access | Access to sensitive data (PII, financial, classified) | Data breach investigation; DLP; compliance |
| System events | Shutdowns, reboots, service starts/stops | Availability; tampering detection |
| Network | Firewall denies, IDS alerts, VPN connections | Attack detection; forensics |
| Application | Application errors, input validation failures, API calls | Application attack detection |
| Administrative | Configuration changes, policy changes, backup operations | Change management; insider threat |
Log protection requirements:
- Integrity: Logs must be tamper-evident; use cryptographic signing or immutable log stores (WORM storage, cloud log services with object lock)
- Separation: Log servers should be in a separate network zone; the users generating the logs should not be able to modify or delete the logs
- Availability: Logs must be available when needed; off-site or cloud-based log storage for high-availability
- Retention: Logs must be retained per regulatory requirements (HIPAA: 6 years; PCI: 1 year; SOX: 7 years; NIST recommends 1-3 years minimum)
- Searchability: Logs must be in formats that allow efficient forensic search; raw syslog is rarely sufficient
Log management architecture:
- Centralized log aggregation — all log sources forward to a central SIEM; avoids having to log into individual systems during investigation
- Syslog / CEF / LEEF — common log transport and format standards; normalize logs from diverse sources
- Time synchronization — NTP synchronized to authoritative source; log correlation requires consistent timestamps across systems; clock skew corrupts forensic timelines
Nonrepudiation via audit trail: The combination of individual identity (no shared accounts), logged actions, and cryptographically protected audit trail creates nonrepudiation. The individual cannot credibly claim they didn't perform an action that is recorded in an authenticated, tamper-evident log associated with their unique identity.
⚠️ Exam Trap: System administrators who manage servers also manage logs on those servers — they can delete or alter log entries to cover their tracks. This is why logs must be shipped to a system the admins don't control (central SIEM, immutable cloud log service) in real-time or near-real-time. The rule: no one should have write access to the logs of systems they administer.
Reflection Question: A privileged systems administrator is suspected of accessing HR salary data without authorization. The security team pulls the access logs from the HR database server. The logs show no access from the administrator's account. The administrator has root access to the database server. What has likely happened, what evidence would you seek from other sources to corroborate or refute the hypothesis, and what architectural control would prevent this evidence problem in future investigations?
