Appendix B: Compliance Considerations : Example Compliance Use Cases for Logs
The following use cases exemplify events that benefit from careful logging and monitoring in the vCloud environment. Other examples include unauthorized services or protocols, successful remote logins, and certificate changes.
*Shared accounts – An investigation into network outages finds several instances where an administrator account logged into critical servers shortly before each failure. Shared accounts make it very difficult to attribute fault to one individual: the logs on that system cannot show which person was using the shared account when the error was made. To support investigations, every action must therefore be tied to an individual user ID with its own password, and log entries must carry accurate, synchronized timestamps so that events can be ordered across systems. Systems should also be configured to detect any use of generic IDs, such as the administrator or root account, and to trace that use back to a unique individual identity (for example, by requiring a personal login before elevation to the shared account).
*User account changes – A malicious user finds an unpatched flaw in the environment that allows elevation of privilege, then uses the resulting system-level privileges to create a bogus user object from which to launch further attacks. A user object might be a Microsoft Windows domain or local user account. User object logs record when an account was added or renamed, and so can reveal unauthorized actions or attempts by a user to hide an attack behind a new or renamed account.
*Unauthorized software – Malware, or a new virtual machine instance in the vCloud, leaves traces in system object logs. A system must therefore track system objects that are added, removed, or modified. The same records are also useful during software installation, to see exactly which system changes an installer makes.
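The following Python script is an added example, not part of the VMware document and not vCloud's own tooling, showing how the three use cases above translate into checks over log records. The key=value line format, the field names (actor, via, event, target, src), the event names, and the sample lines are all constructed for illustration; a real deployment would map its own log schema onto these fields.

```python
from datetime import datetime, timedelta
import shlex

# Constructed sample log (not real vCloud output). Assumed format, one event per line:
#   <ISO-8601 UTC timestamp> key=value key=value ...
# "via=" is the assumed field naming the individual who elevated to a generic account.
SAMPLE_LOG = """\
2024-03-04T09:58:10Z host=db01 actor=administrator event=login_success src=10.0.5.21
2024-03-04T10:01:42Z host=db01 actor=administrator via=jdoe event=login_success src=10.0.5.22
2024-03-04T10:03:05Z host=db01 actor=root event=login_success src=10.0.5.30
2024-03-04T10:04:11Z host=dc01 actor=svc_backup event=user_created target=helpdesk2
2024-03-04T10:04:40Z host=dc01 actor=svc_backup event=user_renamed target=helpdesk2 new=backup_admin
2024-03-04T10:05:00Z host=vcd01 actor=jdoe event=vm_created target=vm-a1b2c3
2024-03-04T10:06:30Z host=db01 actor=kmiller event=login_success src=10.0.5.40
2024-03-04T10:07:00Z host=db01 event=service_failure target=postgresql
"""

GENERIC_IDS = {"administrator", "root"}                       # shared/generic accounts
USER_OBJECT_EVENTS = {"user_created", "user_renamed", "user_deleted"}
SYSTEM_OBJECT_EVENTS = {"vm_created", "vm_deleted", "vm_modified", "package_installed"}


def parse_line(line):
    """Parse one assumed-format line into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for token in shlex.split(rest):          # shlex so quoted values with spaces survive
        key, _, value = token.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def untraceable_generic_logins(events):
    """Use case 1: generic-account logins with no 'via=' unique identity behind them."""
    return [e for e in events
            if e.get("event") == "login_success"
            and e.get("actor") in GENERIC_IDS
            and "via" not in e]


def logins_before_failure(events, window):
    """Use case 1: for each failure, the logins to that host within the preceding window."""
    results = []
    for failure in (e for e in events if e.get("event") == "service_failure"):
        start = failure["ts"] - window
        prior = [e for e in events
                 if e.get("event") == "login_success"
                 and e.get("host") == failure.get("host")
                 and start <= e["ts"] <= failure["ts"]]
        results.append((failure, prior))
    return results


def user_object_changes(events):
    """Use case 2: user objects added, renamed or removed."""
    return [e for e in events if e.get("event") in USER_OBJECT_EVENTS]


def system_object_changes(events):
    """Use case 3: system objects (VMs, packages) added, removed or modified."""
    return [e for e in events if e.get("event") in SYSTEM_OBJECT_EVENTS]


def attributed_actor(event):
    """Identity to hold accountable: the person behind a generic account if known, else the account."""
    return event.get("via") or event.get("actor")


def review(text, window=timedelta(minutes=10)):
    """Run all three checks and return one finding string per flagged record."""
    events = parse_log(text)
    findings = []
    for e in untraceable_generic_logins(events):
        findings.append(f"UNTRACEABLE generic login {e['actor']}@{e['host']} "
                        f"at {e['ts']:%H:%M:%S} from {e.get('src')}")
    for failure, prior in logins_before_failure(events, window):
        actors = ", ".join(sorted({attributed_actor(e) for e in prior}))
        findings.append(f"FAILURE {failure['target']}@{failure['host']} "
                        f"at {failure['ts']:%H:%M:%S}; prior logins: {actors}")
    for e in user_object_changes(events):
        findings.append(f"USER-OBJECT {e['event']} {e['target']} by {attributed_actor(e)}@{e['host']}"
                        + (f" -> {e['new']}" if "new" in e else ""))
    for e in system_object_changes(events):
        findings.append(f"SYSTEM-OBJECT {e['event']} {e['target']} by {attributed_actor(e)}@{e['host']}")
    return findings


if __name__ == "__main__":
    for line in review(SAMPLE_LOG):
        print(line)
```

On the constructed sample, the two logins as administrator and root without a via= identity are reported as untraceable, the postgresql failure is correlated with four prior logins on db01 (one of them resolved to jdoe through the shared administrator account), the creation and rename of helpdesk2 are surfaced as user-object changes, and the new vm-a1b2c3 instance is surfaced as a system-object change. The window length and the field mapping are the two things to tune for a real log source.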