Please state how many months the logs are kept for.
What is the control?
Just like other types of logs, activity logs for administrative users are of little use if they are not retained for a useful period. As stated before, if your logs do not go back far enough to let you investigate or reconstruct plausible events, much of the benefit of keeping logs in the first place is lost.
Why should I have it?
Administrative users' logs can be particularly important to retain, as someone with administrative access to systems can not only modify virtually anything on those systems, but also use and act as other accounts without needing their credentials.
It is therefore crucial to know the full activity trail of the "super user" and other administrative accounts, because activity that appears to come from an ordinary account could actually be an administrative account running commands as that user.
As mentioned before, public figures for the mean time to detection of major security breaches are often between 6 and 9 months. We recommend that your retention for security and event logs be the same 9 months or better as for regular activity logs, to increase the likelihood that you will have logs covering the full duration of a breach.
However, you may wish to keep "super user" and other administrative accounts' logs for longer: they should typically not take up much storage, since the activity level should be low, and the extra period of visibility may be useful. After all, an attacker who has succeeded in obtaining "super user" or some other administrative level of access is likely to be able to cover their tracks for longer.
Since administrator or "super user" activity logs are of increased importance but normally make up only a small percentage of overall log data, you may wish to have your logging policy treat them differently, with longer retention periods as well as more frequent review.
Since a “super user” account can edit or delete anything, including its own logs on the system, it’s more important than ever that these logs be directly sent to, and stored on, a secure central logging platform such as your SIEM or another repository.
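To answer the question at the top of this entry with evidence rather than an assumed figure, the check below (added here as an example; it is not part of the original knowledge-base text) takes the oldest retained event per log class and reports how many months of coverage each class actually has against policy. The 9-month regular threshold is the one stated above; the 18-month administrative threshold, the admin account list and the sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Retention policy in months. 9 months for regular activity logs comes from the
# text above; the longer admin period (18 months) is an assumed example value.
POLICY_MONTHS = {"regular": 9, "admin": 18}
ADMIN_ACCOUNTS = {"root", "admin"}  # assumed; take this from your privileged-account inventory

@dataclass(frozen=True)
class LogEvent:
    when: date
    user: str
    detail: str

def classify(event):
    """Admin-account activity, or a user escalating via sudo/su, counts as 'admin'."""
    if event.user in ADMIN_ACCOUNTS or event.detail.startswith(("sudo:", "su:")):
        return "admin"
    return "regular"

def months_between(older, newer):
    """Whole calendar months from the oldest retained event up to 'newer'."""
    months = (newer.year - older.year) * 12 + (newer.month - older.month)
    if newer.day < older.day:
        months -= 1
    return max(months, 0)

def retention_report(events, today):
    """Map each log class to (months_covered, policy_months, meets_policy)."""
    oldest = {}
    for e in events:
        cls = classify(e)
        if cls not in oldest or e.when < oldest[cls]:
            oldest[cls] = e.when
    report = {}
    for cls, policy in POLICY_MONTHS.items():
        # A class with no retained events at all has zero months of coverage.
        covered = months_between(oldest[cls], today) if cls in oldest else 0
        report[cls] = (covered, policy, covered >= policy)
    return report

# Constructed sample: the oldest retained events per class, as you would pull
# them from the central log platform. Admin coverage here is deliberately short.
SAMPLE_EVENTS = [
    LogEvent(date(2023, 6, 15), "alice", "login from 10.0.0.5"),
    LogEvent(date(2024, 1, 10), "root", "session opened"),
    LogEvent(date(2024, 3, 1), "alice", "sudo: COMMAND=/bin/systemctl restart sshd"),
]

if __name__ == "__main__":
    for cls, (covered, policy, ok) in retention_report(SAMPLE_EVENTS, date(2024, 9, 20)).items():
        print(f"{cls}: {covered} months retained, policy {policy}, {'OK' if ok else 'SHORT'}")
```

Run against your own oldest events per class, the numbers it prints are the ones to state in the answer, and a "SHORT" line for the admin class is exactly the gap this entry warns about.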
There are numerous consultancies and individual consultants that can assist in crafting a security architecture that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email firstname.lastname@example.org. Contributors will be recognised on our contributors page.
Please do not submit your answer on the knowledge base.