#53 SECURITY PROTECT Elite
Access Audit Trail
Who accessed what, when
Medium
Overview
Log and monitor all access to systems and secrets, and detect anomalous access patterns.
Why It Matters
Answers 'who touched prod?' during incidents from a complete access log.
The Risk
Without audit trails, breaches go undetected. When incidents happen, you can't determine what the attacker accessed or when. Compliance audits fail. Insider threats operate invisibly.
Implementation Components
A complete implementation of this capability includes:
- Comprehensive audit logging (auditd, sshd, sudo)
- Centralized log aggregation
- Long retention (90+ days minimum)
- Searchable audit trail interface
- Alerting on suspicious patterns (off-hours access, failed attempts)
- Tamper-proof logging (logs to immutable storage)
Implementation Pattern
1. Enable audit logging
2. Log SSH sessions
3. Aggregate logs
4. Alert on suspicious patterns
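The four steps above stop at "alert on suspicious patterns" without showing what the alerting stage actually does with the aggregated sshd and sudo records. The following is an added example, not code from the original page or from any tool it lists: it parses constructed syslog-style sshd and sudo lines (hostnames, users and RFC 5737 addresses are made up, and the year is assumed because syslog timestamps omit it), answers the "who touched this host and what did they do?" question, and applies the two alert rules named in the components list, off-hours access and failed-attempt bursts. The business-hours window, failure threshold and burst window are assumed parameters.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd/sudo syslog lines (not from any real system).
SAMPLE_LOG = """\
Mar 10 02:13:45 bastion sshd[1201]: Accepted publickey for alice from 203.0.113.7 port 51234 ssh2: ED25519 SHA256:AAAA
Mar 10 02:14:02 bastion sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar 10 09:30:11 bastion sshd[1320]: Accepted publickey for bob from 198.51.100.4 port 40000 ssh2: ED25519 SHA256:BBBB
Mar 10 09:31:00 bastion sshd[1331]: Failed password for invalid user admin from 192.0.2.9 port 33001 ssh2
Mar 10 09:31:04 bastion sshd[1332]: Failed password for invalid user admin from 192.0.2.9 port 33002 ssh2
Mar 10 09:31:09 bastion sshd[1333]: Failed password for root from 192.0.2.9 port 33003 ssh2
Mar 10 10:02:17 bastion sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 23:45:30 bastion sshd[1400]: Accepted password for carol from 203.0.113.22 port 50001 ssh2
"""

# Classic syslog layout: timestamp, host, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[a-zA-Z_-]+)(?:\[\d+\])?: +(?P<msg>.*)$"
)
SSH_OK_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
SSH_FAIL_RE = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse(log_text, year=2024):
    """Turn raw syslog lines into event dicts; non-sshd/sudo lines are skipped.
    The year is an assumption because syslog timestamps do not carry one."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        prog, msg = m["prog"], m["msg"]
        if prog == "sshd":
            ok, fail = SSH_OK_RE.match(msg), SSH_FAIL_RE.match(msg)
            if ok:
                events.append({"ts": ts, "kind": "ssh_login", "user": ok["user"], "src": ok["src"]})
            elif fail:
                events.append({"ts": ts, "kind": "ssh_fail", "user": fail["user"], "src": fail["src"]})
        elif prog == "sudo":
            s = SUDO_RE.match(msg)
            if s:
                events.append({"ts": ts, "kind": "sudo", "user": s["user"],
                               "target": s["target"], "cmd": s["cmd"]})
    return events


def access_summary(events):
    """Answer 'who touched this host, and what did they do?' from the parsed trail."""
    summary = defaultdict(list)
    for e in events:
        if e["kind"] == "ssh_login":
            summary[e["user"]].append(f"{e['ts']:%H:%M:%S} login from {e['src']}")
        elif e["kind"] == "sudo":
            summary[e["user"]].append(f"{e['ts']:%H:%M:%S} sudo as {e['target']}: {e['cmd']}")
    return dict(summary)


def detect(events, business_hours=(6, 22), fail_threshold=3, window_s=300):
    """Two alert rules: successful access outside business hours, and
    fail_threshold or more failed logins from one source within window_s seconds."""
    alerts = []
    start, end = business_hours
    for e in events:
        if e["kind"] in ("ssh_login", "sudo") and not (start <= e["ts"].hour < end):
            alerts.append({"rule": "off_hours_access", "user": e["user"], "ts": e["ts"].isoformat()})

    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "ssh_fail":
            by_src[e["src"]].append(e["ts"])
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - fail_threshold + 1):
            window_end = times[i] + timedelta(seconds=window_s)
            in_window = [t for t in times if times[i] <= t <= window_end]
            if len(in_window) >= fail_threshold:
                alerts.append({"rule": "failed_login_burst", "src": src,
                               "count": len(in_window), "ts": times[i].isoformat()})
                break  # one alert per source is enough for a responder
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for user, actions in access_summary(evs).items():
        print(user, actions)
    for alert in detect(evs):
        print(alert)
```

In a real deployment the parser would read from the aggregation layer rather than a string, and the alert dicts would be handed to whatever paging or ticketing system the team uses; the point of the example is that the rules themselves are short once the events are normalised.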
Pipeline Coverage
This continuous capability applies to the following pipeline phases:
RELEASE
Tool Examples
These are examples, not endorsements. Choose what fits your context.
Dependencies
Requires (must have first)
Same Layer
Other capabilities in this continuous layer
- #44 Database Backups
- #45 System/App Backups
- #46 Restore Verification
- #47 Restore Drills
- #48 Host Hardening