Commercial off-the-shelf applications
We have developed a series of logging requirements for Commercial off-the-shelf (COTS) applications, such as Software-as-a-Service (SaaS) solutions or where applications are not so customised that they can reasonably be considered bespoke/custom for the Ministry of Justice (MoJ).
Baseline Maturity Tier
1. User directory services
Log Collection Principle(s): 1, 2
User directory services, or interactions with them, must create and forward Authentication and Authorisation events.
User directories within application environments can be rich and diverse; such technologies include:
- Active Directory (AD)
- Azure Active Directory
- OpenLDAP
- Amazon Web Services (Accounts and Cognito)
- Okta
- Auth0
- github.com (acting as an identity provider)
- Google Workspace (acting as an identity provider)
- Oracle identity stores
- Local user stores within operating systems leveraged by tenant applications
These event types must be logged and forwarded:
- Account creation
- Account lockout
- Account reinstatement
- Account authentication failures
- Account authentication successes after 1 or more failures
- Account password changes
- Group membership addition / deletion (in particular, any group that gives admin access)
- Group creation
- Privilege modification for users (for example, role delegation through AWS IAM)
- Multi-factor authentication state, such as:
  - Enabled
  - Disabled
  - Reset/rotation
  - Recovery method used
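The value of forwarding these event types is that the collector can derive alerts from them, for example an authentication success that follows one or more failures, an addition to a group that grants admin access, or MFA being disabled. The script below is an added illustration and is not part of this guidance or any MoJ system: it reads constructed directory-service events in a JSON-lines layout (the field names `event`, `user`, `group`, `state` and `actor`, and the admin group names, are assumptions), derives those alerts, and reports which of the required event types the source has not yet produced.

```python
"""Derive alerts from user-directory events and check event-type coverage.

Added example, not code from the MoJ guidance. The event schema is an
assumption chosen so that each required event type has one value of "event".
"""
import json
from collections import defaultdict

# Constructed sample events in JSON-lines form (schema is an assumption).
SAMPLE_EVENTS = """
{"ts": "2024-05-01T09:00:01Z", "event": "auth_failure", "user": "alice"}
{"ts": "2024-05-01T09:00:07Z", "event": "auth_failure", "user": "alice"}
{"ts": "2024-05-01T09:00:15Z", "event": "auth_success", "user": "alice", "src": "203.0.113.7"}
{"ts": "2024-05-01T09:05:00Z", "event": "auth_success", "user": "bob", "src": "203.0.113.9"}
{"ts": "2024-05-01T09:10:00Z", "event": "group_add", "user": "bob", "group": "Domain Admins", "actor": "carol"}
{"ts": "2024-05-01T09:12:00Z", "event": "mfa_state", "user": "bob", "state": "disabled", "actor": "bob"}
{"ts": "2024-05-01T09:13:00Z", "event": "group_add", "user": "dave", "group": "Staff", "actor": "carol"}
""".strip()

# One "event" value per event type the guidance requires (names are assumptions).
REQUIRED_EVENT_TYPES = {
    "account_created", "account_lockout", "account_reinstated",
    "auth_failure", "auth_success", "password_change",
    "group_add", "group_remove", "group_create",
    "privilege_change", "mfa_state",
}

# Groups whose membership confers admin access (assumed names).
ADMIN_GROUPS = {"Domain Admins", "Global Administrators", "admin"}


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def derive_alerts(events):
    """Return (alert_type, user, detail) tuples in the order they are raised."""
    alerts = []
    failures = defaultdict(int)  # consecutive auth failures per user
    for e in events:
        kind, user = e.get("event"), e.get("user")
        if kind == "auth_failure":
            failures[user] += 1
        elif kind == "auth_success":
            # The guidance singles out a success after one or more failures.
            if failures[user] > 0:
                alerts.append(("success_after_failures", user, failures[user]))
            failures[user] = 0
        elif kind == "group_add" and e.get("group") in ADMIN_GROUPS:
            alerts.append(("admin_group_added", user, e.get("group")))
        elif kind == "mfa_state" and e.get("state") == "disabled":
            alerts.append(("mfa_disabled", user, e.get("actor")))
    return alerts


def missing_event_types(events):
    """Required event types the source has never emitted (sorted).

    A non-empty result means the collector cannot yet see those events,
    which is a gap against the "must be logged and forwarded" requirement
    rather than evidence that nothing happened.
    """
    seen = {e.get("event") for e in events}
    return sorted(REQUIRED_EVENT_TYPES - seen)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for alert in derive_alerts(events):
        print("ALERT", *alert)
    print("never seen:", ", ".join(missing_event_types(events)))
```

The coverage check is worth running against a real feed early: a directory that forwards authentication events but not group or MFA changes looks healthy in a dashboard while the events this guidance cares about most are silently absent.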
2. Authenticated user activity events
Log Collection Principle(s): 6
Applications should create viable user activity audit information for authenticated users to reasonably identify which authenticated user took which action.
- User/group identifier(s)
- Action/query
- Response size
- Response time
Enhanced Maturity Tier
1. Data store events
Log Collection Principle(s): 6
Temporary data stores (such as intermediate queues) and permanent data stores (such as databases) are key data locations, and all interactions with them should be highly auditable.
- Data store identifier(s)
- Credential identifier(s)
- Query
- Query response size
- Query response time
2. Unauthenticated user activity events
Log Collection Principle(s): 6
Where unauthenticated users interact with applications (for example, a MoJ Google Workspace document available on the general Internet through relaxed access controls), associated audit information must be created.
- End-client identifier(s)
- Query metadata:
  - Destination identifier (such as target hostname, TCP/UDP port and/or full URI)
  - Query type (for example, HTTP GET or HTTP POST)
  - Query size
- Response size
- Response time
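The three lists above (authenticated user activity, data store events and unauthenticated user activity) share the same shape: an identity field, a description of the action or query, and the size and time of the response. The following is an added example, not code from the MoJ guidance or any MoJ application; the record layout, the field names (`user_id`, `store_id`, `credential_id`, `client_id` and so on) and the sample handlers are assumptions. It wraps a call, measures response size and time itself, and flags any record that is missing a required field so the gap is visible in the log instead of the event being dropped.

```python
"""Emit and validate audit records for application, data-store and
unauthenticated activity.

Added example, not code from the MoJ guidance. The record layout and field
names are assumptions that carry the fields the guidance lists.
"""
import json
import time

# Fields each record kind must carry, following the guidance's three lists.
REQUIRED_FIELDS = {
    "user_activity": {"user_id", "action", "response_size", "response_ms"},
    "data_store": {"store_id", "credential_id", "query",
                   "response_size", "response_ms"},
    "unauthenticated": {"client_id", "destination", "query_type", "query_size",
                        "response_size", "response_ms"},
}


def missing_fields(record):
    """Return the required fields absent or empty in record (sorted)."""
    required = REQUIRED_FIELDS.get(record.get("kind"), set())
    return sorted(f for f in required if record.get(f) in (None, ""))


def response_length(result):
    """Size in bytes of what was returned to the caller."""
    if isinstance(result, bytes):
        return len(result)
    if isinstance(result, str):
        return len(result.encode("utf-8"))
    return len(json.dumps(result).encode("utf-8"))


def audited(kind, fn, *args, **fields):
    """Run fn(*args) and return (result, audit_record).

    Response size and time are measured here; the caller supplies the
    identity and query fields. Records with gaps are still emitted but
    flagged, so a missing identifier shows up in the log rather than
    silently losing the event.
    """
    start = time.perf_counter()
    result = fn(*args)
    elapsed_ms = round((time.perf_counter() - start) * 1000, 3)
    record = {
        "kind": kind,
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "response_size": response_length(result),
        "response_ms": elapsed_ms,
        **fields,
    }
    gaps = missing_fields(record)
    if gaps:
        record["audit_incomplete"] = gaps
    return result, record


def emit(record):
    """One JSON object per line; stdout stands in for the log forwarder."""
    print(json.dumps(record, sort_keys=True))


if __name__ == "__main__":
    # Constructed sample handlers standing in for real application code.
    _, rec = audited("user_activity", lambda: {"rows": [1, 2, 3]},
                     user_id="u-1001", groups=["case-workers"],
                     action="GET /cases?status=open")
    emit(rec)
    query = "SELECT id FROM cases WHERE status = ?"
    _, rec = audited("data_store", lambda q: [("c-42",)], query,
                     store_id="cases-db-prod", credential_id="svc-app-ro",
                     query=query)
    emit(rec)
    # Unauthenticated access with no query size supplied: flagged, not dropped.
    _, rec = audited("unauthenticated", lambda: b"<html>...</html>",
                     client_id="198.51.100.23",
                     destination="docs.example.org:443/share/abc",
                     query_type="HTTP GET")
    emit(rec)
```

Keeping `missing_fields` separate from `audited` lets the same check run at the collector over records produced by a COTS product you cannot modify, which is the usual situation this guidance addresses.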
Feedback
If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.