
Custom Applications

We have developed a series of logging requirements for custom applications at different maturity tiers, in order to support defensive cyber security such as detecting breaches. Custom applications include digital services, applications that have been customised so materially that they can reasonably be considered bespoke to the Ministry of Justice (MoJ), and line of business applications.

Baseline Maturity Tier

1. User directory services

Log Collection Principle(s): 1, 2

User directory services, or interactions with them, must create and forward Authentication and Authorisation events.

User directories within application environments can be rich and diverse; such technologies include:

  • Active Directory (AD)
  • Azure Active Directory
  • OpenLDAP
  • Amazon Web Services (Accounts and Cognito)
  • Okta
  • Auth0
  • GitHub.com (acting as an identity provider)
  • Google Workspace (acting as an identity provider)
  • Oracle identity stores
  • Local user stores within operating systems leveraged by tenant applications

These event types must be logged and forwarded:

  1. Account creation
  2. Account lockout
  3. Account reinstatement
  4. Account authentication failures
  5. Account authentication successes after 1 or more failures
  6. Account password changes
  7. Group membership addition / deletion (in particular, any group that gives admin access)
  8. Group creation
  9. Privilege modification for users (for example, role delegation through AWS IAM)
  10. Multi-factor authentication state, such as:
    1. Enabled
    2. Disabled
    3. Reset/rotation
    4. Recovery method used
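Item 5 above is the only event type in this list that a directory does not emit directly: it has to be derived by correlating failures and successes for the same account. The following Python is an added example, not part of this guidance, showing one way to derive it from a stream of forwarded authentication events; the JSON field names and the sample events are constructed assumptions, not an MoJ format.

```python
import json
from collections import defaultdict

# Constructed sample of forwarded directory authentication events, one JSON
# object per line, in arrival order (assumed field names, not an MoJ standard).
SAMPLE_EVENTS = """\
{"ts": "2024-01-01T09:00:00Z", "account": "alice", "event": "auth_failure", "src": "10.0.0.5"}
{"ts": "2024-01-01T09:00:07Z", "account": "alice", "event": "auth_failure", "src": "10.0.0.5"}
{"ts": "2024-01-01T09:00:15Z", "account": "bob",   "event": "auth_success", "src": "10.0.0.9"}
{"ts": "2024-01-01T09:00:20Z", "account": "alice", "event": "auth_success", "src": "10.0.0.5"}
{"ts": "2024-01-01T09:05:00Z", "account": "alice", "event": "auth_success", "src": "10.0.0.5"}
{"ts": "2024-01-01T09:06:00Z", "account": "carol", "event": "auth_failure", "src": "10.0.0.7"}
{"ts": "2024-01-01T09:06:30Z", "account": "carol", "event": "account_lockout", "src": "10.0.0.7"}
"""

def success_after_failures(lines):
    """Yield one derived event for each authentication success that follows
    one or more failures for the same account (baseline tier, item 5).
    Failures are counted per account and the counter is cleared by that
    account's next success, so bob's clean login does not report alice's
    failures and alice's second success reports nothing."""
    failures = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        account, kind = ev["account"], ev["event"]
        if kind == "auth_failure":
            failures[account].append(ev)
        elif kind == "auth_success":
            prior = failures.pop(account, [])
            if prior:
                yield {
                    "event": "auth_success_after_failures",
                    "account": account,
                    "ts": ev["ts"],
                    "src": ev["src"],
                    "prior_failures": len(prior),
                    "first_failure_ts": prior[0]["ts"],
                    # Distinct sources of the failures help an analyst judge
                    # a mistyped password against a spread of attempts.
                    "distinct_sources": sorted({p["src"] for p in prior}),
                }
        # Other event types (lockout, reinstatement, ...) are forwarded as-is
        # by the collector and deliberately leave the failure counter intact.

def derive_from_sample():
    return list(success_after_failures(SAMPLE_EVENTS.splitlines()))

if __name__ == "__main__":
    for derived in derive_from_sample():
        print(json.dumps(derived))
```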

2. Authenticated user activity events

Log Collection Principle(s): 6

Applications should create sufficient user activity audit information for authenticated users that it is reasonably possible to understand retrospectively which actions the user took or attempted. At a minimum, each event should record:

  1. User/group identifier(s)
  2. Action/query
  3. Response size
  4. Response time

3. Unauthenticated user activity events

Log Collection Principle(s): 6

Where unauthenticated users interact with applications (for example, a digital service published and available on the general Internet), associated audit information must be created, recording at a minimum:

  1. End-client identifier(s)
  2. Query metadata:
    1. Destination identifier (such as target hostname, TCP/UDP port and/or full URI)
    2. Query type (for example, HTTP GET or HTTP POST)
    3. Query size
  3. Response size
  4. Response time

Enhanced Maturity Tier

1. Pipeline events

Log Collection Principle(s): 1, 2, 3, 6

Continuous integration and continuous deployment pipelines act on instructions to manage applications and hold a privileged position over all associated resources, so they must be highly auditable in order to establish what activity took place and attribute it to a source. Each pipeline event should record:

  1. Source identifier(s)
    1. User(s)
    2. Repository
  2. Activity events
    1. Resource creation
    2. Resource destruction
    3. Target environment

2. Data store events

Log Collection Principle(s): 6

Temporary data stores (such as intermediate queues) and permanent data stores (such as databases) are key data locations, and all interactions with them should be highly auditable. Each data store event should record:

  1. Data store identifier(s)
  2. Credential identifier(s)
  3. Query
  4. Query response size
  5. Query response time

Feedback

If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.