3.3.8 — Tamper-Proof Logs
What It Says
Section titled “What It Says”Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
What It Actually Means
Section titled “What It Actually Means”Audit logs are evidence. They must be protected the same way you’d protect any critical evidence — from tampering, from deletion, and from unauthorized eyes.
Six things are protected, across two categories:
Audit information (the log data itself):
- Protected from unauthorized access. Not everyone can read the logs. Only personnel with a legitimate need — security team, designated auditors — can view audit records. A sysadmin who’s the subject of an investigation shouldn’t be able to read the investigation logs.
- Protected from unauthorized modification. Nobody can edit log entries. Write-once storage, immutable blobs, append-only configurations. If a log says “admin deleted 50 files at 2 AM,” that entry can never be changed.
- Protected from unauthorized deletion. Nobody can delete log entries — not even the people who manage the systems being logged. This is the hardest one. It requires separating log management from general system administration.
Audit logging tools (the SIEM, log collectors, agents): 4. Protected from unauthorized access. Only designated log administrators can access the SIEM console or log management tools. 5. Protected from unauthorized modification. Configuration of logging tools is restricted — nobody can silently change what gets logged or where logs go. 6. Protected from unauthorized deletion. Logging agents, collectors, and the SIEM itself can’t be uninstalled or disabled by general admins.
The core principle is separation: the people being logged should not be able to access, modify, or delete the logs about their own actions.
Pass or Fail
Section titled “Pass or Fail”Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Is audit information protected from unauthorized access? | Log data readable only by designated security personnel — not all admins |
| 2 | Is audit information protected from unauthorized modification? | Write-once or immutable storage — log entries cannot be edited |
| 3 | Is audit information protected from unauthorized deletion? | Log retention enforced technically — admins can’t purge log data |
| 4 | Are audit logging tools protected from unauthorized access? | SIEM admin console restricted to designated log administrators |
| 5 | Are audit logging tools protected from unauthorized modification? | Logging tool configs locked — changes require elevated privileges and change management |
| 6 | Are audit logging tools protected from unauthorized deletion? | Logging agents can’t be uninstalled by standard admins; SIEM protected from decommissioning |
What to Have Ready on Assessment Day
Section titled “What to Have Ready on Assessment Day”Documents they’ll review: Audit and accountability policy; access control policy for audit systems; procedures addressing audit information protection; system security plan; system configuration showing immutable storage settings; list of authorized audit system users; RBAC configuration for SIEM
People they’ll talk to: Personnel with audit and accountability responsibilities; information security personnel; system or network administrators; anyone with access to audit logging tools
Live demos they’ll ask for: “Show me who can access your SIEM.” “Can a sysadmin delete a log entry? Prove it.” “Show me the immutable storage configuration.” “Try to modify a log entry from last week — what happens?”
The Assessor’s Playbook
Section titled “The Assessor’s Playbook”These are the actual questions. Have answers ready.
- “Who can access your audit logs? Show me the access list.”
- “Can a system administrator modify or delete their own audit trail?”
- “Show me the storage configuration — is it write-once or immutable?”
- “Who can access the SIEM admin console? Is it the same people as your general sysadmins?”
- “If I asked you to delete a log entry from three months ago, could you?”
- “How do you prevent a logging agent from being uninstalled on a CUI workstation?”
Where Companies Trip Up
Section titled “Where Companies Trip Up”Admins can delete logs. Same domain admins who are being logged have full access to the log server or SIEM. An insider threat or a compromised admin account means the evidence disappears. Separate log management roles from general administration.
No write protection. Logs stored on a file share where anyone with server access can edit or delete files. Use immutable storage — Azure Blob immutability policies, AWS S3 Object Lock, or dedicated WORM storage.
No log backup or redundancy. Logs in one location only. If the SIEM is compromised or its storage fails, evidence is gone. Forward logs to at least two locations — the SIEM for analysis and immutable cold storage for retention.
SIEM admin = sysadmin. Everyone on the IT team has full SIEM admin access. Restrict the SIEM admin role to a small subset of security personnel — separate from the general IT team being logged.
How to Talk About This
Section titled “How to Talk About This”Connected Requirements
Section titled “Connected Requirements”| Requirement | Why it matters here |
|---|---|
| 3.3.1 — Log Everything | Creates the audit records this requirement protects |
| 3.3.9 — Limit Who Manages Logs | Restricts who can configure logging — a subset of the access control here |
| 3.1.7 — No Shared Accounts for Admin | Shared admin accounts undermine the separation of duties needed for log protection |
| 3.3.4 — Alert When Logging Breaks | Detects when someone attempts to disable or tamper with logging |
Implementation (coming soon)
Section titled “Implementation (coming soon)”Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.
CMMC Practice ID: AU.L2-3.3.8 | SPRS Weight: 1 point | POA&M Eligible: Yes