S 4.302 Logging on printers, copiers, and all-in-one devices
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
The activity on printers, copiers, and all-in-one devices should be monitored and logged for several reasons. On the one hand, once logging is activated, it can be used to detect and eliminate potential weaknesses early on. On the other hand, logging can also serve to detect security policy violations (see S 2.398 User guidelines for handling printers, copiers, and all-in-one devices) or to investigate a security incident. In addition, monitoring can usually also be used to determine when consumables need to be refilled.
At least the following primary questions relating to logging on printers, copiers, and all-in-one devices should be answered:
- What information should be logged?
- How should logging be performed?
- Who is authorised and/or responsible for evaluating the logs?
- How and when will the logs be evaluated?
- Who will be informed when certain events occur?
- How long must/can the log data be stored and how will the log data be deleted?
You must carefully select the information to be logged. If too much information is stored, important events may be overlooked during evaluation of the logs. If too little is logged, then it is possible that important information is not recorded.
From a security perspective, the following events have shown themselves to be particularly relevant for logging. The list is in descending order based on priority:
- Changes to the configuration settings must always be logged.
- Failed authentication procedures and, when a higher protection level is required, successful authentication procedures as well should be logged. This applies to local logins as well as to accesses over the network.
- The system resources and values measured for operational reliability should always be monitored for critical values. This includes, for example, information on the temperature, current load, and the amount of storage space available.
- To avoid supply bottlenecks, information on the consumption of paper and toner should be logged and evaluated.
- Records of who printed documents at what time or of who used the device can also be recorded, if necessary.
Depending on the device and application, it may make sense when specifying the scope of the logging to remove some of these events or to monitor additional events, for example when the device was switched on or off. In practice, the scope of the logging depends on the extent to which the particular type of device technically supports the logging of the various events.
After specifying what information should be logged, it must be clarified where the log data will be stored. If possible, a central logging server should be used for this purpose. Otherwise the log files must be stored locally on the individual devices.
When recording logs for networked IT systems, the times on the systems should be synchronised. This allows events to be compared reliably with the information logged by the other systems (see M 4.227 Use of a local NTP server for time synchronisation).
Log data needs not only to be stored but also to be evaluated systematically. Here too, it is important to specify who is responsible and which procedure needs to be followed. Recommendations can be found in S 2.64 Checking the log files.
If unexpected or unusual events are found in the logs, then appropriate action must be taken. A large number of incorrect authentication attempts can indicate an attack or point out users who have not been properly instructed. However, even normal events can necessitate a reaction. For example, if the fill level of a consumable material drops below a certain minimum, then new supplies must be obtained promptly. For this reason, the responsible administrator or the person responsible for consumables must be informed immediately.
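The evaluation described above can be automated on a central logging server. The following is an added example, not part of the original safeguard text: the log line format, the device and event names, and the thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Assumed thresholds; take the real values from your own security policy.
MAX_FAILED_LOGINS = 5                    # failed logins per device ...
FAILED_WINDOW = timedelta(minutes=10)    # ... within this time span
MIN_LEVEL_PERCENT = 10                   # minimum fill level of a consumable
# Constructed sample in an assumed "timestamp device key=value ..." format.
SAMPLE_LOG = """\
2024-05-06T08:00:00Z mfp-2f event=auth_failed user=admin src=10.0.4.17
2024-05-06T08:00:20Z mfp-2f event=auth_failed user=admin src=10.0.4.17
2024-05-06T08:00:41Z mfp-2f event=auth_failed user=admin src=10.0.4.17
2024-05-06T08:01:02Z mfp-2f event=auth_failed user=admin src=10.0.4.17
2024-05-06T08:01:30Z mfp-2f event=auth_failed user=admin src=10.0.4.17
2024-05-06T08:05:00Z mfp-2f event=config_change setting=snmp_community user=admin
2024-05-06T09:10:00Z prn-1a event=auth_failed user=jdoe src=10.0.7.3
2024-05-06T09:12:00Z prn-1a event=consumable item=toner_black level=7
2024-05-06T09:30:00Z prn-1a event=consumable item=paper_tray1 level=60
"""

def parse_line(line):
    """Split one line into (UTC timestamp, device name, dict of key=value fields)."""
    stamp, device, *pairs = line.split()
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return when, device, dict(p.split("=", 1) for p in pairs)

def evaluate(log_text):
    """Return (timestamp, device, kind, detail) alerts for chronologically ordered lines."""
    alerts, failures = [], defaultdict(deque)   # failures: device -> recent failed logins
    for line in filter(str.strip, log_text.splitlines()):
        try:
            when, device, f = parse_line(line)
        except ValueError:                      # malformed line: report it, do not drop it
            alerts.append((None, "?", "unparsable", line))
            continue
        event = f.get("event")
        if event == "config_change":            # configuration changes always alert
            alerts.append((when, device, "config_change", f.get("setting", "?")))
        elif event == "auth_failed":
            recent = failures[device]
            recent.append(when)
            while when - recent[0] > FAILED_WINDOW:
                recent.popleft()                # forget failures older than the window
            if len(recent) >= MAX_FAILED_LOGINS:
                alerts.append((when, device, "failed_logins", f"{len(recent)} in window"))
                recent.clear()                  # start counting again after the alert
        elif event == "consumable" and f.get("level", "").isdigit():
            if int(f["level"]) < MIN_LEVEL_PERCENT:
                alerts.append((when, device, "consumable_low", f"{f.get('item', '?')}={f['level']}%"))
    return alerts
```

Because the failed-login window is computed from the timestamps in the log lines, the result is only meaningful when all devices have synchronised clocks.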
If personal data are archived, the applicable laws and regulations must be followed. These include, above all, the German Federal Data Protection Act (BDSG) and the corresponding state laws. You will find more information in S 2.110 Data protection guidelines for logging procedures.
Review questions:
- Are the activities on printers, copiers, and all-in-one devices logged in a suitable manner?
- Will data protection aspects be taken into account during evaluation?
- Is it ensured that all devices have the correct system time?