Central Logging of Command Line Events
Track all command line actions by keeping a central log of every new process initiated via the command shell.
Plain language
Central logging of command line actions is about keeping a record of every new task a computer starts when someone types commands. This matters because without these logs, unauthorised activities might go unnoticed, putting your important information at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2, ML3
Official control statement
Command line process creation events are centrally logged.
Why it matters
Without central logging of command line process creation, attackers can run commands without trace, delaying detection, investigation and containment.
Operational notes
Forward command line process creation logs to a central SIEM and alert on suspicious parent/child process chains, unusual shells and admin tools.
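The alerting the note describes only works once process creation events from every host land in one place, because the suspicious pattern is usually a relationship between two processes (the parent that launched a shell, the shell that launched an admin tool) rather than any single event. As an added illustration, not part of the control text or of any product, the following Python applies three such rules to a handful of constructed process creation records. The JSON field names (`host`, `user`, `parent`, `image`, `cmdline`) are an assumption of this example; in practice they would be mapped from Windows Security Event ID 4688 (with command line auditing enabled), Sysmon Event ID 1, or auditd `EXECVE` records by the SIEM's parser. The lists of shells, document handlers and admin tools are starting points to be tuned against the organisation's own baseline.

```python
"""Parent/child detection rules over centrally collected process creation events."""
import json
from collections import Counter

# Constructed sample events in a simplified JSON-lines shape. The field names are
# an assumption of this example, not a vendor schema; map your SIEM fields onto them.
SAMPLE_EVENTS = r"""
{"host":"ws01","user":"alice","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c dir"}
{"host":"ws02","user":"bob","parent":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -File C:\\Users\\bob\\AppData\\Local\\Temp\\run.ps1"}
{"host":"srv01","user":"svc_backup","parent":"C:\\Windows\\System32\\services.exe","image":"C:\\Windows\\System32\\robocopy.exe","cmdline":"robocopy.exe D:\\data E:\\bak /MIR"}
{"host":"ws03","user":"carol","parent":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","image":"C:\\Windows\\System32\\mshta.exe","cmdline":"mshta.exe C:\\Users\\carol\\Downloads\\invoice.hta"}
{"host":"ws01","user":"alice","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\net.exe","cmdline":"net.exe user"}
"""

# Command interpreters and script hosts we treat as "shells".
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "bash.exe", "sh.exe"}
# Shells considered normal for interactive use in this (assumed) environment;
# any other member of SHELLS is reported as an unusual shell.
EXPECTED_SHELLS = {"cmd.exe", "powershell.exe"}
# Applications that open untrusted content and should not normally launch a shell.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                     "acrord32.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Built-in administration utilities worth a low-severity alert when run from a shell.
ADMIN_TOOLS = {"net.exe", "net1.exe", "whoami.exe", "reg.exe", "sc.exe",
               "wmic.exe", "schtasks.exe", "netsh.exe"}


def basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> list:
    """Parse JSON lines into event dicts, adding normalised image/parent names."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["image_name"] = basename(ev["image"])
        ev["parent_name"] = basename(ev["parent"])
        events.append(ev)
    return events


def evaluate(ev: dict) -> list:
    """Apply the parent/child rules to one event; return zero or more alerts."""
    img, par = ev["image_name"], ev["parent_name"]
    hits = []
    if par in DOCUMENT_HANDLERS and img in SHELLS:
        hits.append(("document_handler_spawned_shell", "high"))
    if img in SHELLS and img not in EXPECTED_SHELLS:
        hits.append(("unusual_shell", "medium"))
    if par in SHELLS and img in ADMIN_TOOLS:
        hits.append(("admin_tool_from_shell", "low"))
    return [{"rule": rule, "severity": sev, "host": ev["host"], "user": ev["user"],
             "parent": par, "image": img, "cmdline": ev["cmdline"]}
            for rule, sev in hits]


def run_detections(text: str) -> list:
    """Run every rule over every event in the central log and collect the alerts."""
    alerts = []
    for ev in parse_events(text):
        alerts.extend(evaluate(ev))
    return alerts


def summarise(alerts: list) -> Counter:
    """Count alerts per rule, the shape a daily review report would start from."""
    return Counter(a["rule"] for a in alerts)


if __name__ == "__main__":
    found = run_detections(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['severity']}] {a['rule']} host={a['host']} user={a['user']} "
              f"{a['parent']} -> {a['image']} :: {a['cmdline']}")
    print(dict(summarise(found)))
```

On the constructed sample the Word-launched PowerShell and the Chrome-launched `mshta.exe` are flagged as document handlers spawning shells, `mshta.exe` is additionally flagged as an unusual shell, and `net.exe` run from `cmd.exe` gets a low-severity admin-tool alert; the ordinary `explorer.exe` to `cmd.exe` and `services.exe` to `robocopy.exe` events produce nothing. Each alert carries host, user and full command line so an analyst can pivot straight back to the central log.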
Implementation tips
- IT team should set up a logging system: Use software that records every command line action on all networked computers. Ensure the software is compatible with your systems and regularly check it's capturing all relevant data.
- System administrators should monitor logs: Have designated staff regularly review the logs for any unusual or unauthorised activities. Set up alerts for certain types of actions that should be flagged for further investigation.
- Managers should ensure staff are trained: Organise basic training for staff to recognise the importance of command line security. Explain what actions on their part might be recorded and why it's crucial for protecting business assets.
- IT team should back up logs regularly: Implement a secure and automated process for backing up log data to prevent loss in case of system failures. Ensure backups are stored securely and can be easily restored if needed.
- Management should conduct periodic reviews: Schedule regular meetings to review the effectiveness of logging practices. Discuss any incidents detected through logs and update procedures to address any uncovered vulnerabilities.
Audit / evidence tips
- Ask for the logging software specifications: request documentation showing what software is used for logging command line activities.
  Good evidence shows software that matches your system's needs and captures comprehensive activity logs.
- Ask for a sample log report: request a copy of a typical command line activity report from the last month.
  Good evidence includes clear, readable logs that track who made changes and when.
- Ask for the training records: request evidence of training sessions provided to staff about command line security.
  Good evidence includes dated records showing active training programs tailored to staff roles.
- Ask for backup procedures: request the documented procedures for backing up log files.
  Good evidence includes clear procedures with accountability for maintaining data integrity and confidentiality.
- Ask for incident review meetings: request minutes or reports from meetings discussing log reviews and incidents.
  Good evidence shows regular evaluations and updates to security practices based on logs.
Cross-framework mappings
How ISM-1889 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.15 | ISM-1889 requires a specific class of security-relevant logging: centrally recording command line process creation events |
| Supports | Annex A 8.16 | ISM-1889 requires central logging of command line process creation events to improve visibility of potentially suspicious execution behav... |
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | E8-AH-ML2.11 | ISM-1889 requires central logging of command line process creation events to provide visibility of command shell activity |
| Supports | E8-AC-ML3.5 | ISM-1889 requires that command line process creation events are centrally logged |
| Related | E8-AH-ML2.12 | E8-AH-ML2.12 requires organisations to centrally log command line process creation events for monitoring and detection |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.