Title

The auditing process DOES NOT record security relevant actions such as the changing of security levels or categories of information (Cat II impact)

Discussion

Requirement: The IAO will ensure that the auditing process records security relevant actions (e.g., the changing of security levels or categories of information). Security relevant actions such as the following should be recorded to provide an effective security audit process: - Logons and logouts - Excessive logon attempts/failures - Remote system access - Change in privileges or security attributes - Change of security levels or categories of information - Failed attempts to access restricted system privilege levels or data files - Audit file access (if possible) - Password changes - Device configuration changes The information that each audit record should have is as follows: - Date and time of the event - Origin of the request (e.g., terminal ID) - Unique ID of the user who initiated the event - Type of event - Success or failure - Description of modification to configurations

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc as applicable.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Additional Identifiers

Rule ID: SV-9043r1_rule

Vulnerability ID: V-8546

Group Title: Auditing does NOT record security events

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.