Title

The auditing records do not record activities that may change, bypass, or negate safeguards built into the software. (Cat II impact)

Discussion

Requirement: The IAO will ensure that the auditing process records commands, actions, and activities executed during each session that might change, bypass, or negate safeguards built into the software. Actions that have the potential to change, bypass, or negate safeguards must be recorded in the audit files. This will identify suspicious activities that are being investigated and will assist investigators in following the course of events that have led to a situation that is being examined.

Check Content

Have the IAO or SA demonstrate compliance with the requirement; minimally on a sampling of the related or effected devices. Inspect configuration files as applicable.

Fix Text

Ensure that the system records commands, actions, and activities executed during each user session that might change, bypass, or negate safeguards built into the software.

Additional Identifiers

Rule ID: SV-8462r1_rule

Vulnerability ID: V-7976

Group Title: Auditing does not record security bypass

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.