CCI-000123
CCI-000123 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed determines whether the information system is capable of auditing:
- Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. classification levels)
- Successful and unsuccessful logon attempts
- Privileged activities or other system level access
- Starting and ending time for user access to the system
- Concurrent logons from different workstations
- Successful and unsuccessful accesses to objects
- All program initiations
- All direct access to the information system
- All account creations, modifications, disabling, and terminations
- All kernel module load, unload, and restart

The organization must document those auditable events that are not captured.

DoD has defined the information system auditable events as:
- Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. classification levels)
- Successful and unsuccessful logon attempts
- Privileged activities or other system level access
- Starting and ending time for user access to the system
- Concurrent logons from different workstations
- Successful and unsuccessful accesses to objects
- All program initiations
- All direct access to the information system
- All account creations, modifications, disabling, and terminations
- All kernel module load, unload, and restart
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documentation of the auditable events to ensure the information system is capable of auditing:
- Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. classification levels)
- Successful and unsuccessful logon attempts
- Privileged activities or other system level access
- Starting and ending time for user access to the system
- Concurrent logons from different workstations
- Successful and unsuccessful accesses to objects
- All program initiations
- All direct access to the information system
- All account creations, modifications, disabling, and terminations
- All kernel module load, unload, and restart

DoD has defined the information system auditable events as:
- Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. classification levels)
- Successful and unsuccessful logon attempts
- Privileged activities or other system level access
- Starting and ending time for user access to the system
- Concurrent logons from different workstations
- Successful and unsuccessful accesses to objects
- All program initiations
- All direct access to the information system
- All account creations, modifications, disabling, and terminations
- All kernel module load, unload, and restart
Compelling Evidence
1. Signed and dated audit and accountability policy
2. Defined list of auditable events
3. Sample of logged events