CCI-000123

Identify the organization-defined event types that the system is capable of logging in support of the audit function.

Implementation Guidance

The organization being inspected/assessed determines whether the information system is capable of auditing: - successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. Classification levels), - Successful and unsuccessful logon attempts, - Privileged activities or other system level access, - Starting and ending time for user access to the system, - Concurrent logons from different workstations, - Successful and unsuccessful accesses to objects, - All program initiations, - All direct access to the information system, - All account creations, modifications, disabling, and terminations, - All kernel module load, unload, and restart. The organization must document those auditable events that are not captured. DoD has defined the information system auditable events as successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. classification levels). Successful and unsuccessful logon attempts, Privileged activities or other system level access, Starting and ending time for user access to the system, Concurrent logons from different workstations, Successful and unsuccessful accesses to objects, All program initiations, All direct access to the information system. All account creations, modifications, disabling, and terminations. All kernel module load, unload, and restart.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documentation of the auditable events to ensure the information system is capable of auditing the: - successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. Classification levels), - Successful and unsuccessful logon attempts, - Privileged activities or other system level access, - Starting and ending time for user access to the system, - Concurrent logons from different workstations, - Successful and unsuccessful accesses to objects, - All program initiations, - All direct access to the information system, - All account creations, modifications, disabling, and terminations, - All kernel module load, unload, and restart. DoD has defined the information system auditable events as successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. classification levels). Successful and unsuccessful logon attempts, Privileged activities or other system level access, Starting and ending time for user access to the system, Concurrent logons from different workstations, Successful and unsuccessful accesses to objects, All program initiations, All direct access to the information system. All account creations, modifications, disabling, and terminations. All kernel module load, unload, and restart.

Compelling Evidence

1.) Signed and dated audit and accountability policy 2.) Defined list of auditable events 3.) Sample of logged events

The controls below (if any) were marked by NIST as being related to CCI-000123.