Navigate

AU-5

AU-5: Response to Audit Logging Process Failures

a: Alert [personnel or roles receiving audit logging process failure alerts are defined;] within [time period for personnel or roles receiving audit logging process failure alerts is defined;] in the event of an audit logging process failure; and

b: Take the following additional actions: [additional actions to be taken in the event of an audit logging process failure are defined;].

Supplemental

Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	low

Overlays
CMMC, DAF Baseline, Privacy (high), Privacy (moderate)

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to AU-5.

Control	Description
AU-2	a: Identify the types of events that the system is capable of logging in support of the audit function: [the event types that the system is capable of logging in support of the audit function are defined;]; b: Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c: Specify the following event types for logging within the system: [one of ]; d: Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e: Review and update the event types selected for logging [the frequency of event types selected for logging are reviewed and updated;].
AU-4	Allocate audit log storage capacity to accommodate [audit log retention requirements are defined;].
AU-7	Provide and implement an audit record reduction and report generation capability that: a: Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b: Does not alter the original content or time ordering of audit records.
AU-9	a: Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b: Alert [personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;] upon detection of unauthorized access, modification, or deletion of audit information.
AU-11	Retain audit records for [a time period to retain audit records that is consistent with the records retention policy is defined;] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.
AU-12	a: Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on [system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;]; b: Allow [personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;] to select the event types that are to be logged by specific components of the system; and c: Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3).
AU-14	a: Provide and implement the capability for [users or roles who can audit the content of a user session are defined;] to [one or more of "record"/"view"/"hear"/"log"] the content of a user session under [circumstances under which the content of a user session can be audited are defined;] ; and b: Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
SI-4	a: Monitor the system to detect: 1: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;] ; and 2: Unauthorized local, network, and remote connections; b: Identify unauthorized use of the system through the following techniques and methods: [techniques and methods used to identify unauthorized use of the system are defined;]; c: Invoke internal monitoring capabilities or deploy monitoring devices: 1: Strategically within the system to collect organization-determined essential information; and 2: At ad hoc locations within the system to track specific types of transactions of interest to the organization; d: Analyze detected events and anomalies; e: Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f: Obtain legal opinion regarding system monitoring activities; and g: Provide [system monitoring information to be provided to personnel or roles is defined;] to [personnel or roles to whom system monitoring information is to be provided is/are defined;] [one or more of "as needed"/"{{ insert: param, si-04_odp.06 }} "].
SI-12	Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

Enhancements

The controls below (if any) add on to the requirements of AU-5.

Control	Description
AU-5(1)	Provide a warning to [personnel, roles, and/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity.] within [time period for defined personnel, roles, and/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity is defined;] when allocated audit log storage volume reaches [percentage of repository maximum audit log storage capacity is defined;] of repository maximum audit log storage capacity.
AU-5(2)	Provide an alert within [real-time period requiring alerts when audit failure events (defined in AU-05(02)_ODP[03]) occur is defined;] to [personnel, roles, and/or locations to be alerted in real time when audit failure events (defined in AU-05(02)_ODP[03]) occur is/are defined;] when the following audit failure events occur: [audit logging failure events requiring real-time alerts are defined;].
AU-5(3)	Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and [one or more of "reject"/"delay"] network traffic above those thresholds.
AU-5(4)	Invoke a [one or more of "full system shutdown"/"partial system shutdown"/"degraded operational mode with limited mission or business functionality available"] in the event of [audit logging failures that trigger a change in operational mode are defined;] , unless an alternate audit logging capability exists.
AU-5(5)	Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements [an alternate audit logging functionality in the event of a failure in primary audit logging capability is defined;].

Related CCIs

The CCIs below are tied to AU-5.

CCI	Definition
CCI-000139	Alert organization-defined personnel or roles within an organization-defined time period in the event of an audit logging process failure.
CCI-000140	Take organization-defined actions upon audit failure include, shutting down the system, overwriting oldest audit records, and stopping the generation of audit records.
CCI-001490	Defines the actions to be taken by the system upon audit failure, including shutting down the system, overwriting oldest audit records, and stopping the generation of audit records.
CCI-001572	Defines the personnel or roles to be alerted in the event of an audit logging process failure.
CCI-003814	Defines the time-period for the alert in the event of an audit process failure.