Navigate

AU-6 (8)

AU-6 (8): Full Text Analysis Of Privileged Commands

The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis.

Supplemental

This control enhancement requires a distinct environment for the dedicated analysis of audit information related to privileged users without compromising such information on the information system where the users have elevated privileges including the capability to execute privileged commands. Full text analysis refers to analysis that considers the full text of privileged commands (i.e., commands and all parameters) as opposed to analysis that considers only the name of the command. Full text analysis includes, for example, the use of pattern matching and heuristics.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Classified, Cross Domain (Access), Cross Domain (Multilevel), Cross Domain (Transfer), Int-A, Int-B, Int-C

Related Controls

The controls below (if any) were marked by NIST as being related to AU-6 (8).

Control	Description
AU-3	The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
AU-9	The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
AU-11	The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
AU-12	The information system: AU-12a.: Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components]; AU-12b.: Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and AU-12c.: Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

Enhancements

The controls below (if any) add on to the requirements of AU-6 (8).

Control	Description
No controls

Related CCIs

The CCIs below are tied to AU-6 (8).

CCI	Definition
CCI-001870	The organization performs a full-text analysis of audited privileged commands in a physically-distinct component or subsystem of the information system, or other information system that is dedicated to that analysis.