NIST 800-171 - Auditable Event Generation (3.3.1)

Overview:
Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.

Action Items:
3.3.1[a]
Determine if: audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified.

3.3.1[b]
Determine if: the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined.

3.3.1[c]
Determine if: audit records are created (generated).

3.3.1[d]
Determine if: audit records, once created, contain the defined content.

3.3.1[e]
Determine if: retention requirements for audit records are defined.

3.3.1[f]
Determine if: audit records are retained as defined.

POTENTIAL ASSESSMENT METHODS AND OBJECTS

1
Examine: Audit and accountability policy; procedures addressing auditable events; system security plan; system design documentation; system configuration settings and associated documentation; procedures addressing control of audit records; procedures addressing audit record generation; system audit logs and records; system auditable events; system incident reports; other relevant documents or records].

2
Interview: Personnel with audit and accountability responsibilities; personnel with information security responsibilities; personnel with audit review, analysis and reporting responsibilities; system or network administrators].

3
Test: Mechanisms implementing system audit logging].

Related Documents (document name and content will vary by organization):
1) Audit and accountability policy
2) procedures addressing auditable events
3) system security plan
4) system design documentation
5) system configuration settings and associated documentation
6) procedures addressing control of audit records
7) procedures addressing audit record generation
8) system audit logs and records
9) system auditable events
10) system incident reports
11) other relevant documents or records

Additional Guidance:
An event is any observable occurrence in a system. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include, for example, password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance.

Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloud-based architectures.

Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred).

Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs should be reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. NIST Special Publication 800-92 provides guidance on security log management.