7. TECHNICAL CONTROLS
7.2 Audit and Accountability (AU)
Audit and accountability provides the means and mechanisms to relate specific system- or application-level behavior to a particular individual. An individual can be held responsible for their behavior by linking user accounts to system activity. Audit capability includes defining who will be audited, what process or processes shall be used, the mechanisms or tools used, what information shall be captured, who will review the information, the frequency of the review, and the archiving of audit data (referred to as audit trails or system logs).
In conjunction with the appropriate tools and procedures, auditing can assist in detecting security violations, performance problems, and application flaws. Audit data shall be of sufficient granularity to support investigations in the event of a security incident and designed to support system reconstruction and recovery.
Policy: Audit and accountability activities provide Office of Personnel Management (OPM) with a means to independently and objectively evaluate the security status of its information systems and related processes. OPM System Owners (SO) shall:
• Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and
• Ensure that the actions of individual OPM users can be uniquely traced to those users so that they can be held accountable for their actions.
7.2.1 Audit and Accountability Policy and Procedures (AU-1)
The policies under this family are implemented with the OPM-wide Audit and Accountability Procedure. Operational audit and accountability procedures may be developed by program offices and operational groups where necessary. Audit and accountability procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.
7.2.2 Auditable Events (AU-2)
Auditable events are those activities that can be tracked and that provide information regarding system resource usage. SOs shall generate audit logs that show the addition, modification, or deletion of information from an information system; these occurrences are called "events". Auditing activity can affect information system performance. Therefore, based upon risk assessment and current threat information, OPM shall decide which events require auditing on a continuous basis and which events require auditing in response to specific situations. The SO shall ensure:
• Based on a risk assessment and mission/business needs, that the information system is capable of auditing the following events. Checklists and configuration guides from http://csrc.nist.gov/pcig/cig.html provide recommended lists of auditable events; the following are possible events to audit:
• Account creation, modification, disabling, and deletion
• Administrative permissions executed on user accounts (e.g., inclusion in access groups, reset of password, account lockout override)
• Administrative permissions executed on system resources (e.g., addition of users or groups to access lists, creation of share points, creation of new access groups, change of access group permissions)
• Failed login attempts and account lockout
• Use of ‘su’, ‘pu’, ‘root’, and ‘administrator’, or equivalent accounts
• Activity log roll-over, deletion, or editing
• All computer-readable data extracts from databases containing Personally Identifiable Information (PII)
• Successful logins
• Coordination of the security audit function with other organizational entities requiring audit related information to enhance mutual support and to help guide the selection of auditable events;
• A rationale for why the list of auditable events is deemed adequate to support after-the-fact investigations of security incidents is provided; and
• Based on current threat information and ongoing assessment of risk, the determination of what events are to be audited within the information system, and the frequency of each audit: SO will determine a subset of events to be audited along with the frequency of (or situation requiring) auditing for each identified event based on assessment of risk.
The SO shall ensure review and update of the list of auditable events at least annually. (Moderate and High)
The SO shall ensure inclusion of execution of privileged functions in the list of events to be audited by the information system. (Moderate and High)
7.2.3 Content of Audit Records (AU-3)
The SO shall ensure the information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.
Audit record content that may be necessary to meet this requirement includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
System Owners (SOs) shall ensure information systems provide the capability to include more detailed audit log information by type, location, or subject when required to support investigations. (Moderate and High)
The SO shall ensure central management of the content of audit records generated by individual components throughout the system. (High)
7.2.4 Audit Storage Capacity (AU-4)
The SO shall ensure allocation of audit record storage capacity and configure auditing to reduce the likelihood that audit storage capacity will be exceeded.
7.2.5 Response to Audit Processing Failures (AU-5)
The SO shall ensure configuration of the information system to:
• Alert designated organizational officials in the event of an audit processing failure; and
• Take the following additional actions: continue logging by overwriting the oldest audit records.
The SO shall ensure configuration of the information system to provide a warning when allocated audit record storage volume reaches 80% of maximum capacity. The information system shall provide a real-time alert when an audit failure event occurs, such as loss of the ability to log events. (High)
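The following is an added example, not part of the OPM policy text, showing how the AU-4 and AU-5 requirements above translate into a bounded audit store: it warns once when occupancy first reaches 80% of the allocated capacity, and when the store is full it continues logging by overwriting the oldest record while alerting the designated official about the processing failure. The capacity value, the record format, and the alert callback are assumptions chosen for illustration.

```python
"""Added example (not OPM's code): a fixed-capacity audit trail implementing the
AU-4/AU-5 behaviour described in the policy text.  Capacity, record layout and
the alert sink are illustrative assumptions."""
from collections import deque
from typing import Callable, Deque, Dict, List, Optional

WARNING_THRESHOLD = 0.80  # policy: warn at 80% of allocated audit storage


class BoundedAuditStore:
    """Audit trail with a hard storage limit.

    - emits one warning when occupancy first reaches WARNING_THRESHOLD
    - when full, keeps logging by overwriting the oldest record (the policy's
      chosen additional action) and alerts on the first such processing failure
    """

    def __init__(self, capacity: int, alert: Optional[Callable[[str], None]] = None):
        if capacity < 1:
            raise ValueError("capacity must be a positive number of records")
        self.capacity = capacity
        # deque(maxlen=...) discards the oldest entry automatically when full
        self._records: Deque[Dict] = deque(maxlen=capacity)
        self._alert = alert or print          # designated-official notification sink (assumed)
        self.alerts: List[str] = []           # retained copy of every alert raised
        self.overwritten = 0                  # records lost to overwriting
        self._warned = False

    def _notify(self, message: str) -> None:
        self.alerts.append(message)
        self._alert(message)

    def occupancy(self) -> float:
        """Fraction of allocated storage currently in use."""
        return len(self._records) / self.capacity

    def append(self, record: Dict) -> None:
        """Store one audit record, applying the AU-5 warning and failure rules."""
        if len(self._records) == self.capacity:
            # Storage exhausted: this append overwrites the oldest record.
            self.overwritten += 1
            if self.overwritten == 1:
                self._notify("audit processing failure: storage full; "
                             "continuing by overwriting oldest audit records")
        self._records.append(record)
        if not self._warned and self.occupancy() >= WARNING_THRESHOLD:
            self._warned = True
            self._notify(f"audit storage at {self.occupancy():.0%} of capacity "
                         f"({len(self._records)}/{self.capacity} records)")

    def records(self) -> List[Dict]:
        """Snapshot of the retained records, oldest first."""
        return list(self._records)


if __name__ == "__main__":
    store = BoundedAuditStore(capacity=10)
    for seq in range(12):                      # constructed sample records
        store.append({"seq": seq, "event_type": "login"})
    print("retained:", [r["seq"] for r in store.records()])
    print("overwritten:", store.overwritten)
```

In a real deployment the alert sink would forward to the monitoring channel the designated officials actually watch; the point of the example is that the threshold warning and the overwrite-on-full behaviour are separate, explicitly surfaced events rather than silent drops.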
7.2.6 Audit Review, Analysis, and Reporting (AU-6)
The SO shall ensure:
• Review and analysis of the information system audit records at a frequency equivalent to the Federal Information Processing Standard (FIPS) 199 security categorization for indications of inappropriate or unusual activity, and report findings to designated OPM officials.
• Adjustment of the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.
The SO shall ensure integration of audit review, analysis, and reporting processes to support OPM processes for investigation and response to suspicious activities. (High)
7.2.7 Audit Reduction and Report Generation (AU-7)
The SO shall ensure audit reduction and report generation capabilities. An audit reduction and report generation capability provides support for near real-time audit review, analysis, and reporting to support after-the-fact investigations of security incidents. Audit reduction and reporting tools do not alter original audit records.
The information system shall provide the capability to automatically process audit records for events of interest based on selectable event criteria. (Moderate and High)
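The following is an added example, not part of the OPM policy text, covering two of the requirements above together: the AU-3 check that every record carries the minimum content (event type, date and time, where, source, outcome, and subject), and AU-7 audit reduction that selects records by caller-chosen criteria without altering the originals. The field names and the sample records are constructed for illustration and are not OPM's schema.

```python
"""Added example (not OPM's code): AU-3 minimum-content validation and AU-7
audit reduction over structured audit records.  Field names and sample data
are constructed assumptions."""
import copy
from typing import Any, Callable, Dict, Iterable, List, Union

# AU-3 minimum content: what, when, where, source, outcome, subject.
# The concrete field names are assumed for this example.
REQUIRED_FIELDS = ("event_type", "timestamp", "host", "source", "outcome", "subject")

# Constructed sample records (not real log data).
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"event_type": "login", "timestamp": "2024-03-01T12:00:00+00:00", "host": "app01",
     "source": "10.0.0.5", "outcome": "failure", "subject": "jdoe"},
    {"event_type": "login", "timestamp": "2024-03-01T12:00:05+00:00", "host": "app01",
     "source": "10.0.0.5", "outcome": "failure", "subject": "jdoe"},
    {"event_type": "privileged_exec", "timestamp": "2024-03-01T12:01:00+00:00", "host": "app01",
     "source": "10.0.0.5", "outcome": "success", "subject": "jdoe", "command": "su"},
    # Missing "subject": does not satisfy AU-3 and should be flagged.
    {"event_type": "account_delete", "timestamp": "2024-03-01T12:05:00+00:00", "host": "idm02",
     "source": "10.0.0.9", "outcome": "success"},
]


def missing_fields(record: Dict[str, Any]) -> List[str]:
    """Return the AU-3 minimum fields that are absent or empty in one record."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def validate(records: Iterable[Dict[str, Any]]) -> Dict[int, List[str]]:
    """Map record index -> missing fields, for every record that fails AU-3."""
    failures: Dict[int, List[str]] = {}
    for idx, rec in enumerate(records):
        missing = missing_fields(rec)
        if missing:
            failures[idx] = missing
    return failures


Criterion = Union[Any, Callable[[Any], bool]]


def reduce_audit(records: Iterable[Dict[str, Any]], **criteria: Criterion) -> List[Dict[str, Any]]:
    """AU-7 audit reduction: keep records matching every criterion.

    A criterion value is either a literal to compare against, or a predicate
    called with the field's value.  Results are deep copies, so report
    generation can annotate them without touching the original audit records.
    """
    def matches(rec: Dict[str, Any]) -> bool:
        for field, want in criteria.items():
            have = rec.get(field)
            if callable(want):
                if not want(have):
                    return False
            elif have != want:
                return False
        return True

    return [copy.deepcopy(r) for r in records if matches(r)]


def failed_logins_by_subject(records: Iterable[Dict[str, Any]]) -> Dict[str, int]:
    """Small report: count of failed logins per subject (one 'event of interest')."""
    counts: Dict[str, int] = {}
    for rec in reduce_audit(records, event_type="login", outcome="failure"):
        counts[rec["subject"]] = counts.get(rec["subject"], 0) + 1
    return counts


if __name__ == "__main__":
    print("AU-3 failures:", validate(SAMPLE_RECORDS))
    print("privileged:", reduce_audit(SAMPLE_RECORDS, event_type="privileged_exec"))
    print("failed logins:", failed_logins_by_subject(SAMPLE_RECORDS))
```

The predicate form of a criterion is what makes the selection "selectable": `reduce_audit(records, timestamp=lambda t: t >= "2024-03-01T12:01:00")` narrows to a time window without any change to the stored records, which is the property AU-7 requires of reduction tools.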
7.2.8 Time Stamps (AU-8)
The SO shall ensure information systems use internal system clocks to generate time stamps for audit records. Time stamps generated by the information system include both date and time.
The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
SOs shall synchronize internal information system clocks automatically with authoritative Network Time Protocol (NTP) servers. (Moderate and High)
7.2.9 Protection of Audit Information (AU-9)
The SO shall ensure protection of audit information and audit tools from unauthorized access, modification, and deletion. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit information shall be protected while online and during offline storage.
7.2.10 Non-Repudiation (AU-10)
Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message. Non-repudiation protects users from being falsely accused of not completing an activity such as sending an email message or not signing an electronic document. Digital signatures are one mechanism for ensuring non-repudiation. The digital signature can be used to prove to a recipient or third party that the originator did in fact sign the message.
The information system shall protect against an individual falsely denying having performed a particular action. (High)
7.2.11 Audit Record Retention (AU-11)
The SO shall ensure retention of information system audit records according to records disposition schedules established in Office of Personnel Management's (OPM) Records Management Handbook to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
The organization retains audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoena, and law enforcement actions. Standard categorizations of audit records relative to such types of actions and standard response processes for each type of action are developed and disseminated; the National Archives and Records Administration (NARA) General Records Schedules (GRS) provide federal policy on record retention.
7.2.12 Audit Generation (AU-12)
System Owners shall ensure configuration of information systems to:
• Provide audit record generation capability for the list of auditable events defined in AU-2 at individual components throughout the system;
• Allow designated organizational personnel to select which auditable events are to be audited by specific components of the system; and
• Generate audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.
Information systems shall compile audit records from individual components throughout the system where logging is possible, into a system-wide (logical or physical) audit trail that is time-correlated to within less than 1 second of National Institute of Standards and Technology (NIST) atomic clock servers. (High)
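The following is an added example, not part of the OPM policy text, tying together the AU-8 time stamp rules (date and time, expressed in UTC or as local time with a UTC offset) and the AU-12 requirement that a system-wide audit trail be time-correlated to within less than 1 second of an authoritative source. It normalizes stamps from several components to UTC, rejects stamps that carry no offset (which cannot be correlated reliably), and reports components whose clocks drift past the tolerance. The component names, sample readings, and reference stamp are constructed for illustration.

```python
"""Added example (not OPM's code): AU-8 time stamp normalization to UTC and an
AU-12 clock-correlation check across system components.  Component names,
readings and the reference stamp are constructed sample data."""
from datetime import datetime, timezone, timedelta
from typing import Dict, List, Tuple

# AU-12: system-wide audit trail time-correlated to within less than 1 second.
MAX_SKEW = timedelta(seconds=1)


def to_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 stamp carrying date, time and UTC offset; return it in UTC.

    Local time is accepted only with an explicit offset (AU-8).  A stamp with
    no offset is ambiguous and is rejected rather than guessed at.
    """
    dt = datetime.fromisoformat(stamp.replace("Z", "+00:00"))  # 'Z' accepted pre-3.11 too
    if dt.tzinfo is None:
        raise ValueError(f"time stamp lacks a UTC offset: {stamp!r}")
    return dt.astimezone(timezone.utc)


def utc_stamp(now: datetime = None) -> str:
    """Produce an AU-8 compliant stamp (date + time, UTC) for a new audit record."""
    now = now or datetime.now(timezone.utc)
    return now.astimezone(timezone.utc).isoformat(timespec="milliseconds")


def check_correlation(readings: Dict[str, str], reference: str) -> List[Tuple[str, float]]:
    """Return (component, skew_seconds) for every component outside MAX_SKEW.

    readings  : component -> that component's stamp for one shared instant
    reference : the authoritative (NTP-derived) stamp for the same instant
    """
    ref = to_utc(reference)
    drifted: List[Tuple[str, float]] = []
    for component, stamp in readings.items():
        skew = abs(to_utc(stamp) - ref)
        if skew >= MAX_SKEW:
            drifted.append((component, skew.total_seconds()))
    return drifted


# Constructed sample: one instant as seen by three components, in mixed formats.
REFERENCE_STAMP = "2024-03-01T17:00:00Z"                   # authoritative source, UTC
SAMPLE_READINGS = {
    "app01": "2024-03-01T12:00:00.400-05:00",              # local time + offset, 0.4 s fast
    "idm02": "2024-03-01T17:00:00+00:00",                   # exactly on time
    "db03":  "2024-03-01T17:00:02+00:00",                   # 2 s fast: violates AU-12
}

if __name__ == "__main__":
    print("new record stamp:", utc_stamp())
    print("components outside tolerance:", check_correlation(SAMPLE_READINGS, REFERENCE_STAMP))
```

The check is a consistency test on the records you already have, not a replacement for NTP synchronization (AU-8): running it over a sample of recent records from each component is a cheap way to detect a host whose NTP client has silently stopped before its records become impossible to line up with the rest of the trail.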