This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
NIST 800-53 (r4) Supplemental Guidance:
Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11.
References: None.
NIST 800-53 (r5) Discussion:
Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f). Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage.
38North Guidance:
Meets Minimum Requirement:
This control ensures the Cloud Service Provider's (CSP) Cloud Service Offering (CSO) can produce audit trail data with sufficient detail to hold individuals accountable for their actions, reconstruct events that took place, monitor system problems, and capture intrusion detection events. At a minimum, the content of the logs should establish the type of event that occurred, the date and time of the event, where in the system the event occurred, the source of the event, whether the event succeeded or failed, and any user or subject associated with the event in question.
Best Practice:
Ensure all CSO components synchronize their clocks to a CSO Network Time Protocol (NTP) server so that time is consistent across the CSO. Furthermore, make sure the NTP server itself is set to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) so that the time stamps within your audit logs are consistent and accurate.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Audit records from each CSO component, or a representative sample from each CSO component.
Ensure all audit logs from the CSO capture the date and time of the event, the type of event, where it occurred, its outcome, and the individuals or subjects involved.
Determine whether the CSP uses a SIEM tool to support log aggregation.
Ensure all audit logs from the CSO report to the SIEM tool, and that the aggregated logs still capture the date and time of the event, the type of event, where it occurred, its outcome, and the individuals or subjects involved.
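An assessor can script the evidence check above rather than eyeballing a log sample. The following is an added example (it is not 38North's or any CSP's code) that reads JSON-lines audit records, confirms each one carries the six AU-3 content elements (event type, time, location, source, outcome, subject), and also applies the Best Practice point that time stamps should be UTC with an explicit offset. The field names, the allowed outcome values, and the sample log lines are all constructed assumptions; a real CSO schema (CloudTrail, Azure Activity Log, GCP audit logs) uses different keys, so the REQUIRED_FIELDS mapping is the part you would adapt.

```python
"""AU-3 content check for JSON-lines audit records (added example, assumed schema)."""
import json
from datetime import datetime, timedelta

# Assumed mapping from the AU-3 content elements to the field names of a
# hypothetical audit schema. Adapt the keys to the CSO's real log format.
REQUIRED_FIELDS = {
    "event_type": "what type of event occurred",
    "timestamp": "when the event occurred",
    "component": "where the event occurred",
    "source": "source of the event",
    "outcome": "outcome of the event",
    "subject": "identity of any individuals or subjects",
}

# Assumed vocabulary for the success/fail indication.
ALLOWED_OUTCOMES = {"success", "failure"}


def timestamp_is_utc(value):
    """True if value is ISO 8601 with an explicit zero offset (Z or +00:00)."""
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (ValueError, AttributeError):
        return False
    return ts.tzinfo is not None and ts.utcoffset() == timedelta(0)


def check_record(record):
    """Return a list of AU-3 findings for one parsed record; empty means compliant."""
    findings = []
    for field, meaning in REQUIRED_FIELDS.items():
        if field not in record or record[field] in (None, ""):
            findings.append(f"missing '{field}' ({meaning})")
    if "timestamp" in record and not timestamp_is_utc(record.get("timestamp")):
        findings.append("timestamp is not UTC ISO 8601 with an explicit offset")
    if "outcome" in record and record["outcome"] not in ALLOWED_OUTCOMES:
        findings.append(f"outcome '{record['outcome']}' is not success/failure")
    return findings


def check_log(lines):
    """Check each JSON line; return {line_number: findings} for non-compliant lines."""
    results = {}
    for number, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            results[number] = ["unparseable record"]
            continue
        findings = check_record(record)
        if findings:
            results[number] = findings
    return results


# Constructed sample log: line 1 is complete, line 2 lacks an outcome,
# line 3 has a naive local-time stamp and a non-standard outcome, line 4 is garbage.
SAMPLE_LOG = [
    '{"timestamp": "2024-03-01T12:00:00Z", "event_type": "user.login", '
    '"component": "api-gw-01", "source": "203.0.113.7", "outcome": "success", "subject": "alice"}',
    '{"timestamp": "2024-03-01T12:00:05Z", "event_type": "file.read", '
    '"component": "app-02", "source": "10.0.2.15", "subject": "svc-backup"}',
    '{"timestamp": "2024-03-01 07:00:10", "event_type": "user.logout", '
    '"component": "api-gw-01", "source": "203.0.113.7", "outcome": "ok", "subject": "alice"}',
    "not json at all",
]

if __name__ == "__main__":
    for number, findings in sorted(check_log(SAMPLE_LOG).items()):
        print(f"line {number}:")
        for finding in findings:
            print(f"  - {finding}")
```

Run against a real export, the non-empty result set is the list of records that would fail the evidence request; an empty result for every component in the sample supports a "meets" finding for this control.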
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD