This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system generates audit records containing the following additional information: [FedRAMP Assignment: (M) Assignment: organization-defined additional, more detailed information; Parameter: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; (H) session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands].
AU-3 (1) Additional FedRAMP Requirements and Guidance: For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.
NIST 800-53 (r4) Supplemental Guidance:
Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest.
NIST 800-53 (r5) Discussion:
The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy.
38North Guidance:
Meets Minimum Requirement:
The Cloud Service Provider's (CSP) audit logs are required to contain the following information:
Session, connection, transaction, or activity duration;
For client-server transactions, the number of bytes received and bytes sent;
Additional informational messages to diagnose or identify the event;
Characteristics that describe or identify the object or resource being acted upon;
Individual identities of group account users;
Full text of privileged commands.
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Audit records from each Cloud Service Offering (CSO) component, or from a representative sample of each CSO component type.
Ensure all audit logs from the CSO are capturing the following for CSO components:
Session, connection, transaction, or activity duration;
For client-server transactions, the number of bytes received and bytes sent;
Additional informational messages to diagnose or identify the event;
Characteristics that describe or identify the object or resource being acted upon;
Individual identities of group account users;
Full text of privileged commands.
Determine whether the CSP uses a SIEM tool (e.g., Splunk, Graylog) to support all log aggregation.
Ensure all audit logs from the CSO are reporting to the SIEM tool and are capturing the following for CSO components:
Session, connection, transaction, or activity duration;
For client-server transactions, the number of bytes received and bytes sent;
Additional informational messages to diagnose or identify the event;
Characteristics that describe or identify the object or resource being acted upon;
Individual identities of group account users;
Full text of privileged commands.
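As an added example (not part of the 38North guidance or any CSP's tooling), the following Python script checks constructed sample audit records for the AU-3(1) content called out above and reports, per CSO component, which fields are missing. The field names, the "peer" marker for client-server transactions and the "-shared" naming convention for group accounts are assumptions; map them to the schema of the logs under assessment.

```python
"""Check constructed audit records for the AU-3(1) content listed above."""
import json

# Field names below are assumptions for this example; map them to your log schema.
CORE_FIELDS = ["duration_ms", "message", "object"]   # duration, diagnostic message, object acted upon
CLIENT_SERVER_FIELDS = ["bytes_in", "bytes_out"]     # bytes received / sent, client-server only
GROUP_ACCOUNT_FIELD = "actual_user"                  # individual behind a shared/group account
PRIVILEGED_CMD_FIELD = "command"                     # full text of the privileged command

# Constructed sample records (one JSON object per line), not real CSO logs.
SAMPLE_RECORDS = [
    '{"component":"api-gw","peer":"10.0.0.5","user":"alice","duration_ms":42,'
    '"bytes_in":512,"bytes_out":2048,"message":"GET /v1/items 200","object":"/v1/items"}',
    '{"component":"bastion","user":"ops-shared","actual_user":"bob","duration_ms":3,'
    '"message":"sudo exec","object":"/etc/shadow","privileged":true,'
    '"command":"sudo cat /etc/shadow"}',
    '{"component":"db","user":"ops-shared","duration_ms":15,"object":"orders","privileged":true}',
]


def missing_fields(record: dict) -> list:
    """Return the AU-3(1) fields this record lacks, in a stable order."""
    missing = [f for f in CORE_FIELDS if f not in record]
    # Assumption: client-server transactions carry a "peer" address.
    if "peer" in record:
        missing += [f for f in CLIENT_SERVER_FIELDS if f not in record]
    # Assumption: shared/group account names end with "-shared".
    if str(record.get("user", "")).endswith("-shared") and GROUP_ACCOUNT_FIELD not in record:
        missing.append(GROUP_ACCOUNT_FIELD)
    # Privileged actions must be logged with the full command text.
    if record.get("privileged") and PRIVILEGED_CMD_FIELD not in record:
        missing.append(PRIVILEGED_CMD_FIELD)
    return missing


def audit_gaps(lines: list) -> dict:
    """Map each CSO component to the fields its records omit (empty list = complete)."""
    gaps = {}
    for line in lines:
        record = json.loads(line)
        component_gaps = gaps.setdefault(record.get("component", "unknown"), [])
        for field in missing_fields(record):
            if field not in component_gaps:
                component_gaps.append(field)
    return gaps


if __name__ == "__main__":
    for component, fields in audit_gaps(SAMPLE_RECORDS).items():
        status = "complete" if not fields else "missing " + ", ".join(fields)
        print(f"{component}: {status}")
```

Run it against an export of real records (one JSON object per line) to produce a per-component gap list that can be attached directly as assessment evidence.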
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD