An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance.  Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloud-based architectures.  Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred).  Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making.  [SP 800-92] provides guidance on security log management. 

Priority: High  

Category:  Situational Awareness 

Services Associated with AWS:  

  • AWS CloudTrail, AWS Identity and Access Management (IAM), AWS Security Hub

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific
  • secure baseline configurations
  • Technical: screen shot of configuration settings
  • Technical: screen shot of logs from SIEM

Possible Technology Considerations : 

  • Centralized Log Management
  • Security Information & Event Management (SIEM)

What needs to be answered :  

Does the company create, protect, and retain system audit records for between 30 days and year to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity? Are there alert functions? Does the company review these audit records? 

  • Establish System Audit Log and Record Retention
    Description: This check ensures that organizations create and retain system audit logs and records to the extent necessary for monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Audit logs capture significant and relevant event types, including password changes, failed logons, administrative privilege usage, and third-party credential usage. The logs contain essential information such as time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access/control rules invoked. The retention period aligns with the organization's auditing needs and regulatory requirements.
  • Define Event Types for Logging
    Description: This check verifies that organizations have identified event types that require logging, based on their significance and relevance to system security. Event types are determined to meet specific auditing needs and can include actions related to CUI security requirements. Organizations strike a balance between monitoring and auditing needs and other system performance considerations.
  • Ensure Appropriate Level of Abstraction in Audit Records
    Description: This check ensures that audit records are generated at the appropriate level of abstraction, enabling effective root cause analysis and problem identification. The level of abstraction should capture necessary details, including packet-level information for network events. Organizations consider distributed processes and actions in service-oriented or cloud-based architectures when defining event types for logging.
  • Regularly Review and Analyze Audit Logs
    Description: This check verifies that audit logs are reviewed and analyzed regularly to provide critical information for risk-based decision-making. The frequency of review and analysis is determined by organizational needs. The analysis includes extracting relevant insights, detecting patterns, and identifying potential unauthorized or unlawful system activities.

More Details:   

Logging systems in place supported by company policies regarding 90 day retention and periodic review.