03.03.02: Audit Record Content
Control Family: Audit and Accountability
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
N/A
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.03.02
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5
AU-03
AU-03(01)
a. Include the following content in audit records:
1. What type of event occurred
2. When the event occurred
3. Where the event occurred
4. Source of the event
5. Outcome of the event
6. Identity of the individuals, subjects, objects, or entities associated with the event
b. Provide additional information for audit records as needed.
Discussion:
Audit record content that may be necessary to support the auditing function includes time stamps, source and destination addresses, user or process identifiers, event descriptions, file names, and the access control or flow control rules that are invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations consider in audit records may include a full text recording of privileged commands or the individual identities of group account users.
Assessment Methods and Objectives
Examine [SELECT FROM: audit and accountability policy and procedures; procedures for the content of audit records; list of organization-defined auditable events; system design documentation; system configuration settings; system audit records; system incident reports; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with audit and accountability responsibilities; personnel with information security responsibilities; system developers; system administrators]
Test [SELECT FROM: mechanisms for implementing system auditing of auditable events; system audit capability]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.03.02.a.01: audit records contain information that establishes what type of event occurred.
A.03.03.02.a.02: audit records contain information that establishes when the event occurred.
A.03.03.02.a.03: audit records contain information that establishes where the event occurred.
A.03.03.02.a.04: audit records contain information that establishes the source of the event.
A.03.03.02.a.05: audit records contain information that establishes the outcome of the event.
A.03.03.02.a.06: audit records contain information that establishes the identity of the individuals, subjects, objects, or entities associated with the event.
A.03.03.02.b: additional information for audit records is provided, as needed.
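Added example (not part of the NIST text): one way to test determining statements a.01 through a.06 against a sample of JSON-lines audit records. The field names, the any-one-of mapping, and the rule that a timestamp must carry a UTC offset are assumptions to adapt to your own log schema; the sample records are constructed.

```python
import json
from datetime import datetime

# Hypothetical field names; map them to your own log schema.
REQUIRED = {
    "A.03.03.02.a.01": ("event_type",),                # what type of event
    "A.03.03.02.a.02": ("timestamp",),                 # when it occurred
    "A.03.03.02.a.03": ("host", "component"),          # where (any one)
    "A.03.03.02.a.04": ("source_ip", "process"),       # source (any one)
    "A.03.03.02.a.05": ("outcome",),                   # success or failure
    "A.03.03.02.a.06": ("user", "subject", "object"),  # identity (any one)
}

def _present(record, names):
    # A field counts only if it exists and is not empty or whitespace.
    return any(str(record.get(n) or "").strip() for n in names)

def _valid_time(value):
    # Assumption: only ISO 8601 timestamps with a UTC offset establish "when".
    try:
        return datetime.fromisoformat(str(value).replace("Z", "+00:00")).tzinfo is not None
    except ValueError:
        return False

def check_record(record):
    """Return the determining statements this record fails to satisfy."""
    failed = [obj for obj, names in REQUIRED.items() if not _present(record, names)]
    if "A.03.03.02.a.02" not in failed and not _valid_time(record["timestamp"]):
        failed.append("A.03.03.02.a.02")
    return sorted(failed)

def assess(lines):
    """Map 1-based line number to failed statements, for failing lines only."""
    findings = {}
    for n, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
            failed = check_record(record) if isinstance(record, dict) else sorted(REQUIRED)
        except ValueError:  # not JSON: the line establishes nothing
            failed = sorted(REQUIRED)
        if failed:
            findings[n] = failed
    return findings

# Constructed sample records (not from any real system).
SAMPLE = [
    '{"event_type":"logon","timestamp":"2025-01-15T08:30:00Z","host":"ws-01","source_ip":"10.0.0.5","outcome":"failure","user":"jdoe"}',
    '{"event_type":"file_read","timestamp":"2025-01-15 08:31:00","host":"fs-01","process":"explorer.exe","user":"jdoe"}',
    'Jan 15 08:32:00 sshd: session opened',
]
```

Calling assess(SAMPLE) flags the second record for a.02 (timestamp without an offset) and a.05 (no outcome), and flags the unstructured third line for all six statements.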