AU 12 AUDIT RECORD GENERATION - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

Control:

• a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [ Assignment: organization-defined system components ];
• b. Allow [ Assignment: organization-defined personnel or roles ] to select the event types that are to be logged by specific components of the system; and
• c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.

Discussion: Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.

Related Controls: AC-6, AC-17, AU-2, AU-3, AU-4, AU-5, AU-6, AU-7, AU-14, CM-5, MA-4, MP-4, PM-12, SA-8, SC-18, SI-3, SI-4, SI-7, SI-10.

Control Enhancements:

• (1) AUDIT RECORD GENERATION | SYSTEM-WIDE AND TIME-CORRELATED AUDIT TRAIL
  Compile audit records from [ Assignment: organization-defined system components ] into a system-wide (logical or physical) audit trail that is time-correlated to within [ Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail ].

  Discussion: Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances.

  Related Controls: AU-8, SC-45.

• (2) AUDIT RECORD GENERATION | STANDARDIZED FORMATS
  Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.

  Discussion: Audit records that follow common standards promote interoperability and information exchange between devices and systems. Promoting interoperability and information exchange facilitates the production of event information that can be readily analyzed and correlated. If logging mechanisms do not conform to standardized formats, systems may convert individual audit records into standardized formats when compiling system-wide audit trails.

  Related Controls: None.

• (3) AUDIT RECORD GENERATION | CHANGES BY AUTHORIZED INDIVIDUALS
  Provide and implement the capability for [ Assignment: organization-defined individuals or roles ] to change the logging to be performed on [ Assignment: organization-defined system components ] based on [ Assignment: organization-defined selectable event criteria ] within [ Assignment: organization-defined time thresholds ].

  Discussion: Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed (e.g., near real-time, within minutes, or within hours).

  Related Controls: AC-3.

• (4) AUDIT RECORD GENERATION | QUERY PARAMETER AUDITS OF PERSONALLY IDENTIFIABLE INFORMATION
  Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.

  Discussion: Query parameters are explicit criteria that an individual or automated system submits to a system to retrieve data. Auditing of query parameters for datasets that contain personally identifiable information augments the capability of an organization to track and understand the access, usage, or sharing of personally identifiable information by authorized personnel.

  Related Controls: None.

References: None.