ECRG-1 Audit Reduction and Report Generation


Overview

Tools are available for the review of audit records and for report generation from audit records.

MAC: MACI, MACII, MACIII
CONF: Low
Subject Area: Enclave Computing Environment

Details

Threat
The amount of information in audit logs can be very large and extremely difficult to analyze manually, so important security-related events could be overlooked. Audit review tools are available that can query the audit records by user ID, date/time, or some other set of parameters to run reports of selected information.

Guidance
1. Determine if an audit reduction capability exists. This capability can be either OS provided or an add-on product.
2. Operating systems and applications shall have the capability to review audit records and generate reports from the audit records. Most operating systems and applications have built-in auditing capabilities, but if they don’t, a DOD-approved auditing utility shall be acquired. Selection of the individual approved software should be determined by auditing capabilities, ease of use, administrative overhead, and system overhead, as well as enterprise or organizational policy on auditing requirements.
3. Operating systems typically provide at least the minimum tools and utilities to review audit records and generate reports. Microsoft Windows Event Viewer tracks all security events and can selectively review audit records, and the Solaris operating system uses the ‘praudit’ utility for audit reviews.
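The query-by-user-and-time-window capability the Threat and Guidance sections describe, shown on constructed sample records as an added example; this is not code from the STIG or from any DOD-approved tool, and the syslog-like key=value record format, field names and values are assumptions. Malformed lines are kept and excluded from matching rather than dropped, so a reviewer can see that the log contains records the tool could not interpret.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records in an assumed syslog-like key=value format (not real log data).
SAMPLE_LOG = """\
2024-03-01T08:12:01Z host1 sshd[1022]: user=alice event=login result=success src=10.0.0.5
2024-03-01T08:15:44Z host1 sudo[1030]: user=alice event=priv_escalation result=success cmd=/bin/bash
2024-03-01T09:02:10Z host1 sshd[1101]: user=bob event=login result=failure src=198.51.100.7
2024-03-01T09:02:15Z host1 sshd[1101]: user=bob event=login result=failure src=198.51.100.7
2024-03-01T09:02:20Z host1 sshd[1101]: user=bob event=login result=failure src=198.51.100.7
this line is corrupt and must not be silently dropped
2024-03-02T10:30:00Z host1 sshd[1200]: user=alice event=logout result=success
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<fields>.*)$")

def parse_ts(s):
    """ISO-8601 UTC timestamp such as 2024-03-01T08:12:01Z -> timezone-aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)

def parse_records(text):
    """One dict per line; unparseable lines are kept with ts=None so a reviewer sees them."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            records.append({"ts": None, "raw": line})
            continue
        rec = {"ts": parse_ts(m["ts"]), "host": m["host"], "proc": m["proc"]}
        rec.update(kv.partition("=")[::2] for kv in m["fields"].split())  # key=value pairs
        records.append(rec)
    return records

def reduce_records(records, user=None, event=None, start=None, end=None):
    """Audit reduction: keep parsed records matching user, event and the [start, end) window."""
    kept = []
    for r in records:
        if r["ts"] is None:
            continue  # malformed lines never match a query; list them for a human instead
        if (user is not None and r.get("user") != user) or \
           (event is not None and r.get("event") != event):
            continue
        if (start is not None and r["ts"] < start) or (end is not None and r["ts"] >= end):
            continue
        kept.append(r)
    return kept

def report(records):
    """Report generation: event counts per (user, event, result)."""
    return Counter((r.get("user"), r.get("event"), r.get("result")) for r in records)
```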

References

  • CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 25 March 2003
  • NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995
  • CNSS 4013, National Training Standard for System Administrators in Information Security, March 2004