UCF STIG Viewer Logo

AU-9 PROTECTION OF AUDIT INFORMATION


Overview

Number Title Impact Priority Subject Area
AU-9 Protection Of Audit Information LOW P1 Audit And Accountability

Instructions
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
Guidance
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls.

Enhancements
AU-9 (1) Hardware Write-Once Media
This control enhancement applies to the initial generation of audit trails (i.e., the collection of audit records that represents the audit information to be used for detection, analysis, and reporting purposes) and to the backup of those audit trails. The enhancement does not apply to the initial generation of audit records prior to being written to an audit trail. Write-once, read-many (WORM) media includes, for example, Compact Disk-Recordable (CD-R) and Digital Video Disk-Recordable (DVD-R). In contrast, the use of switchable write-protection media such as on tape cartridges or Universal Serial Bus (USB) drives results in write-protected, but not write-once, media.

The information system writes audit trails to hardware-enforced, write-once media.

AU-9 (2) Audit Backup On Separate Physical Systems / Components HIGH
This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records.

The information system backs up audit records Assignment: organization-defined frequency onto a physically different system or system component than the system or component being audited.

AU-9 (3) Cryptographic Protection HIGH
Cryptographic mechanisms used for protecting the integrity of audit information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.

The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.

AU-9 (4) Access By Subset Of Privileged Users MODERATE
Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges.

The organization authorizes access to management of audit functionality to only Assignment: organization-defined subset of privileged users.

AU-9 (5) Dual Authorization
Organizations may choose different selection options for different types of audit information. Dual authorization mechanisms require the approval of two authorized individuals in order to execute. Dual authorization may also be known as two-person control.

The organization enforces dual authorization for Selection (one or more): movement; deletion of Assignment: organization-defined audit information.

AU-9 (6) Read Only Access
Restricting privileged user authorizations to read-only helps to limit the potential damage to organizations that could be initiated by such users (e.g., deleting audit records to cover up malicious activity).

The organization authorizes read-only access to audit information to Assignment: organization-defined subset of privileged users.