National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

NIST Special Publication 800-53 (Rev. 4)

Security and Privacy Controls for Federal Information Systems and Organizations

AU-9 PROTECTION OF AUDIT INFORMATION

Family:
AU - AUDIT AND ACCOUNTABILITY
Class:
Priority:
P1 - Implement P1 security controls first.
Baseline Allocation:
Low Moderate High
AU-9 AU-9 (4) AU-9 (2) (3) (4)

Control Description

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

Supplemental Guidance

Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls.

Related to: AC-3AC-6MP-2MP-4PE-2PE-3PE-6

Control Enhancements

AU-9(1) PROTECTION OF AUDIT INFORMATION | HARDWARE WRITE-ONCE MEDIA
The information system writes audit trails to hardware-enforced, write-once media.
Supplemental Guidance: This control enhancement applies to the initial generation of audit trails (i.e., the collection of audit records that represents the audit information to be used for detection, analysis, and reporting purposes) and to the backup of those audit trails. The enhancement does not apply to the initial generation of audit records prior to being written to an audit trail. Write-once, read-many (WORM) media includes, for example, Compact Disk-Recordable (CD-R) and Digital Video Disk-Recordable (DVD-R). In contrast, the use of switchable write-protection media such as on tape cartridges or Universal Serial Bus (USB) drives results in write-protected, but not write-once, media.
Related to: AU-4AU-5
AU-9(2) PROTECTION OF AUDIT INFORMATION | AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS
The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.
Supplemental Guidance: This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records.
Related to: AU-4AU-5AU-11
AU-9(3) PROTECTION OF AUDIT INFORMATION | CRYPTOGRAPHIC PROTECTION
The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.
Supplemental Guidance: Cryptographic mechanisms used for protecting the integrity of audit information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
Related to: AU-10SC-12SC-13
AU-9(4) PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS
The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users].
Supplemental Guidance: Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges.
Related to: AC-5
AU-9(5) PROTECTION OF AUDIT INFORMATION | DUAL AUTHORIZATION
The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information].
Supplemental Guidance: Organizations may choose different selection options for different types of audit information. Dual authorization mechanisms require the approval of two authorized individuals in order to execute. Dual authorization may also be known as two-person control.
Related to: AC-3MP-2
AU-9(6) PROTECTION OF AUDIT INFORMATION | READ ONLY ACCESS
The organization authorizes read-only access to audit information to [Assignment: organization-defined subset of privileged users].
Supplemental Guidance: Restricting privileged user authorizations to read-only helps to limit the potential damage to organizations that could be initiated by such users (e.g., deleting audit records to cover up malicious activity).

References

None.