Introduction
NIST Special Publication 800-53 provides a comprehensive catalog of controls for protecting information systems within federal agencies and their contractors. Among these controls, AU-2 (Event Logging) requires organizations to identify the event types each system is capable of logging and to specify which of those event types are to be logged. For organizations operating within the Defense Industrial Base (DIB), the expected content of that selection is defined by the Defense Counterintelligence and Security Agency (DCSA) in the DCSA Assessment and Authorization Process Manual (DAAPM).
Purpose and Scope
This whitepaper details the specific event categories that sites within the DIB must monitor, as well as best practices for auditing these events. It also introduces a solution, PowerStrux Windows Auditor (PowerStruxWA), that simplifies compliance with these stringent logging requirements.
Mandatory Event Categories for Logging
To comply with NIST SP 800-53 AU-2 as interpreted in the DAAPM, each system must be configured to record, at a minimum, the following categories of events. Where a category is marked Success/Failure, both successful and failed attempts must be captured:
- Authentication Events:
  - Logons (Success/Failure)
  - Logoffs (Success)
- Security-Relevant File and Object Events:
  - Create (Success/Failure)
  - Access (Success/Failure)
  - Delete (Success/Failure)
  - Modify (Success/Failure)
  - Permission Modification (Success/Failure)
  - Ownership Modification (Success/Failure)
  - Export/Writes/Downloads to devices/digital media (e.g., CD/DVD, USB, SD) (Success/Failure)
  - Import/Uploads from devices/digital media (e.g., CD/DVD, USB, SD) (Success/Failure)
- User and Group Management Events:
  - User Add, Delete, Modify, Disable, Lock (Success/Failure)
  - Group/Role Add, Delete, and Modify (Success/Failure)
- Use of Privileged/Special Rights Events:
  - Security or Audit Policy Changes (Success/Failure)
  - Configuration Changes (Success/Failure)
  - Admin or Root-Level Access (Success/Failure)
  - Privilege/Role Escalation (Success/Failure)
- Audit and Security-Relevant Log Data Accesses (Success/Failure)
- System Reboot, Restart, and Shutdown (Success/Failure)
- Print to a Device (Success/Failure)
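On a Windows system, the categories above map onto advanced audit policy subcategories (what the system is configured to record) and Security log event IDs (what the ISSO later reviews). The following PowerShell script is an added example written for this whitepaper; it is not part of PowerStruxWA or of any DCSA guidance. The grouping of event IDs under each AU-2 category is this example's own mapping of well-known Windows event IDs, and the function names `Enable-AU2AuditPolicy` and `Get-AU2WeeklyReview` are assumed names. Run it in an elevated session.

```powershell
# Added example (not PowerStruxWA code). Configures the audit-policy subcategories
# behind the AU-2 categories and summarizes a week of matching Security events.

# Assumed mapping of AU-2 categories to Security log event IDs (this example's own grouping).
$AU2EventMap = [ordered]@{
    'Logons (Success/Failure)'           = 4624, 4625
    'Logoffs'                            = 4634, 4647
    'Object Create/Access/Modify'        = 4656, 4663   # needs a SACL on the object (or Global Object Access Auditing)
    'Object Delete'                      = 4660
    'Permission/Ownership Modification'  = 4670
    'Removable Media Read/Write'         = 4663         # only when the Removable Storage subcategory is enabled
    'User Add/Delete/Modify/Disable/Lock'= 4720, 4722, 4725, 4726, 4738, 4740, 4767
    'Group Add/Delete/Modify'            = 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737
    'Audit Policy Changes'               = 4719, 4907, 4912
    'Admin / Privileged Access'          = 4672, 4673, 4674
    'Audit Log Cleared'                  = 1102
    'System Startup/Shutdown'            = 4608, 4609
}

# Advanced audit policy subcategories that must be enabled for those IDs to be generated.
$AU2Subcategories = @(
    'Logon', 'Logoff', 'Account Lockout',
    'File System', 'Removable Storage', 'Handle Manipulation',
    'User Account Management', 'Security Group Management',
    'Audit Policy Change', 'Security State Change',
    'Special Logon', 'Sensitive Privilege Use'
)

function Enable-AU2AuditPolicy {
    # Enable both Success and Failure auditing for each subcategory, then show the effective policy.
    # A GPO-applied policy overrides local settings, so always check the output of /get.
    foreach ($sub in $AU2Subcategories) {
        & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
    & auditpol.exe /get /category:*
    # Print auditing lives in a separate log that is off by default.
    & wevtutil.exe sl Microsoft-Windows-PrintService/Operational /e:true
}

function Get-AU2WeeklyReview {
    # Counts Audit Success / Audit Failure events per AU-2 category for the review window.
    param([int]$Days = 7, [string]$ComputerName = $env:COMPUTERNAME)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($entry in $AU2EventMap.GetEnumerator()) {
        $filter = @{ LogName = 'Security'; Id = @($entry.Value); StartTime = $since }
        # Get-WinEvent throws a terminating error when nothing matches; treat that as zero events.
        $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Category = $entry.Key
            Success  = @($events | Where-Object { $_.KeywordsDisplayNames -contains 'Audit Success' }).Count
            Failure  = @($events | Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' }).Count
            Latest   = ($events | Select-Object -First 1).TimeCreated
        }
    }
    # Print to a device: event 307 (document printed) in the PrintService Operational log.
    $printFilter = @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 307; StartTime = $since }
    $printed = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $printFilter -ErrorAction SilentlyContinue)
    [pscustomobject]@{ Category = 'Print to a Device'; Success = $printed.Count; Failure = 0; Latest = ($printed | Select-Object -First 1).TimeCreated }
}

# Weekly review: summarize the last 7 days on this host.
Get-AU2WeeklyReview | Format-Table -AutoSize
```

Two caveats matter in practice. First, enabling the File System and Removable Storage subcategories is not sufficient on its own: object-access events (4656/4663/4660/4670) are only written for files and folders that carry a system access control list (SACL), or system-wide if Global Object Access Auditing is configured, so the audit policy and the SACLs must be reviewed together. Second, a zero count in a category is itself a finding to investigate, since it usually means the subcategory was never enabled or was overridden by Group Policy rather than that nothing happened.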
The Role of Information System Security Officers (ISSO)
Information System Security Officers (ISSOs) are responsible for reviewing system event logs weekly to detect and investigate suspicious activity. Performing that review with traditional tools such as Microsoft's Event Viewer is cumbersome and error-prone: the analyst must filter by event ID, reconcile success and failure entries by hand, and repeat the process for every system, which increases the risk that a critical event is overlooked.
Streamlining AU-2 Compliance with PowerStrux Windows Auditor (PowerStruxWA)
To address the challenges of manual log review, the PowerStrux Windows Auditor (PowerStruxWA) was developed. The tool collects Windows audit logs and automatically categorizes them into dashboards organized by the AU-2 event categories listed above, so ISSOs can quickly identify and act on potential security concerns without building event-ID filters by hand.
Conclusion
Compliance with NIST SP 800-53 AU-2 is critical for organizations within the DIB, not only to meet regulatory requirements but also to protect the integrity of their information systems. By implementing a robust logging strategy and leveraging tools like PowerStruxWA, organizations can enhance their security posture and ensure that their logging and auditing processes are both effective and efficient.
For a free trial of PowerStruxWA, please reach out to our sales team or visit our PowerStrux Page.