AU-9: Protection of Audit Information
Control Family:
Threats Addressed:
Previous Version:
- NIST Special Publication 800-53 Revision 4: AU-9: Protection Of Audit Information
Control Statement
- Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and
- Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information.
Supplemental Guidance
Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.
Control Enhancements
AU-9(1): Hardware Write-once Media
Baseline(s):
Write audit trails to hardware-enforced, write-once media.
AU-9(2): Store on Separate Physical Systems or Components
Baseline(s):
- High
Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited.
AU-9(3): Cryptographic Protection
Baseline(s):
- High
Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.
AU-9(4): Access by Subset of Privileged Users
Baseline(s):
- Moderate
- High
Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles].
AU-9(5): Dual Authorization
Baseline(s):
Enforce dual authorization for [Assignment (one or more): movement, deletion] of [Assignment: organization-defined audit information].
AU-9(6): Read-only Access
Baseline(s):
Authorize read-only access to audit information to [Assignment: organization-defined subset of privileged users or roles].
AU-9(7): Store on Component with Different Operating System
Baseline(s):
Store audit information on a component running a different operating system than the system or component being audited.