NIST 800-53 AU-2

Auditable Events

Automated Inspection items for NIST SP 800-53 AU-2 assessment.

Automated Inspection items are efficient enough that they can usually be part of a CA-7 Continuous Monitoring program on a daily (or in some cases hourly) basis, simultaneously meeting the requirements of RA-5 Vulnerability Scanning. While NIST 800-53 allows Continuous Monitoring results to be used for CA-2 Security Assessments and CA-4 Security Certification, a separate run that combines the same automated Inspection items with the more laborious items needed for CA-2 and CA-4 adds no significant burden.

Depending on FIPS 199 impact level and whether the Industrial Control Systems (ICS/SCADA) subset of 800-53 is chosen, LJK/Security™ starter templates provide automated Inspection items as follows:

NIST SP 800-53 R2 AU-2
Each Description is followed by the Automated Tests that implement it:

Auditing based on Audit Access Control Entries is enabled for the system.
    (AUDIT,ACL,AUPROHIBIT)
    (AUDIT,ACL,AUREQUIRE)

Auditing for Break-in events is enabled for all relevant login types.
    (AUDIT,BREAKIN,AUPROHIBIT)
    (AUDIT,BREAKIN,AUREQUIRE)

Auditing of Authorization events is enabled.
    (AUDIT,AUTHORIZE,AUPROHIBIT)
    (AUDIT,AUTHORIZE,AUREQUIRE)

Auditing of Connection events is enabled.
    (AUDIT,CONNECT,AUPROHIBIT)
    (AUDIT,CONNECT,AUREQUIRE)

Auditing of Failed Use of Privilege is enabled.
    (AUDIT,PRVFAIL,AUPROHIBIT)
    (AUDIT,PRVFAIL,AUREQUIRE)

Auditing of Forced Image Exits based on Privilege is enabled.
    (AUDIT,PRCFORCEX,AUPROHIBIT)
    (AUDIT,PRCFORCEX,AUREQUIRE)

Auditing of Granting Identifiers to a Process based on Privilege is enabled.
    (AUDIT,PRCGRANT,AUPROHIBIT)
    (AUDIT,PRCGRANT,AUREQUIRE)

Auditing of Installation events is enabled.
    (AUDIT,INSTALL,AUPROHIBIT)
    (AUDIT,INSTALL,AUREQUIRE)

Auditing of Login Failure events is enabled for all relevant login types.
    (AUDIT,LOGFAIL,AUPROHIBIT)
    (AUDIT,LOGFAIL,AUREQUIRE)

Auditing of Login Success events is enabled for all relevant login types.
    (AUDIT,LOGIN,AUPROHIBIT)
    (AUDIT,LOGIN,AUREQUIRE)

Auditing of Logout events is enabled for all relevant login types.
    (AUDIT,LOGOUT,AUPROHIBIT)
    (AUDIT,LOGOUT,AUREQUIRE)

Auditing of Mount events is enabled.
    (AUDIT,MOUNT,AUPROHIBIT)
    (AUDIT,MOUNT,AUREQUIRE)

Auditing of Network Configuration is enabled.
    (AUDIT,NCP,AUPROHIBIT)
    (AUDIT,NCP,AUREQUIRE)

Auditing of Other Successful Use of Privilege is enabled.
    (AUDIT,PRVSUCC,AUPROHIBIT)
    (AUDIT,PRVSUCC,AUREQUIRE)

Auditing of Persona Creation is enabled.
    (AUDIT,PSBCREATE,AUPROHIBIT)
    (AUDIT,PSBCREATE,AUREQUIRE)

Auditing of Persona Deletion is enabled.
    (AUDIT,PSBDELETE,AUPROHIBIT)
    (AUDIT,PSBDELETE,AUREQUIRE)

Auditing of Persona Modification is enabled.
    (AUDIT,PSBMODIFY,AUPROHIBIT)
    (AUDIT,PSBMODIFY,AUREQUIRE)

Auditing of Process Deletions is enabled.
    (AUDIT,PRCDELPRC,AUPROHIBIT)
    (AUDIT,PRCDELPRC,AUREQUIRE)

Auditing of Revoking Identifiers from a Process based on Privilege is enabled.
    (AUDIT,PRCREVOKE,AUPROHIBIT)
    (AUDIT,PRCREVOKE,AUREQUIRE)

Auditing of Setting Process Priority based on Privilege is enabled.
    (AUDIT,PRCSETPRI,AUPROHIBIT)
    (AUDIT,PRCSETPRI,AUREQUIRE)

Auditing of Setting System Time is enabled.
    (AUDIT,SYSTIME,AUPROHIBIT)
    (AUDIT,SYSTIME,AUREQUIRE)

Auditing of System Parameter Modification is enabled.
    (AUDIT,SYSGEN,AUPROHIBIT)
    (AUDIT,SYSGEN,AUREQUIRE)

Auditing of access via the DOWNGRADE privilege is enabled for all access types.
    (AUDIT,DOWNGRADE,AUPROHIBIT)
    (AUDIT,DOWNGRADE,AUREQUIRE)

Auditing of access via the READALL privilege is enabled for all access types.
    (AUDIT,READALL,AUPROHIBIT)
    (AUDIT,READALL,AUREQUIRE)

Auditing of access via the UPGRADE privilege is enabled for all access types.
    (AUDIT,UPGRADE,AUPROHIBIT)
    (AUDIT,UPGRADE,AUREQUIRE)

Auditing of access via the BYPASS privilege is enabled for all access types.
    (AUDIT,BYPASS,AUPROHIBIT)
    (AUDIT,BYPASS,AUREQUIRE)

Auditing of access via the GRPPRV privilege is enabled for all access types.
    (AUDIT,GRPPRV,AUPROHIBIT)
    (AUDIT,GRPPRV,AUREQUIRE)

Auditing of access via the SYSPRV privilege is enabled for all access types.
    (AUDIT,SYSPRV,AUPROHIBIT)
    (AUDIT,SYSPRV,AUREQUIRE)

Auditing of failed access is enabled for all access types.
    (AUDIT,FAILURE,AUPROHIBIT)
    (AUDIT,FAILURE,AUREQUIRE)

Auditing of ill-formed audit calls is enabled.
    (AUDIT,AUDILLFOR,AUPROHIBIT)
    (AUDIT,AUDILLFOR,AUREQUIRE)

Auditing of modifications to the audit settings is enabled.
    (AUDIT,AUDIT,AUPROHIBIT)
    (AUDIT,AUDIT,AUREQUIRE)

Auditing of use of an Identifier as a privilege is enabled.
    (AUDIT,IDENT,AUPROHIBIT)
    (AUDIT,IDENT,AUREQUIRE)

The Audit Server is running.
    (AUDIT,SERVER,PROHIBITED)
    (AUDIT,SERVER,REQUIRED)

NIST SP 800-53 R2 AU-2(3)
Each Description is followed by the Automated Tests that implement it:

The organization periodically updates the list of organization-defined auditable events.
    (VMS,POLICY,AUDEVTDAYS)
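As an added example (not LJK/Security code and not part of this page's templates), the following Python shows how AUREQUIRE/AUPROHIBIT items of the kind listed above can be evaluated: it parses a constructed text shaped like OpenVMS SHOW AUDIT output and returns the template items that fail. The SHOW AUDIT layout, the mapping from template class names to output labels, the login types treated as "relevant", and the REQUIRE/PROHIBIT pass semantics are all assumptions made for the example.

```python
import re

# Constructed sample in the shape of OpenVMS SHOW AUDIT output (assumption:
# one "Class" or "Class: type,type,..." entry per line below the header).
SAMPLE_SHOW_AUDIT = """\
System security audits currently enabled for:
    ACL
    Authorization
    Audit:          illformed
    Breakin:        dialup,local,remote,network
    Logfailure:     batch,dialup,local,remote,network,subprocess,detached
    Login:          batch,dialup,local,remote,network,subprocess,detached
    Time
"""

# What "all relevant login types" is taken to mean per class (assumption).
LOGIN_TYPES = frozenset({"batch", "dialup", "local", "remote", "network", "subprocess", "detached"})
RELEVANT = {"BREAKIN": LOGIN_TYPES - {"batch", "subprocess"}, "LOGFAIL": LOGIN_TYPES,
            "LOGIN": LOGIN_TYPES, "LOGOUT": LOGIN_TYPES}
# Assumed mapping from the template's class names to SHOW AUDIT labels.
LABELS = {"ACL": "acl", "AUTHORIZE": "authorization", "AUDILLFOR": "audit:illformed", "BREAKIN": "breakin",
          "LOGFAIL": "logfailure", "LOGIN": "login", "LOGOUT": "logout", "SYSTIME": "time"}

def parse_show_audit(text):
    """Return {label: set(types)}; a class listed without types maps to an empty set."""
    enabled = {}
    for line in text.splitlines()[1:]:            # skip the section header line
        m = re.match(r"\s*(\w+)(?::\s*([\w,]+))?\s*$", line)
        if m:
            enabled[m.group(1).lower()] = set(m.group(2).split(",")) if m.group(2) else set()
    return enabled

def is_enabled(enabled, cls):
    """True when the class is fully on (every relevant login type, where that applies)."""
    label = LABELS[cls]
    if ":" in label:                              # sub-item such as "Audit: illformed"
        head, sub = label.split(":")
        return sub in enabled.get(head, set())
    if label not in enabled:
        return False
    return RELEVANT[cls] <= enabled[label] if cls in RELEVANT else True

def evaluate(text, template):
    """Return the (class, mode) items that fail: AUREQUIRE fails when off, AUPROHIBIT when on."""
    enabled = parse_show_audit(text)
    return [(cls, mode) for cls, mode in template
            if (mode == "AUREQUIRE") != is_enabled(enabled, cls)]   # fail when mode disagrees with state

TEMPLATE = [(c, "AUREQUIRE") for c in ("ACL", "AUTHORIZE", "AUDILLFOR", "BREAKIN",
                                        "LOGFAIL", "LOGIN", "LOGOUT", "SYSTIME")]
```

Running evaluate(SAMPLE_SHOW_AUDIT, TEMPLATE) on the constructed sample flags BREAKIN (missing the detached login type) and LOGOUT (not enabled at all).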

Interview questions for NIST SP 800-53 AU-2 assessment.

Interview questions are useful mainly for CA-2 Security Assessments and CA-4 Security Certification. For most environments they are too laborious to include in CA-7 Continuous Monitoring.

Depending on FIPS 199 impact level and whether the Industrial Control Systems (ICS/SCADA) subset of 800-53 is chosen, LJK/Security™ starter templates provide Interview questions in the following groups:

Determination Statement Number    Group Names
NIST SP 800-53 R2 AU-2(3)         AUDSTAFF

Manual Inspection items for NIST SP 800-53 AU-2 assessment.

Manual Inspection items are useful mainly for CA-2 Security Assessments and CA-4 Security Certification. For most environments they are too laborious to include in CA-7 Continuous Monitoring.

Depending on FIPS 199 impact level and whether the Industrial Control Systems (ICS/SCADA) subset of 800-53 is chosen, LJK/Security™ starter templates provide Manual Inspection items in the following groups:

Determination Statement Number    Group Names
NIST SP 800-53 R2 AU-2            AUDIT, POLICY
NIST SP 800-53 R2 AU-2(1)         ASSESSMENT
NIST SP 800-53 R2 AU-2(2)         ASSESSMENT

Manual Invasive Testing items for NIST SP 800-53 AU-2 assessment.

Manual Invasive Testing items are useful mainly for CA-2 Security Assessments and CA-4 Security Certification. For most environments they are too laborious to include in CA-7 Continuous Monitoring. The level of effort required and the degree of invasiveness are so high (in most cases compensating for the lack of a Common Criteria evaluation) that arranging them as a Common Control is almost always a prerequisite for execution.

Depending on FIPS 199 impact level and whether the Industrial Control Systems (ICS/SCADA) subset of 800-53 is chosen, LJK/Security™ starter templates provide Manual Invasive Testing items in the following groups:

Determination Statement Number    Group Names
NIST SP 800-53 R2 AU-2            TEST_VMS_AUDEVT
NIST SP 800-53 R2 AU-2(1)         TEST_VMS_AUDTIME
NIST SP 800-53 R2 AU-2(2)         TEST_VMS_AUDENABLE

Descriptions above apply to LJK/Security™ Version 3.0.

The notation NIST SP 800-53 above refers in particular to NIST Special Publication 800-53 Revision 2.

Those NIST Special Publications specify security standards in support of FISMA for US Federal Government civil activities.
