Device Class 1: Content Of Audit Records

Control ID: AU-3 Content Of Audit Records
Family: Audit and Accountability
Source: NIST 800-53r4
Control: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
Supplemental Guidance:
Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred).

Related Controls: AU-2, AU-8, AU-12, SI-11
Control Enhancements:
(1) Content Of Audit Records | Additional Audit Information
The information system generates audit records containing the following additional information: [for each of a list of designated resources, a list of the processes that have accessed that resource along with the active user role at the time of access. The information system shall store the most recent access of each resource by each user role and may store records of more accesses. For a second list of designated resources, all the accesses within at least the last day (subject to storage capacity) with the exact commands used to access those resources and the user role in force at the time].
Supplemental Guidance: Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest.
Related Controls: N/A
References: N/A
Mechanisms:

Any mechanism that meets the above requirements is acceptable.
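One possible mechanism for the two logs required by enhancement (1), as an added example that is not part of this profile or of NIST 800-53. The class name, resource names, roles, commands, the history depth of 2 and the capacity limit are all assumptions made for illustration; role-based protection of the logs themselves is out of scope here.

```python
from collections import deque

DAY = 24 * 60 * 60  # seconds; minimum window the detailed log must cover

class AccessAudit:
    """Two logs from AU-3(1): per-role summary and detailed command log."""

    def __init__(self, summary_resources, detailed_resources,
                 history=2, max_detailed=10_000):
        self.summary_resources = frozenset(summary_resources)    # first designated list
        self.detailed_resources = frozenset(detailed_resources)  # second designated list
        self.history = history            # accesses kept per (resource, role); assumed default
        self.max_detailed = max_detailed  # storage capacity limit; assumed value
        self.summary = {}                 # (resource, role) -> deque[(ts, process)]
        self.detailed = deque()           # (ts, resource, role, process, command)

    def record(self, resource, role, process, command, ts):
        if resource in self.summary_resources:
            # A bounded deque always retains the most recent access for this role.
            recent = self.summary.setdefault((resource, role),
                                             deque(maxlen=self.history))
            recent.append((ts, process))
        if resource in self.detailed_resources:
            self.detailed.append((ts, resource, role, process, command))
            # Drop entries older than a day, or the oldest ones when over capacity.
            while self.detailed and (ts - self.detailed[0][0] > DAY
                                     or len(self.detailed) > self.max_detailed):
                self.detailed.popleft()

    def last_access(self, resource, role):
        recent = self.summary.get((resource, role))
        return recent[-1] if recent else None

    def commands_for(self, resource):
        return [(ts, role, cmd) for ts, res, role, _proc, cmd in self.detailed
                if res == resource]

def demo():
    # Constructed events; resource, role, process and command names are illustrative.
    audit = AccessAudit({"firmware", "config"}, {"config"})
    t0 = 1_700_000_000
    audit.record("config", "operator", "cfgd", "get net/ip", t0)
    audit.record("firmware", "admin", "updater", "write fw.bin", t0 + 60)
    audit.record("config", "admin", "cli", "set net/ip 10.0.0.5", t0 + DAY + 120)
    return audit, t0
```

The summary log keeps answering "who last touched this resource in this role" after the detailed entry for the same access has aged out of the one-day window.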

Protocol Implementation Conformance Statements:
| ID | Statement | Status | Reference | Notes |
|---|---|---|---|---|
| AU-3(1)/1 | Maintain high-level access log for specified resources | M | | |
| AU-3(1)/1.1 | Store a list of resources whose access is logged in the high-level access log | AU-3(1)/1:M | | |
| AU-3(1)/1.2 | Implement role-based access such that only authorized users can modify resources that are logged in the high-level access log | AU-3(1)/1:M | | |
| AU-3(1)/1.3 | In the high-level access log, store the most recent access of each resource by each user role | AU-3(1)/1:M | | |
| AU-3(1)/1.4 | In the high-level access log, store information about accesses other than the most recent access of each resource by each user role | AU-3(1)/1:M | | |
| AU-3(1)/1.4.1 | Maximum number of recent accesses stored | 2:M > 2:O | | |
| AU-3(1)/2 | Maintain detailed access log for specified resources | M | | |
| AU-3(1)/2.1 | Store a list of resources whose access is logged in the detailed access log | AU-3(1)/1:M | | |
| AU-3(1)/2.2 | Implement role-based access such that only authorized users can modify the detailed access log | AU-3(1)/1:M | | |
| AU-3(1)/2.3 | In the detailed access log, store the exact command used for each access of each resource | AU-3(1)/1:M | | |