Device Class 3: Response To Audit Processing Failures

Control ID: AU-5 Response To Audit Processing Failures
Family: Audit and Accountability
Source: NIST 800-53r4
Control: The information system:
  1. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
  2. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
Supplemental Guidance:
Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

Related Controls: AU-4, SI-12
Control Enhancements:
(1) Response To Audit Processing Failures | Audit Storage Capacity
The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity.
Supplemental Guidance: Organizations may have multiple audit data storage repositories distributed across multiple information system components, with each repository having different storage volume capacities.
Related Controls: N/A

(2) Response To Audit Processing Failures | Real-time Alerts
The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].
Supplemental Guidance: Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less).
Related Controls: N/A
References: N/A
Mechanisms:

  • Device shall support the identification of a device management service to which audit processing failures shall be reported if connectivity is available.
  • The ability to alter the device management service shall be restricted to privileged users per AC-3.
  • Device shall identify information flows to the device management service as a secured information flow per AC-4 and shall protect those information flows with an approved mechanism per SC-8.
  • Device shall report audit processing failure to the device management service if it has connectivity when the audit processing failure occurs.
  • Device may maintain a backup logging service to be used to record failures in the audit processing service.
  • On a failure, device shall reboot its audit processing service and then attempt to resume processing. If no successful audit processing occurs over three reboot attempts, device shall log a report via a different mechanism and suspend auditing.
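
The reporting, backup-logging, reboot and storage-warning mechanisms above, as an added in-memory model (not code from the profile); the audit service outcomes, repository capacity and connectivity flag are constructed inputs, and "three reboot attempts with no success" is read as three failed retries after the initial failure:

```python
from collections import deque
from typing import Deque, List

MAX_REBOOTS = 3          # mechanism 6 / AU-5/6: three reboot attempts with no success
STORAGE_WARN_PCT = 90    # AU-5(1)/6: warn when storage reaches 90% of maximum


class AuditSupervisor:
    """In-memory model of the AU-5 response logic (assumed design, not the profile's)."""
    def __init__(self, outcomes: List[bool], capacity: int, connected: bool):
        self.outcomes: Deque[bool] = deque(outcomes)  # constructed audit-service results
        self.capacity = capacity                      # repository maximum (constructed)
        self.connected = connected                    # connectivity to management service
        self.stored = 0
        self.suspended = False
        self.mgmt_reports: List[str] = []  # delivered to the device management service
        self.backup_log: List[str] = []    # separate backup logging service (AU-5/5)

    def _report(self, msg: str) -> None:
        # AU-5/4: report to the management service only while connectivity exists;
        # otherwise the backup logging service keeps the record.
        (self.mgmt_reports if self.connected else self.backup_log).append(msg)

    def _try_process(self) -> bool:
        # Next simulated outcome; an exhausted queue counts as a failure.
        return self.outcomes.popleft() if self.outcomes else False

    def _store(self) -> None:
        self.stored += 1
        pct = 100 * self.stored // self.capacity
        if pct >= STORAGE_WARN_PCT:
            self._report(f"WARNING audit storage at {pct}% of capacity")

    def process_event(self) -> str:
        """Handle one audit event and return what the supervisor did."""
        if self.suspended:
            return "suspended"
        if self._try_process():
            self._store()
            return "ok"
        self._report("ALERT audit processing failure")
        # Reboot the audit service and retry, up to MAX_REBOOTS times.
        for attempt in range(1, MAX_REBOOTS + 1):
            if self._try_process():
                self._store()
                return f"recovered after reboot {attempt}"
        # No success over three reboots: log via a different mechanism and suspend.
        self.backup_log.append("audit processing suspended after 3 failed reboots")
        self.suspended = True
        return "suspended"
```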

Protocol Implementation Conformance Statements:
ID          Statement                                                                                                                                 Status  Reference  Notes
AU-5/1      Support identification of device management services                                                                                     M
AU-5/2      Restrict the ability to alter the device management service to privileged users                                                          M       AC-3
AU-5/3      Secure information flows to device management services                                                                                   M       SC-8
AU-5/4      Report audit processing failures to device management services if one is identified and if connectivity is available at the time        M
            the audit processing failure occurs
AU-5/5      Maintain separate logging service for the purposes of logging failures in audit processing service and log those failures when           O
            appropriate
AU-5/5      Support reboot of audit processing service on failure                                                                                    M
AU-5/6      Suspend attempts to reboot audit processing service after three failures in a row with no successful audit intervening                   M
AU-5(1)/6   Provides a warning to device administrator when audit record storage reaches 90% of maximum.                                             M                  Define mechanism
AU-5(2)/7   Provides an alert within 5 seconds to device operator for any audit failure.                                                             M                  Define mechanism
AU-5(2)/8   Provides an alert within 10 seconds to device administrator for any audit failure; conditional on connectivity to administrator          O                  Define mechanism