The COE Platform implementation shall provide the capability to create, maintain, process, and
protect from modification or unauthorized access or destruction an
audit trail of accesses to the objects it protects.
3.2.3.1.1
The COE Platform implementation shall protect audit data so that access to it is limited to
those who are authorized to view audit data.
3.2.3.1.2
The COE Platform implementation shall protect the audit processes and audit data from change or
deletion by general users. At a minimum, the COE Platform implementation shall protect the
following:
3.2.3.1.2.1
Audit mechanisms (for example, executable files).
3.2.3.1.2.2
Configuration parameters (for example, audit configuration files).
3.2.3.1.2.3
Capability to enable or disable audit processes.
3.2.3.1.3
The COE Platform implementation shall provide a mechanism that generates a notification when
the audit data has reached a configurable threshold of n percent of available storage capacity.
3.2.3.1.3.1
The COE Platform implementation shall be configurable by a trusted user to provide a capability
for recovery in the event that the threshold n percent of available storage capacity has been
exceeded. At a minimum, the following capabilities shall be provided:
3.2.3.1.3.1.2
Overwrite the oldest audit data.
3.2.3.1.3.1.4
Increase storage capacity for audit data.
Minimal compliance is satisfied by the ability to increase capacity
manually via the Log File Manager.
3.2.3.1.3.2
The COE Platform implementation shall provide an interface for configuring which trusted user
shall receive notifications when the audit data has reached the threshold n percent of
available storage capacity.
3.2.3.1.3.3
The COE Platform implementation shall provide the capability for a trusted user to configure
the threshold n percent of available storage capacity when a notification will be generated.
3.2.3.1.3.3.1
The default threshold n shall be 85 percent.
3.2.3.1.4
The COE Platform implementation shall provide a mechanism that generates a notification to a
trusted user when the audit process(es) has failed.
3.2.3.1.4.2
The COE Platform implementation shall provide an interface for configuring which trusted user
shall receive notifications when the audit process(es) has failed.
3.2.3.1.5
The COE Platform implementation shall provide a capability to archive and selectively retrieve
audit data.
Minimal compliance is satisfied using commands (that is, tar, dd, and so on) at a command
line. Neither a GUI nor automation is required.
3.2.3.1.5.1
The COE Platform implementation shall provide the capability to automatically archive audit
data when the audit data reaches a configurable threshold of n percent of available storage
capacity.
Minimal compliance is satisfied using commands (that is, tar, dd, and so on) at a command
line. Neither a GUI nor automation (via Cron) is required.
3.2.3.1.5.4
The COE Platform implementation shall provide a mechanism that generates a time configurable
notification to remind a trusted user (for example, a system
administrator) to perform audit archive.
3.2.3.1.5.4.1
The COE Platform implementation shall provide a GUI for a trusted user to configure the time,
represented as every n hours.
3.2.3.1.5.4.2
The default threshold n shall be every 168 hours.
3.2.3.2
The COE Platform implementation shall provide the capability to enable and disable auditable
events.
3.2.3.3
The COE Platform implementation shall provide the capability to audit the following types of
events:
3.2.3.3.1
Use of identification and authentication mechanisms.
3.2.3.3.2
Introduction of designated objects into a user's address space (for
example, file open, program initiation).
3.2.3.3.3
Creation, modification, and deletion of designated objects.
3.2.3.3.4
Actions taken by trusted users.
3.2.3.3.7
Change in access control permissions.
3.2.3.3.9
System startup.
3.2.3.3.10
System shutdown.
3.2.3.4
The COE Platform implementation shall provide the capability for a trusted user to define
security-relevant events.
3.2.3.5
For each recorded event, the COE Platform implementation shall identify in the audit record
at least the following:
3.2.3.5.1
System date and time (to the nearest second) of the event.
3.2.3.5.2
User ID.
3.2.3.5.3
Type of event.
3.2.3.5.4
Success or failure of the event.
3.2.3.6
For identification and authentication events, the audit record shall
identify the origin of the request (for example, terminal ID, host IP
address).
3.2.3.10
The COE Platform implementation shall provide the capability to receive application-level audit
data (for example, the UNIX syslog logging facility, Windows NT event log).
3.2.3.11
The COE Platform implementation shall provide the capability to generate reports of audit data
that has been collected.
3.2.3.11.1
The COE Platform implementation shall provide the capability to generate reports based on
fields in event records or Boolean combinations of those fields.
3.2.3.11.2
The COE Platform implementation shall provide the capability to generate reports based on
ranges of system date and time that audit records were collected.
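
The following is an added example, not part of the COE specification, illustrating requirements 3.2.3.5, 3.2.3.6 and 3.2.3.11: audit records carrying the minimum required fields, and a report selected by a Boolean combination of field tests together with a date and time range. The pipe-delimited record layout, the field and event names, and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List

@dataclass(frozen=True)
class AuditRecord:
    timestamp: datetime  # 3.2.3.5.1, to the nearest second
    user_id: str         # 3.2.3.5.2
    event_type: str      # 3.2.3.5.3
    success: bool        # 3.2.3.5.4
    origin: str          # 3.2.3.6, mandatory for I&A events

Predicate = Callable[[AuditRecord], bool]
IA_EVENTS = {"login"}  # assumed name for identification/authentication events

def parse_line(line: str) -> AuditRecord:
    """Parse the assumed layout: time|user|event|SUCCESS or FAILURE|origin."""
    ts, user, event, outcome, origin = line.strip().split("|")
    if outcome not in ("SUCCESS", "FAILURE"):
        raise ValueError(f"bad outcome field: {outcome!r}")
    if event in IA_EVENTS and not origin:
        raise ValueError("I&A record lacks the origin of the request")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    return AuditRecord(when, user, event, outcome == "SUCCESS", origin)

def field(name: str, value) -> Predicate:
    return lambda r: getattr(r, name) == value

def all_of(*preds: Predicate) -> Predicate:   # Boolean AND
    return lambda r: all(p(r) for p in preds)

def any_of(*preds: Predicate) -> Predicate:   # Boolean OR
    return lambda r: any(p(r) for p in preds)

def between(start: datetime, end: datetime) -> Predicate:
    return lambda r: start <= r.timestamp < end  # half-open time range

def report(records: List[AuditRecord], pred: Predicate) -> List[AuditRecord]:
    return [r for r in records if pred(r)]

SAMPLE_LOG = """\
2024-03-01T08:15:02|alice|login|SUCCESS|192.0.2.5
2024-03-01T08:16:40|bob|login|FAILURE|tty3
2024-03-01T09:00:00|root|acl_change|SUCCESS|
2024-03-02T23:59:59|bob|login|FAILURE|192.0.2.9
2024-03-03T00:00:01|carol|file_delete|FAILURE|
"""  # constructed sample records
RECORDS = [parse_line(line) for line in SAMPLE_LOG.splitlines()]
# (failed login OR permission change) AND collected on 2024-03-01
QUERY = all_of(
    any_of(all_of(field("event_type", "login"), field("success", False)),
           field("event_type", "acl_change")),
    between(datetime(2024, 3, 1), datetime(2024, 3, 2)))
```

Calling `report(RECORDS, QUERY)` returns the two matching records; a login line with an empty origin field is rejected at parse time rather than stored incomplete.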