-
Notifications
You must be signed in to change notification settings - Fork 15
/
au_low_impact_pri1.yaml
255 lines (192 loc) · 10.3 KB
/
au_low_impact_pri1.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
id: au_low_impact_pri1
name: NIST 800-53 AU Low Impact Priority 1
milestone: Audit and Accountability
issues:
- title: As the CIO, I want to document and communicate our organization's approach and priorities for having a reliable audit trail of transactions in our IT systems.
body: |
*Why:*
Logging various transactions in our IT systems is how we can later audit activity for things that went wrong and for malicious actions. Without audit trail we won't have a record of interactions with the system.
*How:*
* Define roles in addition to ISSO or ISSM that the audit and accountability policy is to be disseminated to. (State if there are no additional roles)
* Define roles in addition to ISSO or ISSM that the audit and accountability procedures are to be disseminated to. (State if there are no additional roles)
* Ensure that the audit accountability policy and procedures are disseminated
* Define frequency at which to review and update the audit and accountability policy and procedures (Annually).
* Maintain audit trail of reviews and updates.
*Acceptance Criteria / Evidence:*
* List of personnel to whom accountability policy and procedures are to be disseminated
* Audit and accountability policy
* Audit and accountability policy version update page
* Audit and accountability policy audit trail of reviews and updates
*Links:*
* https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-1
labels:
- AU
- AU-1
- security
- compliance
- title: As the CISO, I need to know that our there is a reliable systems for collecting audit trail information, and I need to periodically review these audit trails to ensure that the systems are working properly.
body: |
*Why:*
In the event of a security incidents, we need to be able to investigate the source and potential scope of the breach.
*How:*
* Work across organizations to develop a list of audit events. Examples include:
* Password changes
* Successful and unsuccessful login attempts
* Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information
* Administrative privilege usage or other system level access
* Starting and ending time for user access to the system
* Concurrent logins from different workstations
* Account creations, modifications, disabling, and terminations
* Kernel module load, unload, and restart
* Third-party credential usage
* Define the frequency of (or situation requiring) auditing for each audit event.
* Develop a rationale for why the list of audit events is deemed to be adequate to support after-the-fact investigations of security incidents.
*Acceptance Criteria / Evidence:*
* List of audit events
* Frequency that each event will be audited to ensure data is being properly collected
* Rationale for why the list of audit events is complete
*Links:*
* https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-2
labels:
- AU
- AU-2
- security
- compliance
- title: As the CISO, I need to know that our audit records are complete.
body: |
*Why:*
If our audit records do not contain all of the necessary content, we will not be able to properly investigate a potential breach.
*How:*
* Review each audit trail record to ensure that it contains all necessary information.
*Acceptance Criteria / Evidence:*
* What type of event occurred
* When the event occurred
* Where the event occurred
* The source of the event
* The outcome of the event
* The identity of any individuals or subjects associated with the event
*Links:*
* https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-3
labels:
- AU
- AU-3
- security
- compliance
- title: As the CIO, I want there to be sufficient server storage for audit records.
body: |
*Why:*
We don’t want to lose critical audit records because storage capacity was exceeded.
*How:*
* Check organization Audit Policy for time range of audit records to be saved (e.g., 6 month, 1 year, etc.)
* Estimate the storage required for the information system to store the required time period of logs
* Allocate the storage for the logs. One strategy is to copy audit records from system to secondary storage system to avoid loss of critical information
* Set up a notification when maximum storage is approached (e.g., 80%)
*Acceptance Criteria / Evidence:*
* Copy of section of audit policy specifying audit retention requirements
* Copy of section of STIG or SRG that indicates audit retention requirements
* Demonstration of allocated storage (screenshot, service documentation, or configuration code
* Demonstration of notification as max storage approached (screenshot or inspection)
*Links:*
* https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-4
* http://800-53.govready.com/control?id=AU-4
labels:
- AU
- AU-4
- security
- compliance
- title: As the CIO, I need my team alerted whenever the information system's logging subsystem fails so steps can be taken to avoid further loss of audit data.
body: |
*Why*
We don’t want to lose critical audit records because of errors in the auditing system.
*How*
* Set up monitoring to detect issues with the audit system. Examples:
* Pingdom
* Amazon CloudWatch
* New Relic
* A custom script monitoring updated timestamps
* Decide who should receive alerts.
* Determine an effective test frequency and alert method (text, email, Slack).
* Check the audit system monitors every two months to ensure they are working properly.
*Acceptance Criteria / Evidence*
* List of the people and method to alert when there are issues with the audit system.
*Links*
* https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-5
labels:
- AU
- AU-5
- security
- compliance
- title: As the CISO, I need to review all log files regularly bi-weekly for unusual activities.
body: |
*Why:*
We don’t want to lose critical audit records because of errors in the auditing system.
*How:*
* Determine what the important log files are (webserver error log, webserver access log, database access log, system error log) and where on the server they are located.
* Decide which patterns we should be looking for: errors, suspicious access records, database access from an unexpected IP range.
* Approve the workflow (who to contact and how to contact them) for reporting any abnormalities.
*Acceptance Criteria / Evidence:*
* Copy of document listing log files and their locations.
* List of known vulnerability patterns we looking for.
* Document outlining workflow for reporting unusual activity.
*Links:*
* https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-6
labels:
- AU
- AU-6
- security
- compliance
- title: As the CISO, I want transactions in logs to clearly use a UTC timestamps so data can be synchronized with less processing.
body: |
*Why*
Reports need to be timestamped with an universally understood format to assist in analysis of events and system/data recovery.
When different logs use different timezones and/or non-standard formats, it is harder to collate and compare events across different logs.
*How*
* Create organization standard for transaction record timestamp granularity of least 1 second
* Create record timestamping mechanism that timestamps transactions with defined granularity in UTC or GMT
* Timestamp with a system’s clock
*Acceptance Criteria / Evidence*
* Excerpt from STIG or SRG in use that defines timestamp granularity standard
* Show example of logged events are being timestamped or configuration that forces timestamps
*Links*
* https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-8
labels:
- AU
- AU-8
- security
- compliance
- title: As the CISO, I want to prevent unauthorized access to logs and audit reports and the systems that create them.
body: |
*Why:*
Audit information can contain system information that would be dangerous in the wrong hands. By the same token, the systems that create reports could be manipulated by an unauthorized party to provide misleading information.
*How:*
* Determine list of privileged users that will have access to log generation, reduction reports and report-creating systems
* Ensure log-related information are read-only and write-only to authorized users
* Ensure report creation systems have permissions and or log-in credentials that bar access to unauthorized users
*Acceptance Criteria / Evidence:*
* Provide list of privileged users with access to log generation, reduction reports and report-creating systems
*Links:*
* https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-9
labels:
- AU
- AU-9
- security
- compliance
- title: As the developer, I want the components of the system to generate required logs with required content.
body: |
*Why:*
The organization needs certain information for audit purposes
*How:*
* Check AU-2 for a list of auditable events and figure out which components provide the logs for those events
* Work with security and business to confirm events and components
* Check AU-3 for necessary log content and modify log templates and content accordingly
*Acceptance Criteria / Evidence:*
* URL to audit and accountability policy
* List of system components that generate logs and log retention
* Excerpt from STIG or SRG in use that automatically sets or specifies log settings
*Links:*
* https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-12
labels:
- AU
- AU-12
- security
- compliance