UCF STIG Viewer Logo

AU-5 RESPONSE TO AUDIT PROCESSING FAILURES


Overview

Number Title Impact Priority Subject Area
AU-5 Response To Audit Processing Failures LOW P1 Audit And Accountability

Instructions
The information system:
AU-5a.
Alerts Assignment: organization-defined personnel or roles in the event of an audit processing failure; and
AU-5b.
Takes the following additional actions: Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).
Guidance
Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

Enhancements
AU-5 (1) Audit Storage Capacity HIGH
Organizations may have multiple audit data storage repositories distributed across multiple information system components, with each repository having different storage volume capacities.

The information system provides a warning to Assignment: organization-defined personnel, roles, and/or locations within Assignment: organization-defined time period when allocated audit record storage volume reaches Assignment: organization-defined percentage of repository maximum audit record storage capacity.

AU-5 (2) Real-Time Alerts HIGH
Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less).

The information system provides an alert in Assignment: organization-defined real-time period to Assignment: organization-defined personnel, roles, and/or locations when the following audit failure events occur: Assignment: organization-defined audit failure events requiring real-time alerts.

AU-5 (3) Configurable Traffic Volume Thresholds
Organizations have the capability to reject or delay the processing of network communications traffic if auditing such traffic is determined to exceed the storage capacity of the information system audit function. The rejection or delay response is triggered by the established organizational traffic volume thresholds which can be adjusted based on changes to audit storage capacity.

The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and Selection: rejects; delays network traffic above those thresholds.

AU-5 (4) Shutdown On Failure
Organizations determine the types of audit failures that can trigger automatic information system shutdowns or degraded operations. Because of the importance of ensuring mission/business continuity, organizations may determine that the nature of the audit failure is not so severe that it warrants a complete shutdown of the information system supporting the core organizational missions/business operations. In those instances, partial information system shutdowns or operating in a degraded mode with reduced capability may be viable alternatives.

The information system invokes a Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available in the event of Assignment: organization-defined audit failures, unless an alternate audit capability exists.