1. The system administrator shall select audit events against security files of individual system components in accordance with DISA STIGs related to the operating system, database, and application, such as an excessive number of logon attempts; blocking or blacklisting a user ID; and bypassing or negating safeguards controlled by the system.
2. The system administrator shall configure the system audit features to record system access-level auditing regarding root/administrator logons; access level change; security policy change; creation, deletion, or modification of security label change; and use of covert channel mechanisms.
3. The system administrator shall configure each audit event to record sufficient information in the audit trails such as date/time of the event, user ID, source, target, type of event, and success/failure.
4. If the system does not provide the capability of recording DOD-required security events, the system administrator shall identify and install a DOD-approved third-party product and configure it in accordance with DISA STIGs and vendor documentation for auditing.
5. The system administrator shall test the auditing capability to ensure that the audit trails record required security events; each event contains sufficient information to support system forensics; and the auditing functions do not affect system operations.