| 1. Determine if an audit reduction capability exists. This capability can be either OS provided or an add-on product. |
2. Operating systems and applications shall have the capability to review audit records and generate reports from the audit records. Most operating systems and applications have built-in auditing capabilities, but if they don’t, a DOD approved auditing utility shall be acquired. Selection of the individual approved software should be determined by auditing capabilities, ease of use, administrative overhead, and system overhead, as well as enterprise or organizational policy on auditing requirements.
3. Operating systems typically provide at least the minimum tools and utilities to review audit records and generate reports. Microsoft Windows event viewer tracks all security events and can selectively review audit records, and the Solaris operating system uses the ‘praudit’ utility for audit reviews.