ECRR-1 Audit Record Retention


Overview

If the DoD information system contains sources and methods intelligence (SAMI), then audit records are retained for 5 years. Otherwise, audit records are retained for at least 1 year.

MAC / CONF: CLASSIFIED, SENSITIVE, PUBLIC
Impact: Medium
Subject Area: Enclave Computing Environment

Details

Threat
Audit trail data, though voluminous, must be retained for a sufficient time to permit retrospective examination for specific incidents and for trend analysis.  Operating system parameters must be set so that growing logs are not inadvertently overwritten.  Procedures must be in place for migrating audit trail data to archival storage and to prevent inadvertent or unauthorized deletion of log data.  An intruder might attempt to delete audit trails in an attempt to conceal unauthorized activity.

Guidance
1. Activate audit logging for security-significant components and systems.
2. Limit access to audit data to authorized system administrators.
3. Set system controls to ensure that audit logs that have reached maximum length are not overwritten. If possible, the system should issue a warning that log data length is approaching the maximum value and then should fail gracefully.
4. Ensure that procedures exist for moving audit trails from on-line to archival media.
5. Inspection and modification of audit data are themselves security-significant events that should generate log entries.
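The following script is an added example, not part of the STIG page, showing how guidance items 3 and 4 can be checked on a Linux host running the audit daemon: it reads an auditd.conf, flags settings that would let full logs be overwritten, that give no warning as space runs low, or that drop events on a full disk, and compares a weak and a hardened configuration (both constructed here). The key names are the real auditd.conf keys; the pass/fail thresholds are an assumed policy derived from the guidance above, not an official checklist.

```shell
# Key names are the real auditd.conf keys of the Linux audit daemon; the pass/fail
# policy is an assumption derived from the guidance above, not an official check.

# Print the lower-cased value of key $2 from auditd.conf-style file $1 (last wins).
auditd_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" \
        | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Return 0 if $1 satisfies the retention guidance, else 1 (one line per finding).
check_auditd_conf() {
    rc=0
    full_action=$(auditd_get "$1" max_log_file_action)
    warn_action=$(auditd_get "$1" space_left_action)
    disk_action=$(auditd_get "$1" disk_full_action)
    # Guidance 3: a log that reaches max_log_file must not be overwritten.
    # keep_logs rotates without discarding; rotate drops files beyond num_logs.
    case "$full_action" in
        keep_logs) ;;
        *) echo "FAIL max_log_file_action=${full_action:-unset} (want keep_logs)"; rc=1 ;;
    esac
    # Guidance 3: warn while space_left is still available.
    case "$warn_action" in
        syslog|email|exec) ;;
        *) echo "FAIL space_left_action=${warn_action:-unset} (want syslog/email/exec)"; rc=1 ;;
    esac
    # Guidance 3: on a full disk, stop rather than silently drop events
    # (single-user mode or halt; this threshold is the assumed policy).
    case "$disk_action" in
        single|halt) ;;
        *) echo "FAIL disk_full_action=${disk_action:-unset} (want single/halt)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample in the style of a stock auditd.conf: old logs get discarded.
write_weak_conf() {
    printf '%s\n' 'max_log_file = 8' 'num_logs = 5' 'max_log_file_action = ROTATE' \
        'space_left_action = SYSLOG' 'disk_full_action = SUSPEND' > "$1"
}
# Constructed sample that meets the guidance.
write_hardened_conf() {
    printf '%s\n' 'max_log_file = 8' 'max_log_file_action = keep_logs' 'space_left = 100' \
        'space_left_action = email  # warn before the limit' 'disk_full_action = halt' > "$1"
}

# Stand-alone demonstration on the two samples.
d=$(mktemp -d); write_weak_conf "$d/weak.conf"; write_hardened_conf "$d/hardened.conf"
check_auditd_conf "$d/weak.conf" || echo "weak.conf: NOT compliant"
check_auditd_conf "$d/hardened.conf" && echo "hardened.conf: compliant"
rm -rf "$d"
```

Point it at a live /etc/audit/auditd.conf to get the same findings for a real host; archival of rotated logs (guidance 4) still has to be covered by a separate procedure.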

References

  • CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 25 March 2003
  • NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995
  • CNSS 4013, National Training Standard for System Administrators in Information Security, March 2004