If the DoD information system contains sources and methods intelligence (SAMI), then audit records are retained for 5 years. Otherwise, audit records are retained for at least 1 year.
|MAC / CONF||Impact||Subject Area|
|Medium||Enclave Computing Environment|
|Audit trail data, though voluminous, must be retained for a sufficient time to permit retrospective examination for specific incidents and for trend analysis. Operating system parameters must be set so that growing logs are not inadvertently overwritten. Procedures must be in place for migrating audit trail data to archival storage and to prevent inadvertent or unauthorized deletion of log data. An intruder might attempt to delete audit trails in an attempt to conceal unauthorized activity.|
| 1. Activate audit logging for security-significant components and systems. |
2. Limit access to audit data to authorized system administrators.
3. Set system controls to ensure that audit logs that have reached maximum length are not overwritten. If possible, the system should issue a warning that log data length is approaching the maximum value and then should fail gracefully.
4. Ensure that procedures exist for moving audit trails from on-line to archival media.
5. Inspection and modification of audit data are, themselves, security significant events that should generate log entries.