UCF STIG Viewer Logo

ECRR-1 Audit Record Retention


If the DoD information system contains sources and methods intelligence (SAMI), then audit records are retained for 5 years. Otherwise, audit records are retained for at least 1 year.

MAC / CONF Impact Subject Area
Medium Enclave Computing Environment


Audit trail data, though voluminous, must be retained for a sufficient time to permit retrospective examination for specific incidents and for trend analysis.  Operating system parameters must be set so that growing logs are not inadvertently overwritten.  Procedures must be in place for migrating audit trail data to archival storage and to prevent inadvertent or unauthorized deletion of log data.  An intruder might attempt to delete audit trails in an attempt to conceal unauthorized activity.

1. Activate audit logging for security-significant components and systems.
2. Limit access to audit data to authorized system administrators.
3. Set system controls to ensure that audit logs that have reached maximum length are not overwritten. If possible, the system should issue a warning that log data length is approaching the maximum value and then should fail gracefully.
4. Ensure that procedures exist for moving audit trails from on-line to archival media.
5. Inspection and modification of audit data are, themselves, security significant events that should generate log entries.


  • CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 25 March 2003
  • NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995
  • CNSS 4013, National Training Standard for System Administrators in Information Security, March 2004