Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
It is imperative that the operating system be configured to allocate storage capacity for audit records. Without adequate storage for audit records, critical audit records may be lost or overwritten, and an adversary may take advantage of the lack of audit storage capacity to avoid detection. Allocating sufficient audit record storage capacity for 24 hours allows the device to capture critical events even if it is unable to reach the MDM for a full day, such as when an employee is temporarily in a remote location. The mobile operating system must be capable of allocating sufficient record storage capacity for mission needs. Ensure that the reserved audit capacity is greater than the log volume generated on the day with the greatest log activity; it is advised that the allocated storage capacity be at least 150% of the volume observed on the most active day. Also use other available information resources (e.g., vendor documentation) to determine the appropriate required capacity based on industry norms.