| The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events) for example, timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
Mobile operating systems must produce audit records for the events defined at the organizational level. Specifically, at a minimum, audit records must be produced for these events:
- Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels) by processes other than the operating system
- Successful and unsuccessful unlock attempts
- Privileged activities or other system level access
- Starting and ending time for user access to the system
- All application initiations
- All application installation and removal
- All account creations, modifications, disabling, and terminations
- All kernel module load, unload, and restart |
