Protection Level 2

DCID 6/3 Requirements -

4.B.2.a A system operating at Protection Level 2 shall employ the following features:

4.B.2.a(4) [Audit1] Auditing procedures, including:

4.B.2.a(4)(a) Providing the capability to ensure that all audit records include enough information to allow the ISSO to determine the date and time of action (e.g., common network time), the system locale of the action, the system entity that initiated or completed the action, the resources involved, and the action involved.

4.B.2.a(4)(b) Protecting the contents of audit trails against unauthorized access, modification, or deletion.

4.B.2.a(4)(c) Maintaining collected audit data at least 5 years and reviewing at least weekly.

4.B.2.a(4)(d) The systems creating and maintaining an audit trail that includes selected records of:

4.B.2.a(4)(d)(1) Successful and unsuccessful logons and logoffs.

4.B.2.a(4)(d)(2) Accesses to security-relevant objects and directories, including opens, closes, modifications, and deletions.

4.B.2.a(4)(d)(3) Activities at the system console (either physical or logical consoles), and other system-level accesses by privileged users.


JDCSISSS 7.5.3.1 (U) (1 January 2006 Revision 4) Automated Audit Trail Information Requirements

ISs approved for classified processing should contain, at a minimum, the following audit trail records:

| No. | Auditable Events | Protection Level | Success | Failure | Red Hat Linux syscall Audit Flag(s) |
|-----|------------------|------------------|---------|---------|-------------------------------------|
| 1 | Logons | 1-5 | X | X | Audit Default |
| 2 | Logoffs | 1-5 | | X | Audit Default |
| 3 | Security relevant directories, objects, and incidents (DAC) | 1-5 | X | X | open, creat |
| 4 | System Console activities | 1-5 | | X | chmod, fchmod, chown, chown32, fchown, fchown32, lchown, lchown32, creat, open, truncate, truncate64, ftruncate, ftruncate64, unlink, rename, link, symlink, mknod, mount, umount, umount2, clone, fork, vfork, umask, adjtimex, settimeofday |
| 5 | Use of Privileged/Special Rights | 1-5 | | X | chmod, fchmod, chown, chown32, fchown, fchown32, lchown, lchown32, creat, open, truncate, truncate64, ftruncate, ftruncate64, unlink, rename, link, symlink, mknod, mount, umount, umount2 |
| 6 | Root Level Access | 1-5 | X | X | chown, chown32, fchown, fchown32, lchown, lchown32, adjtimex, settimeofday |
| 7 | Uploads from local devices | 1-5 | X | X | mount, umount, umount2 |
| 8 | Writes/Downloads to local devices (A drives, Jazz drives, Printers) | 1-5 | X | | mount, umount, umount2 |
| 9 | System Restarts/Shutdowns | 1-5 | X | X | reboot |
| 10 | Change of users' formal access permissions | 3-5 | X | X | N/A |
| 11 | Information downgrades and overrides | 4-5 | X | X | N/A |
| 12 | Attempted access to objects or data whose labels are inconsistent with user privileges | 4-5 | | X | N/A |
| 13 | Changes to security labels | 4-5 | X | X | chmod, fchmod, chown, chown32, fchown, fchown32, lchown, lchown32, umask |
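The syscall column above is only useful once it is loaded into the Linux audit subsystem, and the names in it are not all valid on every architecture. The following is an added example, not part of JDCSISSS or DCID 6/3, that turns a subset of the table rows into auditctl(8) rule lines; the rule keys (jdc_*), the chosen rows, and the treatment of the Success/Failure columns as a -F success= filter are this example's own assumptions.

```python
# Added example (not from JDCSISSS or DCID 6/3): build auditctl rules from
# the audit table. Keys (jdc_*) and the row subset are assumptions.

# Syscall names that exist only in the i386 (arch=b32) syscall table. An
# arch=b64 rule naming one of them is rejected by auditctl, so they are
# dropped there. On an x86_64 host load both a b32 and a b64 rule, since
# 32-bit binaries still reach the compat syscall table.
B32_ONLY = {"chown32", "fchown32", "lchown32", "truncate64", "ftruncate64",
            "umount"}

# (row no., rule key, Success column, Failure column, syscalls) for a
# subset of the table rows that map to syscalls (constructed from the table).
TABLE_ROWS = [
    (3, "jdc_dac_objects", True, True, ["open", "creat"]),
    (6, "jdc_root_access", True, True,
     ["chown", "chown32", "fchown", "fchown32", "lchown", "lchown32",
      "adjtimex", "settimeofday"]),
    (7, "jdc_uploads", True, True, ["mount", "umount", "umount2"]),
    (8, "jdc_writes", True, False, ["mount", "umount", "umount2"]),
    (9, "jdc_restart", True, True, ["reboot"]),
]


def build_rule(arch, syscalls, success, failure, key):
    """Return one auditctl rule line, or None if nothing remains to audit.

    When only one of the Success/Failure columns is checked, a
    -F success=1/0 filter limits the rule to that outcome.
    """
    names = [s for s in syscalls if arch == "b32" or s not in B32_ONLY]
    if not names or not (success or failure):
        return None
    parts = ["-a", "always,exit", "-F", f"arch={arch}", "-S", ",".join(names)]
    if success != failure:
        parts += ["-F", f"success={1 if success else 0}"]
    parts += ["-k", key]
    return " ".join(parts)


def build_rules(arch="b64"):
    """Rule lines for every row in TABLE_ROWS on the given arch."""
    rules = []
    for _, key, success, failure, syscalls in TABLE_ROWS:
        rule = build_rule(arch, syscalls, success, failure, key)
        if rule:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for arch in ("b32", "b64"):
        print("\n".join(build_rules(arch)))
```

The printed lines can be placed in an audit.rules file and loaded with `auditctl -R`; the -k key lets `ausearch -k` pull out the records for the weekly review required in 4.B.2.a(4)(c).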