NIST SP 800-53 audit and accountability
Audit and data management activities include audit generation, retention, and analysis. You need to conduct thorough system audits in order to ensure compliance with NIST SP 800-53 rev5.
Required data
- Data normalized to the following Common Information Models: Performance, Change
To optimize the searches shown below, you should specify an index and a time range.
Audit events
To review your source types and verify which event types the system can audit, run the following search.
| metadata index=* type=sourcetypes | search (sourcetype="*") | eval "First Timestamp" = strftime(firstTime, "%x %X"), "Last Timestamp" = strftime(lastTime, "%x %X"), "Most Recent Update" = strftime(recentTime, "%x %X") | table "First Timestamp" "Last Timestamp" "Most Recent Update" sourcetype totalCount | sort sourcetype
Audit storage capacity
To decide how to allocate audit record storage capacity to accommodate the required retention period, run the following search.
| tstats count FROM datamodel=Performance WHERE nodename=All_Performance.Storage BY All_Performance.dest All_Performance.Storage.storage_free | eval critical_level=500 | eval free_mb = 'All_Performance.Storage.storage_free'/1000000 | search free_mb != '' | rename All_Performance.dest AS Host | stats avg(free_mb) AS "Average_Free", median(free_mb) AS "Median_Free_MB", max(free_mb) AS "Maximum_Free_MB", avg(critical_level) AS "Critical_Level_MB" BY Host | eval "Average Free"=round(Average_Free,0) | eval "Median Free MB"=round(Median_Free_MB,0) | eval "Maximum Free MB"=round(Maximum_Free_MB,0) | eval "Critical Level MB"=round(Critical_Level_MB,0) | table Host "Average Free" "Median Free MB" "Maximum Free MB" "Critical Level MB" | search (Host="*")
Responses to audit processing failures
These searches help you alert system administrators in the event of an audit processing failure.
Log clearing events
To view all log clearing events, run the following search.
| tstats count FROM datamodel=Change WHERE nodename=All_Changes.Auditing_Changes All_Changes.action=cleared BY host, All_Changes.user, All_Changes.result, _time span=1s | rename All_Changes.user AS user, All_Changes.result AS action | table _time, host, user, action
Log write failures
To see all auditing changes with a stopped action, run the following search.
| tstats count FROM datamodel=Change WHERE nodename=All_Changes.Auditing_Changes All_Changes.action=stopped BY host, All_Changes.user, All_Changes.result, _time span=1s | rename All_Changes.user AS user, All_Changes.result AS action | table _time, host, user, action
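Both searches above draw on the Auditing_Changes node of the Change data model and differ only in the action they match. The following Python is an added example, not part of this page or of Splunk, that applies the same detection logic offline to a constructed set of CIM-style events: it keeps only auditing changes whose action is cleared or stopped, buckets them to the second (the searches' span=1s), and counts per host, user and result as the tstats searches do. The change_type field used to select auditing changes, the event records, and the host and user names are all assumptions constructed for the example.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of CIM Change-model events (not real log data). The
# Auditing_Changes node of the Change model is assumed here to be the subset
# of events with change_type="audit".
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T10:15:00Z", "host": "dc01", "user": "admin",
     "change_type": "audit", "action": "cleared", "result": "success"},
    # Same event delivered twice (e.g. two forwarders); lands in the same bucket.
    {"_time": "2024-03-01T10:15:00Z", "host": "dc01", "user": "admin",
     "change_type": "audit", "action": "cleared", "result": "success"},
    {"_time": "2024-03-01T11:02:30Z", "host": "web02", "user": "svc_backup",
     "change_type": "audit", "action": "stopped", "result": "success"},
    # Not an auditing change: filtered out, like nodename=All_Changes.Auditing_Changes.
    {"_time": "2024-03-01T11:03:00Z", "host": "web02", "user": "svc_backup",
     "change_type": "filesystem", "action": "modified", "result": "success"},
    # An attempt to stop auditing that did not succeed.
    {"_time": "2024-03-01T12:00:00Z", "host": "app01", "user": "root",
     "change_type": "audit", "action": "stopped", "result": "failure"},
]

AUDIT_FAILURE_ACTIONS = ("cleared", "stopped")


def to_second_bucket(iso_utc: str) -> str:
    """Equivalent of 'span=1s': truncate an ISO-8601 UTC timestamp to whole seconds."""
    ts = datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc, microsecond=0).isoformat()


def audit_failure_events(events, actions=AUDIT_FAILURE_ACTIONS):
    """Offline equivalent of the two tstats searches: count auditing changes whose
    action is 'cleared' or 'stopped', grouped by time bucket, host, user and result."""
    counts = Counter()
    for ev in events:
        if ev.get("change_type") != "audit" or ev.get("action") not in actions:
            continue
        key = (to_second_bucket(ev["_time"]), ev["host"], ev["user"],
               ev["action"], ev["result"])
        counts[key] += 1
    return [
        {"_time": t, "host": h, "user": u, "action": a, "result": r, "count": c}
        for (t, h, u, a, r), c in sorted(counts.items())
    ]


def hosts_to_alert(rows):
    """Hosts where a clear or stop of auditing actually succeeded; these are the
    ones an administrator should be notified about first."""
    return sorted({r["host"] for r in rows if r["result"] == "success"})


if __name__ == "__main__":
    rows = audit_failure_events(SAMPLE_EVENTS)
    for row in rows:
        print(row)
    print("alert hosts:", hosts_to_alert(rows))
```

Unlike the searches, which rename result to action in their output table, the example keeps both fields so that a stop of auditing that failed (app01 in the sample) is distinguishable from one that succeeded, and only the latter feed the administrator alert.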
Next steps
Content of audit records
Using the Splunk platform to ingest and index time-series data from the systems, infrastructure, and users relevant to security controls supports near real-time visibility and auditability of:
- related events
- time of occurrence
- components/source of where the event occurred
- user accounts associated with the events
Audit review, analysis, and reporting
The Splunk platform provides native functionality for audit and report generation, in near real-time, for any data that has been indexed, and gives auditors and analysts the means for on-demand spot reviews and deeper analyses of topics or investigations of interest.
Audit reduction and report generation
Using the Splunk platform to ingest and index time-series data supports on-demand review, analysis, and reporting, both in near real-time and retroactively according to an organization's data retention requirements. The optional Splunk Enterprise data integrity control feature provides a mechanism to verify the integrity of indexed data via SHA-256 hashing.
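The data integrity control is described in one sentence above. The Python below is an added example, not Splunk's implementation or its on-disk format, showing the mechanism such a control relies on: SHA-256 digests are computed over slices of the raw events when they are written, and later recomputed and compared to detect an edited or deleted event. The events, the slice size and the manifest layout are assumptions constructed for the example.

```python
import hashlib

# Constructed sample of indexed raw events (not real log data).
SAMPLE_EVENTS = [
    "2024-03-01T10:15:00Z dc01 audit log cleared by admin",
    "2024-03-01T10:16:12Z dc01 user admin logged off",
    "2024-03-01T11:02:30Z web02 auditing service stopped by svc_backup",
    "2024-03-01T11:03:00Z web02 file /etc/audit/rules.d/local.rules modified",
    "2024-03-01T12:00:00Z app01 attempt to stop auditing failed for root",
]

SLICE_SIZE = 2  # events per level-1 hash slice; chosen for the example


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_integrity_manifest(events, slice_size=SLICE_SIZE):
    """Two-level digest: one SHA-256 per slice of raw events (level 1) and one
    SHA-256 over the ordered level-1 digests (level 2)."""
    l1 = []
    for start in range(0, len(events), slice_size):
        raw = b"".join(e.encode("utf-8") + b"\n" for e in events[start:start + slice_size])
        l1.append(sha256_hex(raw))
    return {"slice_size": slice_size, "l1": l1, "l2": sha256_hex("".join(l1).encode("ascii"))}


def verify_integrity(events, manifest):
    """Recompute the digests and compare them with the stored manifest.
    Returns (ok, bad_slices); bad_slices lists the level-1 slices that do not
    match, including slices present on only one side (added or deleted data)."""
    fresh = build_integrity_manifest(events, manifest["slice_size"])
    stored = manifest["l1"]
    n = max(len(fresh["l1"]), len(stored))
    bad = [i for i in range(n)
           if i >= len(fresh["l1"]) or i >= len(stored) or fresh["l1"][i] != stored[i]]
    return (not bad and fresh["l2"] == manifest["l2"], bad)


if __name__ == "__main__":
    manifest = build_integrity_manifest(SAMPLE_EVENTS)
    print("clean:", verify_integrity(SAMPLE_EVENTS, manifest))
    tampered = list(SAMPLE_EVENTS)
    tampered[2] = tampered[2].replace("stopped", "restarted")
    print("edited event:", verify_integrity(tampered, manifest))
    print("deleted event:", verify_integrity(SAMPLE_EVENTS[:-1], manifest))
```

The per-slice digests localise a failure to a small range of events, which is what makes a check practical on a large index. The manifest itself must be stored where the index writer cannot rewrite it (write-once or separately controlled storage): a manifest rebuilt over already-tampered data verifies cleanly, so an integrity check is only as strong as the protection of the stored digests.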
Protection of audit information
Splunk Enterprise software includes native security features such as role-based access control and access control lists, and enables best-of-breed solutions for authorization, enterprise single sign-on and multi-factor authentication, to manage and secure software-level access. Events stored within the Splunk platform cannot be modified, and the deletion of events requires the assignment of special capabilities. For more information, see About securing the Splunk platform.
Audit record retention
Splunk platform software provides easily customizable functionality for setting and adjusting data retention durations. This enables organizations to easily adjust retention settings to ensure that after-the-fact investigations and audits are possible and in alignment with applicable regulatory or other relevant data retention requirements.
Audit generation
Splunk platform software provides native functionality for audit and report generation, in near real-time, for any data that has been indexed, and gives auditors and analysts the means for on-demand spot reviews and deeper analyses of topics or investigations of interest.
After running these audit searches and taking appropriate action, you may want to look into other NIST SP 800-53 rev5 controls: