Splunk Lantern

NIST SP 800-53 audit and accountability

You need to conduct thorough system audits in order to demonstrate compliance with the audit and accountability controls in NIST SP 800-53 rev5.

Required data

To optimize the searches shown below, you should specify an index and a time range.

Audit events

To review your sourcetypes to verify that the system can audit event types, run the following search.

| metadata index=* type=sourcetypes 
| search (sourcetype="*") 
| eval "First Timestamp" = strftime(firstTime, "%x %X"), "Last Timestamp" = strftime(lastTime, "%x %X"), "Most Recent Update" = strftime(recentTime, "%x %X") 
| table "First Timestamp" "Last Timestamp" "Most Recent Update" sourcetype totalCount 
| sort sourcetype
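The search above only lists what has been indexed; the audit question behind it is whether every expected sourcetype is still producing events. The following Python is an added example (not Splunk's code and not part of this article) that takes rows shaped like the fields `| metadata type=sourcetypes` returns (`sourcetype`, `firstTime`, `lastTime`, `recentTime`, `totalCount`, all epoch seconds), builds the same table, and additionally flags sourcetypes whose last event is older than a threshold. The sample rows, the reference time `NOW` and the 24-hour threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time for the staleness check (assumption, not real data).
NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample rows in the shape of "| metadata type=sourcetypes" output.
# These are not real Splunk results.
SAMPLE_METADATA = [
    {"sourcetype": "WinEventLog:Security", "firstTime": 1700000000,
     "lastTime": 1705318800, "recentTime": 1705318800, "totalCount": 98213},
    {"sourcetype": "linux_secure", "firstTime": 1700000000,
     "lastTime": 1705000000, "recentTime": 1705000000, "totalCount": 4412},
    {"sourcetype": "cisco:asa", "firstTime": 1700000000,
     "lastTime": 1705320000, "recentTime": 1705320000, "totalCount": 55120},
]


def fmt(epoch):
    """Render an epoch timestamp; the search uses strftime(..., "%x %X"),
    an unambiguous ISO-style format is used here instead."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def sourcetype_report(rows):
    """Equivalent of the eval/table/sort steps of the search."""
    report = []
    for r in sorted(rows, key=lambda r: r["sourcetype"]):
        report.append({
            "First Timestamp": fmt(r["firstTime"]),
            "Last Timestamp": fmt(r["lastTime"]),
            "Most Recent Update": fmt(r["recentTime"]),
            "sourcetype": r["sourcetype"],
            "totalCount": r["totalCount"],
        })
    return report


def stale_sourcetypes(rows, now=NOW, max_age=timedelta(hours=24)):
    """Added check beyond the search: sourcetypes whose newest event (lastTime)
    is older than max_age. A silent sourcetype usually means auditing on that
    system has stopped, which is an AU-2 coverage gap worth alerting on."""
    cutoff = now - max_age
    return sorted(
        r["sourcetype"] for r in rows
        if datetime.fromtimestamp(r["lastTime"], tz=timezone.utc) < cutoff
    )


if __name__ == "__main__":
    for row in sourcetype_report(SAMPLE_METADATA):
        print(row)
    print("stale:", stale_sourcetypes(SAMPLE_METADATA))
```

With the constructed rows, `linux_secure` is reported as stale because its last event is roughly 89 hours before `NOW`, while the other two sourcetypes have events within the last hour.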

Audit storage capacity

To decide how to allocate audit record storage capacity to accommodate the required retention period, run the following search.

| tstats count FROM datamodel=Performance WHERE nodename=All_Performance.Storage BY All_Performance.dest All_Performance.Storage.storage_free
| eval critical_level=500 
| eval free_mb = 'All_Performance.Storage.storage_free'/1000000 
| search free_mb != '' 
| rename All_Performance.dest AS Host
| stats avg(free_mb) AS "Average_Free", median(free_mb) AS "Median_Free_MB", max(free_mb) AS "Maximum_Free_MB", avg(critical_level) AS "Critical_Level_MB" BY Host
| eval "Average Free"=round(Average_Free,0)
| eval "Median Free MB"=round(Median_Free_MB,0)
| eval "Maximum Free MB"=round(Maximum_Free_MB,0)
| eval "Critical Level MB"=round(Critical_Level_MB,0)
| table Host "Average Free" "Median Free MB" "Maximum Free MB" "Critical Level MB" 
| search (Host="*")
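To make the arithmetic of this search concrete, here is an added Python example (not Splunk's code and not part of this article) that performs the same per-host aggregation over records shaped like `All_Performance.Storage` rows (`dest`, `storage_free` in bytes), drops empty values as `search free_mb != ''` does, and rounds the results. It goes one step beyond the search by also flagging hosts under the critical level and estimating how many days of retention the free space supports; the sample records and the per-host daily ingest figures are constructed assumptions.

```python
from statistics import mean, median

# Same constant the search sets with "eval critical_level=500".
CRITICAL_LEVEL_MB = 500

# Constructed sample Performance.Storage records (storage_free in bytes).
# Not real Splunk data. The None value stands in for a missing field.
SAMPLE_STORAGE = [
    {"dest": "web01", "storage_free": 52_000_000_000},
    {"dest": "web01", "storage_free": 48_000_000_000},
    {"dest": "web01", "storage_free": 50_000_000_000},
    {"dest": "idx02", "storage_free": 400_000_000},
    {"dest": "idx02", "storage_free": 300_000_000},
    {"dest": "idx02", "storage_free": None},
]

# Constructed assumption: average audit data written per host per day, in MB.
SAMPLE_DAILY_INGEST_MB = {"web01": 1000, "idx02": 50}


def storage_summary(records, critical_level_mb=CRITICAL_LEVEL_MB):
    """Equivalent of the eval/stats/round/table steps of the search."""
    per_host = {}
    for rec in records:
        if rec.get("storage_free") is None:   # mirrors: search free_mb != ''
            continue
        free_mb = rec["storage_free"] / 1_000_000  # mirrors: eval free_mb = ... / 1000000
        per_host.setdefault(rec["dest"], []).append(free_mb)
    rows = []
    for host in sorted(per_host):
        vals = per_host[host]
        rows.append({
            "Host": host,
            "Average Free": round(mean(vals)),
            "Median Free MB": round(median(vals)),
            "Maximum Free MB": round(max(vals)),
            "Critical Level MB": critical_level_mb,
        })
    return rows


def hosts_below_critical(rows):
    """Added check: hosts whose median free space is under the critical level."""
    return [r["Host"] for r in rows if r["Median Free MB"] < r["Critical Level MB"]]


def retention_days(rows, daily_ingest_mb):
    """Added estimate: days of audit retention the median free space supports,
    given an assumed daily ingest rate per host (AU-4 capacity planning)."""
    return {
        r["Host"]: round(r["Median Free MB"] / daily_ingest_mb[r["Host"]], 1)
        for r in rows if r["Host"] in daily_ingest_mb
    }


if __name__ == "__main__":
    summary = storage_summary(SAMPLE_STORAGE)
    for row in summary:
        print(row)
    print("below critical:", hosts_below_critical(summary))
    print("retention days:", retention_days(summary, SAMPLE_DAILY_INGEST_MB))
```

In the constructed data, `idx02` has a median of 350 MB free, below the 500 MB critical level, and at an assumed 50 MB/day would hold only about a week of audit records, which is the kind of result that should drive a storage allocation decision.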

Responses to audit processing failures

These searches help you alert system administrators in the event of an audit processing failure.

Log clearing events

To view all log clearing events, run the following search.

| tstats count FROM datamodel=Change WHERE nodename=All_Changes.Auditing_Changes All_Changes.action=cleared BY host, All_Changes.user, All_Changes.result, _time span=1s
| rename All_Changes.user AS user, All_Changes.result AS action
| table _time, host, user, action

Log write failures

To see all auditing changes with an action of stopped, such as audit logging being halted, run the following search.

| tstats count FROM datamodel=Change WHERE nodename=All_Changes.Auditing_Changes All_Changes.action=stopped BY host, All_Changes.user, All_Changes.result, _time span=1s
| rename All_Changes.user AS user, All_Changes.result AS action
| table _time, host, user, action
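Both searches in this section apply the same logic: keep Auditing_Changes events whose `action` is `cleared` or `stopped`, rename `user` and `result`, and count by host, user, result and one-second time bucket. The following Python is an added example (not Splunk's code and not part of this article) that runs that logic over a few constructed key=value log lines, so you can see exactly which rows an alert would fire on. The line format, field names and sample values are constructed assumptions; the Change data model's real field names are `All_Changes.action`, `All_Changes.user` and `All_Changes.result` as used in the searches.

```python
import re
from collections import Counter

# Constructed sample events in a key=value shape loosely mirroring the fields the
# Change data model's Auditing_Changes node normalizes. Not real logs.
SAMPLE_EVENTS = [
    '2024-01-15T10:00:01Z host=web01 action=cleared user=jdoe result="audit log cleared"',
    '2024-01-15T10:00:01Z host=web01 action=cleared user=jdoe result="audit log cleared"',
    '2024-01-15T10:05:30Z host=idx02 action=stopped user=SYSTEM result="audit service stopped"',
    '2024-01-15T10:07:12Z host=web01 action=modified user=admin result="audit policy changed"',
]

EVENT_RE = re.compile(r'^(?P<_time>\S+)\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split a constructed line into a dict of fields (timestamp plus key=value pairs)."""
    m = EVENT_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable event: {line!r}")
    fields = {"_time": m.group("_time")}
    for key, quoted, bare in KV_RE.findall(m.group("kv")):
        fields[key] = quoted if quoted else bare
    return fields


def audit_failures(lines, actions=("cleared", "stopped")):
    """Mirror of the two searches: filter by action, then count by
    (_time at 1s span, host, user, result). As in the searches, the
    'result' field is presented under the column name 'action'."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("action") not in actions:
            continue
        second = ev["_time"][:19]          # truncate to seconds, like span=1s
        counts[(second, ev["host"], ev.get("user", ""), ev.get("result", ""))] += 1
    return [
        {"_time": t, "host": h, "user": u, "action": a, "count": c}
        for (t, h, u, a), c in sorted(counts.items())
    ]


if __name__ == "__main__":
    for row in audit_failures(SAMPLE_EVENTS):
        print(row)
```

Run on the constructed lines, the two identical `cleared` events on `web01` collapse into one row with a count of 2 (same one-second bucket), the `stopped` event on `idx02` produces a second row, and the `modified` event is ignored because neither search selects that action. Passing `actions=("cleared",)` reproduces the log clearing search alone.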

Next steps

Content of audit records

Leveraging Splunk Enterprise or Splunk Cloud Platform to ingest and index time-series data from the systems, infrastructure, and users covered by security controls supports near real-time visibility and auditability of:

  • related events
  • time of occurrence
  • components/source of where the event occurred
  • user accounts associated with the event(s)

Audit review, analysis, and reporting

Leveraging Splunk Enterprise or Splunk Cloud Platform provides native functionality for audit and report generation, in near real-time, for any data that has been indexed and also empowers auditors and analysts with functionality for on-demand spot reviews and deeper dive analyses on topics or investigations of interest.

Audit reduction and report generation

Leveraging Splunk to ingest and index time-series data supports on-demand review, analysis, and reporting in near real-time and retroactively according to an organization's data retention requirements. Splunk Enterprise's optional data integrity control feature provides a mechanism to verify the integrity of indexed data via SHA-256 hashing.

Protection of audit information

Events stored within Splunk Enterprise or Splunk Cloud Platform cannot be modified, and the deletion of events requires the assignment of special capabilities. For more information, see About securing the Splunk platform.

Audit record retention

Splunk Enterprise and Splunk Cloud Platform provide customizable settings for defining and adjusting data retention durations. This lets organizations align retention with applicable regulatory or other data retention requirements, so that after-the-fact investigations and audits remain possible.

Audit generation

Leveraging Splunk Enterprise or Splunk Cloud Platform software provides native functionality for audit and report generation, in near real-time, for any data that has been indexed and also empowers auditors and analysts with functionality for on-demand spot reviews and deeper dive analyses on topics or investigations of interest.

After running these audit and accountability searches and taking appropriate action, you may want to look into other NIST SP 800-53 rev5 controls: