Red Hat Virtualization Host - Audit and Accountability

Control responses for NIST 800-53 rev4.


Requirements Traceability Matrix

| Control | Name | Status |
|---|---|---|
| AU-1 | Audit And Accountability Policy And Procedures | not applicable |
| AU-2 | Audit Events | not applicable |
| AU-2 (1) | Compilation Of Audit Records From Multiple Sources | |
| AU-2 (2) | Selection Of Audit Events By Component | |
| AU-2 (3) | Reviews And Updates | |
| AU-2 (4) | Privileged Functions | |
| AU-3 | Content Of Audit Records | complete |
| AU-3 (1) | Additional Audit Information | |
| AU-3 (2) | Centralized Management Of Planned Audit Record Content | |
| AU-4 | Audit Storage Capacity | not applicable |
| AU-4 (1) | Transfer To Alternate Storage | |
| AU-5 | Response To Audit Processing Failures | complete |
| AU-5 (1) | Audit Storage Capacity | |
| AU-5 (2) | Real-Time Alerts | |
| AU-5 (3) | Configurable Traffic Volume Thresholds | |
| AU-5 (4) | Shutdown On Failure | |
| AU-6 | Audit Review, Analysis, And Reporting | not applicable |
| AU-6 (1) | Process Integration | |
| AU-6 (2) | Automated Security Alerts | |
| AU-6 (3) | Correlate Audit Repositories | |
| AU-6 (4) | Central Review And Analysis | |
| AU-6 (5) | Integration / Scanning And Monitoring Capabilities | |
| AU-6 (6) | Correlation With Physical Monitoring | |
| AU-6 (7) | Permitted Actions | |
| AU-6 (8) | Full Text Analysis Of Privileged Commands | |
| AU-6 (9) | Correlation With Information From Nontechnical Sources | |
| AU-6 (10) | Audit Level Adjustment | |
| AU-7 | Audit Reduction And Report Generation | |
| AU-7 (1) | Automatic Processing | |
| AU-7 (2) | Automatic Sort And Search | |
| AU-8 | Time Stamps | complete |
| AU-8 (1) | Synchronization With Authoritative Time Source | |
| AU-8 (2) | Secondary Authoritative Time Source | |
| AU-9 | Protection Of Audit Information | complete |
| AU-9 (1) | Hardware Write-Once Media | |
| AU-9 (2) | Audit Backup On Separate Physical Systems / Components | |
| AU-9 (3) | Cryptographic Protection | |
| AU-9 (4) | Access By Subset Of Privileged Users | |
| AU-9 (5) | Dual Authorization | |
| AU-9 (6) | Read Only Access | |
| AU-10 | Non-Repudiation | |
| AU-10 (1) | Association Of Identities | |
| AU-10 (2) | Validate Binding Of Information Producer Identity | |
| AU-10 (3) | Chain Of Custody | |
| AU-10 (4) | Validate Binding Of Information Reviewer Identity | |
| AU-10 (5) | Digital Signatures | |
| AU-11 | Audit Record Retention | not applicable |
| AU-11 (1) | Long-Term Retrieval Capability | |
| AU-12 | Audit Generation | planned |
| AU-12 (1) | System-Wide / Time-Correlated Audit Trail | |
| AU-12 (2) | Standardized Formats | |
| AU-12 (3) | Changes By Authorized Individuals | |
| AU-13 | Monitoring For Information Disclosure | |
| AU-13 (1) | Use Of Automated Tools | |
| AU-13 (2) | Review Of Monitored Sites | |
| AU-14 | Session Audit | |
| AU-14 (1) | System Start-Up | |
| AU-14 (2) | Capture/Record And Log Content | |
| AU-14 (3) | Remote Viewing / Listening | |
| AU-15 | Alternate Audit Capability | |
| AU-16 | Cross-Organizational Auditing | |
| AU-16 (1) | Identity Preservation | |
| AU-16 (2) | Sharing Of Audit Information | |



AU-1: Audit And Accountability Policy And Procedures

The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency].

AU-1 Control Response Information
Implementation Status:

not applicable

AU-1: What is the solution and how is it implemented?
AU-1(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

AU-1(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




AU-2: Audit Events

The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

AU-2 Control Response Information
Implementation Status:

not applicable

AU-2: What is the solution and how is it implemented?
AU-2(a):

‘The selection of organization-defined auditable events is not applicable to the configuration of Red Hat Virtualization Host (RHVH).

However, as supplementary information, RHVH was designed to audit events identified in Intelligence Community Standard Number 500-27 (ICS 500-27). The following set of auditable events represents a minimal set of events suggested to be audited:

- Authentication Events
  * Logons (Success/Failure)
  * Logoffs (Success/Failure)
- File & Object Events
  * Create (Success/Failure)
  * Access (Success/Failure)
  * Delete (Success/Failure)
  * Modify (Success/Failure)
  * Permission Modifications (Success/Failure)
  * Ownership Modifications (Success/Failure)
- User & Group Management Events
  * User add, delete, modify, suspend, lock (Success/Failure)
  * Group/Role add, delete, modify (Success/Failure)
- Use of Privileged/Special Rights Events
  * Security or audit policy changes (Success/Failure)
  * Configuration Changes (Success/Failure)
- Admin or root-level access (Success/Failure)
- Privilege/Role escalation (Success/Failure)
- Audit and log data access (Success/Failure)
- System Reboot, Restart & Shutdown (Success/Failure)’

AU-2(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

AU-2(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

AU-2(d):

‘The frequency of (or situation requiring) auditing for the events identified in AU-2(a) is not applicable to the configuration of Red Hat Virtualization Host (RHVH).

As supplementary information, RHVH is capable of auditing the success and failure, in real time, of events identified in AU-2(a).’




AU-2 (1): Compilation Of Audit Records From Multiple Sources

“[Withdrawn: Incorporated into AU-12].”

AU-2 (1) Control Response Information
Implementation Status:
AU-2 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



AU-2 (2): Selection Of Audit Events By Component

“[Withdrawn: Incorporated into AU-12].”

AU-2 (2) Control Response Information
Implementation Status:
AU-2 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



AU-2 (3): Reviews And Updates

“The organization reviews and updates the audited events [Assignment: organization-defined frequency].”

AU-2 (3) Control Response Information
Implementation Status:
AU-2 (3): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



AU-2 (4): Privileged Functions

“[Withdrawn: Incorporated into AC-6 (9)].”

AU-2 (4) Control Response Information
Implementation Status:
AU-2 (4): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



AU-3: Content Of Audit Records

“The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.”

AU-3 Control Response Information
Implementation Status:

complete

AU-3: What is the solution and how is it implemented?

Red Hat Virtualization Host (RHVH) audit records contain the required information and cannot be configured to be out of compliance with this control.




AU-3 (1): Additional Audit Information

“The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information].”

AU-3 (1) Control Response Information
Implementation Status:
AU-3 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



AU-3 (2): Centralized Management Of Planned Audit Record Content

“The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].”

AU-3 (2) Control Response Information
Implementation Status:
AU-3 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



AU-4: Audit Storage Capacity

“The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].”

AU-4 Control Response Information
Implementation Status:

not applicable

AU-4: What is the solution and how is it implemented?

This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).




AU-4 (1): Transfer To Alternate Storage

“The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.”

AU-4 (1) Control Response Information
Implementation Status:
AU-4 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



AU-5: Response To Audit Processing Failures

The information system: a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

AU-5 Control Response Information
Implementation Status:

complete

AU-5: What is the solution and how is it implemented?
AU-5(a):

‘The audit subsystem was designed to uniquely identify multiple causes of audit processing failures. Configuring the audit subsystem to alert, or take alternative actions such as shutdown, is detailed in AU-5(b).’

AU-5(b):

‘To shut down a Red Hat Virtualization Host (RHVH) node upon an audit processing failure, which includes software/hardware errors, failures in audit capturing mechanisms, or audit storage capacity being reached or exceeded, the following configuration check must be enabled:

  • CCE-80381-7: Shutdown System When Auditing Failures Occur

To configure the system to take action upon detecting a disk error, such as errors writing to disk or rotating audit logs, the following configuration check must be enabled:

  • CCE-80501-0: Configure auditd Disk Error Action on Disk Error’
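
One way to verify the two settings behind AU-5(b) on a host, as an added example that is not part of the original control response or Red Hat's tooling. It assumes CCE-80381-7 corresponds to the kernel audit failure mode `-f 2` in the audit rules file and CCE-80501-0 to `disk_error_action` in `auditd.conf`; the page names only the CCE identifiers. The accepted action values and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: static check of auditd failure handling for AU-5(b).

# failure_mode FILE: print the effective "-f N" value from an audit rules file.
# Rules are applied in order, so the last -f line wins; prints nothing if unset.
failure_mode() {
    awk '$1 == "-f" { mode = $2 } END { print mode }' "$1"
}

# disk_error_action FILE: print the lower-cased disk_error_action from an
# auditd.conf-style file, skipping commented-out lines.
disk_error_action() {
    awk -F'=' '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        tolower(key) == "disk_error_action" {
            val = $2; gsub(/[ \t]/, "", val); action = tolower(val)
        }
        END { print action }' "$1"
}

# check_audit_failure RULES CONF: return 0 only if both settings are acceptable.
check_audit_failure() {
    rc=0
    mode=$(failure_mode "$1")
    [ "$mode" = "2" ] || { echo "FAIL: failure mode '${mode:-unset}', expected 2 (panic)"; rc=1; }
    action=$(disk_error_action "$2")
    case "$action" in
        syslog|single|halt) ;;   # assumed acceptable set; adjust to site policy
        *) echo "FAIL: disk_error_action '${action:-unset}' takes no visible action"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample files (not taken from a real host): both settings are weak.
tmp=$(mktemp -d)
printf '%s\n' '-D' '-b 8192' '-f 1' \
    '-w /etc/passwd -p wa -k identity' > "$tmp/audit.rules"
printf '%s\n' 'log_file = /var/log/audit/audit.log' \
    'disk_error_action = SUSPEND' > "$tmp/auditd.conf"

check_audit_failure "$tmp/audit.rules" "$tmp/auditd.conf" \
    || echo "sample host would not satisfy the AU-5(b) response"
```

On a real host, pass the deployed rules file and `/etc/audit/auditd.conf` to `check_audit_failure` instead of the sample files.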



AU-5 (1): Audit Storage Capacity

“The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity.”

AU-5 (1) Control Response Information
Implementation Status:
AU-5 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



AU-5 (2): Real-Time Alerts

“The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].”

AU-5 (2) Control Response Information
Implementation Status:
AU-5 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



AU-5 (3): Configurable Traffic Volume Thresholds

“The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds.”

AU-5 (3) Control Response Information
Implementation Status:
AU-5 (3): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



AU-5 (4): Shutdown On Failure

“The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists.”

AU-5 (4) Control Response Information
Implementation Status:
AU-5 (4): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



AU-6: Audit Review, Analysis, And Reporting

The organization: a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and b. Reports findings to [Assignment: organization-defined personnel or roles].

AU-6 Control Response Information
Implementation Status:

not applicable

AU-6: What is the solution and how is it implemented?
AU-6(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

AU-6(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




AU-6 (1): Process Integration

“The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.”

AU-6 (1) Control Response Information
Implementation Status:
AU-6 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



AU-6 (2): Automated Security Alerts

“[Withdrawn: Incorporated into SI-4].”

AU-6 (2) Control Response Information
Implementation Status:
AU-6 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



AU-6 (3): Correlate Audit Repositories

“The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.”

AU-6 (3) Control Response Information
Implementation Status: