
AU-5 Response to Audit Logging Process Failures

IL4 Mod
IL4 High
IL5
IL6

>Control Description

a. Alert organization-defined personnel or roles within organization-defined time period in the event of an audit logging process failure; and

b. Take the following additional actions: organization-defined additional actions.

>DoD Impact Level Requirements

FedRAMP Parameter Values

AU-5 (b) [overwrite oldest record]

>Discussion

Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors.

When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel.

>Programmatic Queries

Related Services

CloudWatch Alarms
SNS
CloudTrail

CLI Commands

Check CloudTrail logging status
aws cloudtrail get-trail-status --name TRAIL_NAME --query '{IsLogging:IsLogging,LatestDeliveryError:LatestDeliveryError}'
List alarms for logging failures
aws cloudwatch describe-alarms --alarm-name-prefix 'CloudTrail'
Check log delivery errors
aws cloudtrail get-trail-status --name TRAIL_NAME --query 'LatestDeliveryError'
List SNS subscriptions for alerts
aws sns list-subscriptions-by-topic --topic-arn ARN
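
The output of the commands above can be combined into one AU-5 (a) evidence check: is the trail logging, and would a failure actually reach a person? The following is an added example, not part of the original page; it assumes each command's JSON output has already been saved and parsed, and the function name and all sample trail, alarm and topic values are constructed for illustration.

```python
"""AU-5 (a) evidence check over saved AWS CLI JSON output (added example)."""

def au5_findings(trail_status, alarms, subs_by_topic):
    """Return a list of findings; an empty list means an alert path exists.

    trail_status  : parsed `aws cloudtrail get-trail-status` output
    alarms        : parsed `aws cloudwatch describe-alarms` output
    subs_by_topic : {topic_arn: parsed `aws sns list-subscriptions-by-topic`}
    """
    findings = []
    if not trail_status.get("IsLogging", False):
        findings.append("trail is not logging")
    if trail_status.get("LatestDeliveryError"):
        findings.append("delivery error: " + trail_status["LatestDeliveryError"])

    # Alarms that can actually notify: actions enabled and an SNS action set.
    # Match on the ARN service field so any partition (aws, aws-us-gov) works.
    topics = set()
    for alarm in alarms.get("MetricAlarms", []):
        if alarm.get("ActionsEnabled"):
            topics.update(a for a in alarm.get("AlarmActions", [])
                          if a.split(":")[2:3] == ["sns"])
    if not topics:
        findings.append("no enabled alarm notifies an SNS topic")

    # A topic alerts nobody until a subscription is confirmed; unconfirmed
    # ones report the literal SubscriptionArn "PendingConfirmation".
    for topic in sorted(topics):
        subs = subs_by_topic.get(topic, {}).get("Subscriptions", [])
        if not any(s.get("SubscriptionArn", "").startswith("arn:") for s in subs):
            findings.append("no confirmed subscriber on " + topic)
    return findings


# Constructed sample data (placeholder account id and names, not real output).
TOPIC = "arn:aws-us-gov:sns:us-gov-west-1:111122223333:audit-failure-alerts"
HEALTHY_TRAIL = {"IsLogging": True}
FAILING_TRAIL = {"IsLogging": True, "LatestDeliveryError": "AccessDenied"}
ALARMS = {"MetricAlarms": [{"AlarmName": "CloudTrail-DeliveryFailure",
                            "ActionsEnabled": True, "AlarmActions": [TOPIC]}]}
CONFIRMED = {TOPIC: {"Subscriptions": [
    {"Protocol": "email", "SubscriptionArn": TOPIC + ":0a1b2c3d-constructed"}]}}
PENDING = {TOPIC: {"Subscriptions": [
    {"Protocol": "email", "SubscriptionArn": "PendingConfirmation"}]}}

if __name__ == "__main__":
    for name, args in [("healthy", (HEALTHY_TRAIL, ALARMS, CONFIRMED)),
                       ("failing", (FAILING_TRAIL, ALARMS, PENDING))]:
        print(name, au5_findings(*args) or "no findings")
```

The pending-subscription case is the one most often missed: the alarm and topic exist, but no designated role would receive the alert.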

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AU-5 (Response To Audit Logging Process Failures)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AU-5?
  • How frequently is the AU-5 policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AU-5?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AU-5 requirements.
  • What automated tools, systems, or technologies are deployed to implement AU-5?
  • How is AU-5 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AU-5 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AU-5?
  • What audit logs, records, reports, or monitoring data validate AU-5 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AU-5 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AU-5 compliance?
