NIST Special Publication 800-171: Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations.
"All Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017 or risk losing their DoD contracts."
3.3.1 - Create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity.
cmdReporter generates and stores this information by default.
3.3.2 - Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
All cmdReporter events include the following attribution details:
- Originating user account
- Effective user account for event
- Originating IP address of the SSH connection
- Machine UUID
- Machine MAC address
- Machine serial number
3.3.3 - Review and update audited events.
cmdReporter stores audit events in JSON to facilitate collection by security and log aggregation tools.
cmdReporter has direct log collection support for:
- More in development
3.3.4 - Alert in the event of an audit process failure.
cmdReporter will log any errors to the audit system or cmdReporter itself.
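The three claims above (every event carries the listed attribution details, events are stored as JSON, and audit failures are surfaced rather than hidden) are the kind of thing an assessor will ask you to demonstrate. The script below is an added example, not cmdReporter's own code: it reads newline-delimited JSON audit records, reports any line that cannot be parsed (an audit process failure in the sense of 3.3.4), flags any event missing or blank on one of the six attribution fields from 3.3.2, and groups commands by originating and effective user so a reviewer can see who acted as whom. The JSON key names and the sample records are assumptions constructed for this example; verify them against records from your own deployment before relying on the check.

```python
import json

# Attribution fields the page says every cmdReporter event carries.
# The JSON key names are an assumption for this example (cmdReporter's
# real schema may differ); the descriptions are the page's own wording.
REQUIRED_ATTRIBUTION = {
    "originating_user": "Originating user account",
    "effective_user": "Effective user account for event",
    "source_ip": "Originating IP address of the SSH connection",
    "machine_uuid": "Machine UUID",
    "machine_mac": "Machine MAC address",
    "machine_serial": "Machine serial number",
}

# Constructed sample records, one JSON object per line. The third record is
# deliberately missing its machine serial and has an empty effective user;
# the fourth line is deliberately not JSON at all.
SAMPLE_LOG = """\
{"timestamp":"2018-01-05T10:12:00Z","event":"command","command":"sudo cat /etc/sudoers","originating_user":"alice","effective_user":"root","source_ip":"10.0.0.5","machine_uuid":"UUID-0001","machine_mac":"aa:bb:cc:dd:ee:01","machine_serial":"SERIAL0001"}
{"timestamp":"2018-01-05T10:12:07Z","event":"command","command":"ls -la","originating_user":"alice","effective_user":"alice","source_ip":"10.0.0.5","machine_uuid":"UUID-0001","machine_mac":"aa:bb:cc:dd:ee:01","machine_serial":"SERIAL0001"}
{"timestamp":"2018-01-05T10:13:00Z","event":"command","command":"rm -rf /tmp/build","originating_user":"bob","effective_user":"","source_ip":"10.0.0.9","machine_uuid":"UUID-0002","machine_mac":"aa:bb:cc:dd:ee:02"}
this line is not JSON
"""


def parse_events(raw):
    """Parse newline-delimited JSON audit records.

    Undecodable lines are returned as (line_number, error) failures rather
    than silently dropped: 3.3.4 asks that audit process failures be alerted
    on, and a record that cannot be read is exactly such a failure.
    """
    events, failures = [], []
    for lineno, line in enumerate(raw.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError as exc:
            failures.append((lineno, str(exc)))
    return events, failures


def check_attribution(events):
    """Return (event_index, [missing_fields]) for every event that lacks any
    attribution field or carries it empty. Such an event cannot be uniquely
    traced to a user, which is what 3.3.2 requires."""
    findings = []
    for idx, ev in enumerate(events):
        missing = [key for key in REQUIRED_ATTRIBUTION if not ev.get(key)]
        if missing:
            findings.append((idx, missing))
    return findings


def actions_by_user(events):
    """Group commands by (originating user, effective user) so a reviewer can
    see privilege use per account; this is the view accountability review
    needs when the originating and effective accounts differ."""
    table = {}
    for ev in events:
        key = (ev.get("originating_user"), ev.get("effective_user"))
        table.setdefault(key, []).append(ev.get("command"))
    return table


if __name__ == "__main__":
    events, failures = parse_events(SAMPLE_LOG)
    for lineno, err in failures:
        print(f"AUDIT FAILURE: line {lineno} is not a valid record ({err})")
    for idx, missing in check_attribution(events):
        names = ", ".join(REQUIRED_ATTRIBUTION[k] for k in missing)
        print(f"event {idx} cannot be attributed, missing: {names}")
    for (orig, eff), cmds in actions_by_user(events).items():
        print(f"{orig} acting as {eff or '<none>'}: {cmds}")
```

Run against the sample it reports one unparseable line, one event with two missing attribution fields, and three user/effective-user groupings. Pointing `parse_events` at a real export instead of `SAMPLE_LOG` turns this into a quick evidence check for 3.3.2 and 3.3.4 during a self-assessment.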
3.3.5 - Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
3.3.6 - Provide audit reduction and report generation to support on-demand analysis and reporting.
3.3.7 - Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
3.3.8 - Protect audit information and audit tools from unauthorized access, modification, and deletion.
3.3.9 - Limit management of audit functionality to a subset of privileged users.
3.6.1 - Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
3.6.2 - Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.
3.13.1 - Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
3.14.6 - Monitor the information system including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
3.14.7 - Identify unauthorized use of the information system.