NIST 800-171 • LEVEL 2 • AUDIT AND ACCOUNTABILITY
3.3.8 — Protection of Audit Information
Protect audit information and audit logging tools from unauthorized access, modification, and deletion. Authorize access to management of audit logging functionality to only a subset of privileged users or roles.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- access to management of audit logging functionality is authorized to only a subset of privileged users or roles.
- audit information is protected from unauthorized access, modification, and deletion.
- audit logging tools are protected from unauthorized access, modification, and deletion.
Practitioner Notes
Your audit logs are evidence — if someone can tamper with them, they can cover their tracks. Logs need to be protected from deletion or modification, and only a very small group should have admin access to the logging system.
Example 1: On your Windows servers, set NTFS permissions on the C:\Windows\System32\winevt\Logs folder so that only the SYSTEM account and your dedicated log admin group have access. Remove the "Everyone" and "Users" groups. Via GPO at Computer Configuration → Windows Settings → Security Settings → Event Log → Security Log, set "Restrict guest access to Security log" to Enabled.
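A PowerShell script for the Windows side of Example 1, added here as an illustration and not part of the original page. It assumes a placeholder domain group CONTOSO\LogAdmins as the dedicated log admin group and a hypothetical helper name Test-AuditLogAcl; it also keeps NT SERVICE\EventLog on the ACL, because the Windows Event Log service writes the .evtx files under that identity, and adds an audit entry (SACL) so attempts to modify or delete the store are themselves logged.

```powershell
# Added example (not from the page): apply and verify the Example 1 ACL on one server.
# Run in an elevated PowerShell session on the server being hardened.
$LogDir    = 'C:\Windows\System32\winevt\Logs'
$LogAdmins = 'CONTOSO\LogAdmins'   # placeholder: your dedicated log admin group

# Identities allowed on the log store. NT SERVICE\EventLog is the Windows Event Log
# service's own identity; it writes the .evtx files, so removing it stops logging.
$Keep = @('NT AUTHORITY\SYSTEM', 'NT SERVICE\EventLog', $LogAdmins)

$acl = Get-Acl -Path $LogDir -Audit
# Stop inheriting from System32 so Users/Everyone cannot come back via the parent,
# then drop every explicit entry and grant only the identities in $Keep.
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
foreach ($id in $Keep) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
# Make tampering visible: audit any attempt by anyone to delete or write in the store.
# Needs the "File System" object-access subcategory enabled (auditpol below).
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Delete,DeleteSubdirectoriesAndFiles,WriteData,AppendData',
    'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')))
Set-Acl -Path $LogDir -AclObject $acl
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Verification check (hypothetical helper name): report any identity outside $Keep
# and whether inheritance is still blocked. Suitable for a scheduled compliance run.
function Test-AuditLogAcl {
    param([string]$Path = $LogDir, [string[]]$Allowed = $Keep)
    $current    = Get-Acl -Path $Path
    $unexpected = @($current.Access |
        Where-Object { $Allowed -notcontains $_.IdentityReference.Value })
    [pscustomobject]@{
        Path       = $Path
        Protected  = $current.AreAccessRulesProtected
        Unexpected = @($unexpected | ForEach-Object {
            '{0}: {1}' -f $_.IdentityReference, $_.FileSystemRights })
        Pass       = ($unexpected.Count -eq 0) -and $current.AreAccessRulesProtected
    }
}
Test-AuditLogAcl | Format-List
# The Security channel also carries its own access descriptor, separate from NTFS:
wevtutil gl Security | Select-String '^channelAccess'
```

At scale the same ACL belongs in Group Policy under Computer Configuration → Windows Settings → Security Settings → File System, so it is re-applied on every policy refresh rather than set once by hand.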
Example 2: In your SIEM, restrict admin access to the logging platform itself. In Splunk, go to Settings → Access Controls → Roles and create a read-only "auditor" role for reviewers and reserve the "admin" role for only 1-2 designated logging administrators. Enable Splunk's audit trail under Settings → System → Audit so any changes to the SIEM configuration are themselves logged and tamper-evident.