NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-12 Audit Record Generation

a. Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: param, au-12_odp.01 }};

b. Allow {{ insert: param, au-12_odp.02 }} to select the event types that are to be logged by specific components of the system; and

c. Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3).

Supplemental Guidance

Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.

Practitioner Notes

Your systems must actually generate audit records for the events you identified in AU-2. This control is the implementation step: turning on the logging on each system.

Example 1: Apply your audit policy via GPO to all Windows systems. Verify it is working by running auditpol /get /category:* on a sample of systems and confirming the audit categories match your policy. If they do not match, check for conflicting GPOs using gpresult /r.

Example 2: On Linux systems, verify that auditd is running and the rules file (/etc/audit/audit.rules) contains your required rules. Run auditctl -l to list active rules and systemctl status auditd to confirm the service is running. Check that logs are being written to /var/log/audit/audit.log.
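The rule check from Example 2 can be scripted. The following is an added example, not part of the NIST text or the original notes: it lists every required rule that has no exact match in a saved `auditctl -l` listing. The function names, the sample rules and the baseline file are assumptions, and the baseline must be written in the form `auditctl -l` prints rules, which can differ from the rules file (for example, a key may be shown as `-F key=...`).

```shell
#!/bin/sh
# Added example: list required audit rules absent from `auditctl -l` output.
# On a live host (as root): auditctl -l > active.txt
#                           missing_rules required.rules active.txt

# Strip comments and blank lines, collapse whitespace, de-duplicate.
normalize_rules() {
    sed -e 's/#.*$//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' | grep -v '^$' | sort -u
}

# missing_rules REQUIRED_FILE ACTIVE_FILE
# Prints each required rule with no exact match in the active set.
# Returns 0 when every required rule is loaded, 1 otherwise.
missing_rules() {
    _active=$(normalize_rules < "$2")
    _missing=$(normalize_rules < "$1" | while IFS= read -r _rule; do
        printf '%s\n' "$_active" | grep -Fxq -e "$_rule" || printf '%s\n' "$_rule"
    done)
    [ -z "$_missing" ] && return 0
    printf '%s\n' "$_missing"
    return 1
}

# Constructed sample data: a hypothetical baseline and a captured listing
# in which the /etc/shadow watch was never loaded.
sample_check() {
    _dir=$(mktemp -d) || return 2
    cat > "$_dir/required.rules" <<'EOF'
# identity files (hypothetical baseline)
-w /etc/passwd -p wa -k identity
-w /etc/shadow   -p wa -k identity
-a always,exit -F arch=b64 -S execve -F key=exec
EOF
    cat > "$_dir/active.txt" <<'EOF'
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -F key=exec
EOF
    _rc=0
    missing_rules "$_dir/required.rules" "$_dir/active.txt" || _rc=$?
    rm -rf "$_dir"
    return "$_rc"
}
```

A non-zero exit status with a printed rule means the running configuration does not yet generate records for an event type you committed to in AU-2.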