NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-14(1) — System Start-up
Initiate session audits automatically at system start-up.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
The automatic initiation of session audits at startup helps to ensure that the information being captured on selected individuals is complete and not subject to compromise through tampering by malicious threat actors.
Practitioner Notes
Begin session auditing at system startup so that even boot-time activities are captured. Attackers sometimes target the boot process to avoid detection.
Example 1: Configure Windows audit policy to start logging at boot. The Windows Security Event Log service starts with the OS, so events are captured from the moment the system comes up. Verify by checking for Event ID 4608 (Windows is starting up) in the Security log after each reboot.
Example 2: In Linux, configure auditd to start at boot with systemctl enable auditd and add audit=1 to the kernel boot parameters in /etc/default/grub. This ensures audit events are captured from the earliest point in the boot process, before normal services start.
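A check for the Linux settings in Example 2, added here as an example and not part of the original guidance. The function names are illustrative, and the sample inputs in any test run are constructed.

```shell
#!/bin/sh
# Added example: verify the boot-time audit settings from Example 2.
# Function names are illustrative and not taken from any tool.

# True if a kernel command line string contains the exact token audit=1.
cmdline_has_audit() {
    case " $1 " in *" audit=1 "*) return 0 ;; esac
    return 1
}

# True if an uncommented GRUB_CMDLINE_LINUX* line in a grub defaults file
# carries audit=1. Commented-out lines start with '#' and never match.
grub_has_audit() {
    [ -r "$1" ] || return 1
    while IFS= read -r line; do
        case "$line" in
            GRUB_CMDLINE_LINUX*=*)
                val=$(printf '%s' "${line#*=}" | tr -d "\"'")
                cmdline_has_audit "$val" && return 0
                ;;
        esac
    done < "$1"
    return 1
}

# Live checks against this host; returns non-zero if any check fails.
boot_audit_report() {
    rc=0
    if cmdline_has_audit "$(cat /proc/cmdline 2>/dev/null)"; then
        echo "PASS running kernel booted with audit=1"
    else
        echo "FAIL audit=1 missing from /proc/cmdline"; rc=1
    fi
    if grub_has_audit /etc/default/grub; then
        echo "PASS /etc/default/grub sets audit=1"
    else
        echo "FAIL /etc/default/grub does not set audit=1"; rc=1
    fi
    if command -v systemctl >/dev/null 2>&1 &&
       [ "$(systemctl is-enabled auditd 2>/dev/null)" = "enabled" ]; then
        echo "PASS auditd enabled at boot"
    else
        echo "FAIL auditd not enabled at boot"; rc=1
    fi
    return $rc
}

# Run the live checks only when asked, so the functions can be sourced.
if [ "${1:-}" = "--check" ]; then boot_audit_report; fi
```

Checking /proc/cmdline confirms that audit=1 reached the running kernel, which the grub defaults file alone does not show.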