NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-2(4) Privileged Functions

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

This enhancement was incorporated into AC-6(9). The concept is that the use of privileged functions should be logged. See AC-6(9) for implementation details.

Example 1: On Windows, configure Advanced Audit Policy to log Privilege Use → Audit Sensitive Privilege Use for Success and Failure. This captures events when users exercise sensitive privileges such as "Act as part of the operating system", "Debug programs", or "Take ownership".

Example 2: On Linux, ensure sudo logging is configured. Verify that /etc/sudoers includes the line Defaults log_input, log_output, logfile=/var/log/sudo.log. Forward the sudo logs to your SIEM and create an alert for any sudo usage outside of normal maintenance windows.
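The alert described in Example 2, sketched as an added example that is not part of the original page: it parses the file written by logfile=/var/log/sudo.log and returns sudo entries that fall outside a maintenance window. The window (Saturday 01:00-05:00), the year argument, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, time

# Assumption: the approved maintenance window is Saturday 01:00-05:00 local time.
MAINT_WEEKDAY, MAINT_START, MAINT_END = 5, time(1, 0), time(5, 0)  # Monday=0

# Constructed sample in the format sudo writes to its logfile= target (not real data).
# Long entries wrap onto indented continuation lines; TSID appears with I/O logging.
SAMPLE_LOG = """\
Mar  2 02:10:44 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ;
    TSID=000001 ; COMMAND=/usr/bin/systemctl restart nginx
Mar  2 09:15:30 : dave : TTY=pts/3 ; PWD=/root ; USER=root ; TSID=000002 ;
    COMMAND=/usr/sbin/useradd svc-backup
Mar  5 14:37:09 : bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; TSID=000003 ;
    COMMAND=/usr/bin/vi /etc/shadow
Mar  6 23:58:01 : carol : 3 incorrect password attempts ; TTY=pts/2 ;
    PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
"""

ENTRY = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d) : (\S+) : (.*)$")

def parse_sudo_log(text, year):
    """Yield one dict per entry; sudo omits the year unless log_year is set."""
    entries = []
    for line in text.splitlines():
        if line[:1].isspace() and entries:   # indented line continues the previous entry
            entries[-1] += " " + line.strip()
        elif line.strip():
            entries.append(line.rstrip())
    for raw in entries:
        m = ENTRY.match(raw)
        if not m:
            continue                         # skip lines that are not sudo entries
        stamp, user, rest = m.groups()
        head, _, command = rest.partition("COMMAND=")
        parts = [p.strip() for p in head.split(";") if p.strip()]
        fields = dict(p.split("=", 1) for p in parts if "=" in p)
        # A part without '=' is sudo's failure message (e.g. bad password attempts).
        denied = next((p for p in parts if "=" not in p), None)
        when = datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")
        yield {"when": when, "user": user, "runas": fields.get("USER"),
               "command": command.strip(), "denied": denied}

def alerts(text, year):
    """Return entries whose timestamp falls outside the maintenance window."""
    def in_window(t):
        return t.weekday() == MAINT_WEEKDAY and MAINT_START <= t.time() < MAINT_END
    return [e for e in parse_sudo_log(text, year) if not in_window(e["when"])]

if __name__ == "__main__":
    for e in alerts(SAMPLE_LOG, 2024):
        print(e["when"], e["user"], e["command"], e["denied"] or "")
```

In a SIEM the same logic becomes a scheduled query; the `denied` field is kept so failed attempts can be triaged separately from successful commands.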