NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-9 Protection of Audit Information

Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, modification, or deletion of audit information.

CMMC Practice Mapping

NIST 800-171 Mapping

Supplemental Guidance

Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.

Practitioner Notes

Protect your audit logs from unauthorized modification or deletion. If an attacker can delete the logs that show their activity, you lose your ability to detect and investigate the breach.

Example 1: Set NTFS permissions on your Windows Security Event Log files so that only the SYSTEM account and your security team can read them. Regular users and even standard IT admins should not have access to modify or clear security logs. Via GPO, restrict who can clear the Security log under Security Settings → Local Policies → User Rights Assignment → "Manage auditing and security log".

Example 2: Forward all logs to your SIEM in real time. Even if an attacker gains admin access to a system and clears the local logs, the copies in your SIEM are preserved. Configure your SIEM's storage with separate credentials from your general AD domain so that a domain compromise does not also compromise your logs.
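The alerting half of the control, applied to the SIEM copy described in Example 2, as an added example that is not part of the NIST text or any product's code: it flags a Security log clear (Event ID 1102) by an account outside an allowlist, an audit policy change (Event ID 4719), and gaps in per-host record numbers, which indicate records removed locally before they were forwarded. The event dictionaries and the field names `host`, `record_id`, `event_id` and `subject` are constructed assumptions about what a forwarder ships.

```python
"""Tamper detection over a SIEM's copy of forwarded Windows Security events.

Added example, not part of the NIST text. The event dicts below are constructed
to mimic fields a forwarder would ship (host, record id, event id, subject).
"""
from collections import defaultdict

LOG_CLEARED = 1102           # Security log: "The audit log was cleared"
AUDIT_POLICY_CHANGED = 4719  # Security log: "System audit policy was changed"


def detect_log_tampering(events, authorized_accounts):
    """Return alert strings for clears by unauthorized accounts, audit policy
    changes, and gaps in per-host record ids (records deleted before forwarding)."""
    alerts = []
    by_host = defaultdict(list)
    for ev in events:
        host = ev["host"]
        by_host[host].append(ev["record_id"])
        if ev["event_id"] == LOG_CLEARED and ev["subject"] not in authorized_accounts:
            alerts.append(f"{host}: Security log cleared by unauthorized account {ev['subject']}")
        elif ev["event_id"] == AUDIT_POLICY_CHANGED:
            alerts.append(f"{host}: audit policy changed by {ev['subject']}")
    # Forwarded record ids should be contiguous per host; a hole means local deletion.
    for host, ids in by_host.items():
        ids.sort()
        for prev, cur in zip(ids, ids[1:]):
            if cur - prev > 1:
                alerts.append(f"{host}: {cur - prev - 1} record(s) missing between {prev} and {cur}")
    return alerts


# Constructed sample: srv-a is healthy; srv-b shows a gap, a policy change and a clear.
SAMPLE_EVENTS = [
    {"host": "srv-a", "record_id": 100, "event_id": 4624, "subject": "alice"},
    {"host": "srv-a", "record_id": 101, "event_id": 4672, "subject": "alice"},
    {"host": "srv-b", "record_id": 500, "event_id": 4624, "subject": "bob"},
    {"host": "srv-b", "record_id": 504, "event_id": 4719, "subject": "bob"},
    {"host": "srv-b", "record_id": 505, "event_id": 1102, "subject": "bob"},
]

if __name__ == "__main__":
    # "secops-svc" stands in for the account your security team uses for sanctioned clears.
    for alert in detect_log_tampering(SAMPLE_EVENTS, {"secops-svc"}):
        print("ALERT:", alert)
```

Run it against a real SIEM export by mapping your forwarder's field names onto the four keys used here; the allowlist should hold only the accounts permitted by the "Manage auditing and security log" right from Example 1.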