GSA-TTS / FAC

GSA's Federal Audit Clearinghouse

ATO artifact request: AU controls #3905

Closed danswick closed 3 weeks ago

danswick commented 1 month ago

Most of these requirements will be satisfied during the walkthrough with GSA IT.

### AU-2: Event Logging
- [ ] **What event types is the system capable of logging in support of the audit function**:
  - [x] Successful and unsuccessful account logon events
  - [ ] Account management events: _may need additional logging for admin events like editing a staff user's permissions in Django_.
  - [x] Object access. _Inherited from cloud.gov_.
  - [ ] Policy change. _Tracked in version control_.
  - [ ] Privilege functions: _similar to account mgmt events, may need additional logging in NR, added to Django admin panel_. https://gsa-tts.slack.com/archives/C071CETUBM1/p1717437955802809
  - [x] Process tracking
  - [x] System events. _Captured by cloud.gov_.
- [ ] **For web application**:
  - [ ] Administrator activities. _Logged internally in Django, but not shipped to NR yet_. https://github.com/GSA-TTS/FAC/issues/3908
  - [x] Authentication checks. _Demonstrated in NR_.
  - [x] Authorization checks. _Demonstrated in NR ("`x` new audits added")_.
  - [x] ~~Data deletions~~. _We don't currently delete any data_.
  - [x] Access changes. _Demonstrated in Django admin panel_.
  - [x] Permission changes. _Demonstrated in Django admin panel/NR_.
- [x] What SIEM tool is used by the system for audit log analysis and reporting? _New Relic with some cloud.gov filled in. Log shipping to GSA is waiting on GSA approval_.
- [ ] Demonstrate how the operations team generates and distributes audit reports for the following event types:
  - [ ] Account management (new account creation, enabling, modification, disabling, deletion or removal)
  - [ ] Successful and unsuccessful logon attempts
  - [ ] Privileged activities or other system-level access
  - [ ] User role modification
  - [ ] API calls to AWS account
  - [x] From AWS logs: Account updates within CloudTrail, Service usage events within CloudWatch/CloudTrail. _Inherited from cloud.gov_.
- [ ] Provide rationale for why the event types selected for logging are deemed to be adequate to support after the fact investigation of incidents
- [ ] Do you review and update the event types selected for logging annually or when there’s change in the system? Provide evidence
### AU-3: Content of Audit Records
- [x] Demonstrate the use of cloud.gov, django, ~~dockerhub~~ (**need to remove from SSPP**), github, new relic and AWS CloudTrail to capture types of event logged, timestamps, source of events, outcome, and identity of individuals or objects associated with the event
- [x] Which role or group of users have access to the audit logs
- [x] Do audit records contain events performed by privileged and non-privileged users?
### AU-3(1): Content of Audit Records | Additional Audit Information
- [x] Demonstrate that audit records contain additional information such as session, connection, transaction, or activity duration.
### AU-3 (3): Content of Audit Records | Limit Personally Identifiable Information Elements
- [x] ~~No PII included in audit records~~
### AU-4: Audit Storage Capacity
- [x] Do you provision adequate storage space/capacity for audit logs in accordance with GSA IT Security Guidelines? _Inherited from cloud.gov_.
- [x] Demonstrate how New Relic is used to provision adequate storage space for the logs kept in New Relic per SLA. _Inherited from GSA_.
- [x] Where are the logs for the system kept? _Inherited from cloud.gov and GSA_.
- [ ] Document inherited control by sharing cloud.gov compliance documentation: https://cloud.gov/docs/compliance/logging-requirements/
### AU-5: Response to Audit Processing Failures
- [ ] Does the system alert administrators in the event of an audit logging process failure? Provide evidence:  https://github.com/GSA-TTS/FAC/issues/3915
- [ ] What action is taken?
### AU-6: Audit Record Review, Analysis, and Reporting
- [ ] Demonstrate how FAC team reviews and analyzes the system audit records on a regular basis for unusual activities and its impact
- [ ] Provide evidence of report or email notification sent to ISSM, ISSO, and SO for inappropriate or unusual activity during regular audit review
- [ ] Demonstrate how the team regularly adjusts the level of audit record logging as new risk and intelligence information is released
### AU-6(1): Audit Record Review, Analysis, and Reporting | Automated Process Integration
- [ ] What tool is used to integrate audit record review, analysis, and reporting? Demonstrate the automated process integration - **link to New Relic agent initialization in FAC app**
### AU-6(3): Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories
- [ ] Demonstrate how you analyze and correlate audit records across different repositories to gain organization-wide situational awareness 
### AU-6(4): Audit Record Review, Analysis, and Reporting | Central Review and Analysis
- [ ] Demonstrate the ability to centrally review and analyze audit records from multiple components within the system - **screenshot of various entities reporting to New Relic**
### AU-7: Audit Record Reduction and Report Generation
- [ ] Walk us through how kibana dashboard is used to provide audit record reduction and report generation on-demand
- [ ] How do you restrict access to logs in kibana?
- [ ] Does the kibana dashboard alter the content of logs and the timestamps?
### AU-7(1): Audit Record Reduction and Report Generation | Automatic Processing
- [ ] Demonstrate how Cloud.gov audit logger is used to process, sort, and search the audit records for events of interest based on the source IP, destination IP, account names, and timestamps
### AU-8: Time Stamps
- [x] Display internal system clock for timestamps on audit records from Cloud.gov, new relic, and AWS
### AU-9: Protection of Audit Information
- [ ] Demonstrate how you protect against unauthorized access, modification, and deletion of audit records and logs. Access to the audit records or logs is granted only to approved users and tools
- [ ] Provide evidence of an alert sent to the Governance Board when unauthorized access, modification, or deletion of logs and audit record is detected 
### AU-9(4): Protection of Audit Information | Access by Subset of Privileged Users
- [ ] Which privileged user role or group is responsible for the management of audit logging functionality? Demonstrate it
### AU-11: Audit Record Retention
- [ ] What is the audit record retention period for the system (online and cold storage)? Demonstrate it - https://gsa-tts.slack.com/archives/C071CETUBM1/p1717436226513869

danswick commented 3 weeks ago

According to the tracking doc managed by the assessment team, there are no outstanding AC artifact requests.