Requirements for Audit Log for Data Changes

[MaeganWood64]

• As of 10/19/23 the requirements for audit log data changes have not been analyzed and confirmed by the EPA. CVP started the requirements anaylsis process. You can find the started requirments at the following link.

• https://usepa.sharepoint.com/:w:/r/sites/CAMDCVPTeam/Shared%20Documents/Tech/Audit%20Log/EASEY%20Requirements%20for%20Audit%20Event%20Logging.docx?d=w72fca1cd69c241dc84b9339e1ec87b69&csf=1&web=1&e=TFWoqh

Next steps:

• complete requirements analysis
• Decompese tickets into the backlog

Needs to be implemented before performance testing.

[MaeganWood64]

• Out of Scope for March Beta

[JanellC]

Need requirements for what needed to be audited. Mike H will send over requirements . Requirements will be sent week of 5/29

[JanellC]

Aiming to work on this after the ECMPS BETA functionality is completed

[JanellC]

@JanellC add requirements to this ticket for whoever picks this ticket up

[mark-hayward-erg]

@maheese Is this covered by #6246, or does additional logging need to be defined in this ticket (or other new tickets)?

[maheese]

@maheese Is this covered by #6246, or does additional logging need to be defined in this ticket (or other new tickets)?

6246 was intended to cover AC-6(9) which just deals with privileged functions. In our case we are defining these as any action that requires ECMPS Admin. Privileged audit records are called out separately in the controls.

This ticket was created to cover general audit requirements. Since this ticket was initially created we have received additional guidance on what event types need to have audit records. Here's what was provided:

• User Authentication (Success/Failure)
• User Access of Application Components
  • File and Object Access
  • Audit Log Access (Success/Failure)
  • System Access (Failure)
  • Application Transactions
• Transaction Logs
• System Performance and Operational Characteristics
  • Resource Utilization
  • Errors (Input Validation, Disallowed Operations) and Exit Codes
  • Process Status
  • Service Status Changes (e.g., Started, Stopped)
• Application Configuration and Version, Middleware Configuration and Version
• Usage Information, if Applicable
• User Request and Response Events, if Applicable

For each event we are supposed to be capturing:

• What type of event occurred
• When the event occurred
• Where the event occurred (component, system, etc.)
• Source of the event
• Outcome of the event
• Identity of any individuals, subjects, or objects/entities associated with the event.

We should have a discussion and come to a consensus on what these mean for our system and then create additional tickets to implement.