Open maheese opened 4 months ago
Need to document the full list of ECMPS Admin actions that need to be logged.
Admin Function | Info | Message |
---|---|---|
QA/Cert Data Maintenance | Type: Test Summary, Cert Events, TEE; Actions: Require Resubmission, Delete | “QA/Cert [Type] for [Facility Name/ID], [State], [MP Locations], [Unit/StackPipe ID], [System/Component ID] [Action in past tense: “Deleted” / “resubmission required”] by [user] on [datetime]. Additional information: [Test Number], [Test Type Code], [Reporting Period], [Begin Date / Time], [End Date / Time], [Record ID].” |
Error Suppression | Actions: Add, Clone, Deactivate | “Error Suppression for [Facility Name/ID], [State], [Locations] [Action in past tense] by [user] on [datetime]. Additional information: [Result], [Severity], [Status], [Add Date & Hour], [Update Date], [Criteria], [Reason], [Record ID].” |
Emission Submission Access | Actions: Open, Extend, Close, Approve | “Emission submission window for [Facility Name/ID], [State], [MP Location(s)] [Action in past tense] by [user] on [datetime]. Additional information: [Reporting Period], [Reporting Frequency], [Status], [Open Date], [Close Date], [Emission Status], [Last Submission ID], [Record ID].” |
NIST 800-53 Rev 5 (AC-6(9)) requires logging the execution of privileged functions.
Information to Include
Implementation Notes: In ECMPS, we are defining privileged functions as anything that requires the "ECMPS Admin" role. The log should contain the function, the user, the date and time. These logs need to be sent to Splunk. In Cloud.gov, this means the log is written to standard out and the application is configured with a log drain.
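One way to emit these records, as an added sketch that is not part of the original issue or the ECMPS code base: a builder that accepts only the function/action pairs from the table, fills the shared message template, and writes one JSON line to standard out for the log drain. All identifiers, the JSON field names, the sample values, and the past-tense forms other than "Deleted" and "resubmission required" are assumptions.

```typescript
// Added example; every identifier here is hypothetical, not ECMPS code.
interface Spec { subject: string; actions: Record<string, string> } // action -> past tense

// Functions and actions are from the table above. Past-tense forms other than
// "Deleted" and "resubmission required" are assumed wording.
const ADMIN_FUNCTIONS: Record<string, Spec> = {
  "QA/Cert Data Maintenance": {
    subject: "QA/Cert", // the [Type] placeholder is passed in `additional` here
    actions: { "Require Resubmission": "resubmission required", Delete: "Deleted" },
  },
  "Error Suppression": {
    subject: "Error Suppression",
    actions: { Add: "Added", Clone: "Cloned", Deactivate: "Deactivated" },
  },
  "Emission Submission Access": {
    subject: "Emission submission window",
    actions: { Open: "Opened", Extend: "Extended", Close: "Closed", Approve: "Approved" },
  },
};

// Builds one single-line JSON audit record carrying the function, user and date/time.
function buildAdminAuditRecord(
  fn: string, action: string, user: string, when: Date,
  target: string, additional: Record<string, string>,
): string {
  const spec = ADMIN_FUNCTIONS[fn];
  if (!spec || !Object.prototype.hasOwnProperty.call(spec.actions, action)) {
    throw new Error(`Not a logged admin action: ${fn} / ${action}`);
  }
  const timestamp = when.toISOString(); // UTC, so Splunk does not have to guess a zone
  const info = Object.keys(additional).map((k) => `${k}: ${additional[k]}`).join(", ");
  // JSON.stringify escapes CR/LF, so free text such as [Reason] cannot split the
  // record into extra lines on its way through a line-based log drain.
  return JSON.stringify({
    event: "admin_action", function: fn, action, user, timestamp,
    message: `${spec.subject} for ${target} ${spec.actions[action]} by ${user} on ${timestamp}. Additional information: ${info}.`,
  });
}

// Writes the record to standard out, where the configured log drain forwards it.
function logAdminAction(...args: Parameters<typeof buildAdminAuditRecord>): string {
  const line = buildAdminAuditRecord(...args);
  console.log(line);
  return line;
}

// Constructed sample call (facility, user and record values are made up).
logAdminAction("Error Suppression", "Deactivate", "jdoe", new Date("2024-01-02T03:04:05Z"),
  "Example Plant/1, AL, Unit 1", { Reason: "Obsolete check", "Record ID": "42" });
```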