The Joint Air Force, Army, Navy (JAFAN) Manual for Protecting Special Access Program (SAP) Information within Information Systems manual establishes the security policy and procedures for storing, processing, and communicating classified DoD SAP information in information systems. Safeguards shall be applied such that (1) individuals are held accountable for their actions; (2) information is accessed only by authorized individuals* and processes; (3) information is used only for its authorized purpose(s); (4) information retains its content integrity; (5) information is available to satisfy mission requirements; and (6) information is appropriately marked and labeled

Appropriate security measures shall be implemented to ensure the confidentiality, integrity, and availability of that information.

Requirement: (Audit1) 4.B.1.b(2)(a) Provide the capability to ensure that all audit records include enough information to allow the ISSO to determine the date and time of action (e.g., common network time), the system locale of the action, the system entity that initiated or completed the action, the resources involved, and the action involved.

Solution: EventTracker stores all received audit records in the EventVault, a secure, centralized and controlled compressed archive. Each file in the archive is striped with a SHA-1 checksum. Audit records are stored in their original form and preserve all information.

Requirement: (Audit1) 4.B.1.b(2)(b) Protect the contents of audit trails against unauthorized access, modification, or deletion.

Solution: Audit logs within the EventVault are subject to periodic integrity checks (this can also be performed manually on demand); access to archives fro reporting purposes automatically invoke the integrity check to validate results.

Requirement: (Audit1) 4.B.1.b(2)(c) Maintain collected audit data at least 5 years and reviewing at least weekly.

Solution: EventTracker stores all received audit records in the EventVault, a secure, centralized and controlled compressed archive. This mechanism make use of any available storage visible to the host platform. Archives are compressed flat files and may be retained for any length of time. They may also be backed up to any storage media including tape for offline storage. Reports can be scheduled for delivery within the dashboard or to an external mailbox on a daily/weekly schedule including daily.

Requirement: (Audit1) 4.B.1.b(2)(d) The system’s creating and maintaining an audit trail that includes selected records of: Successful and unsuccessful logons and logoffs, Accesses to security-relevant objects and directories, including opens, closes, modifications, and deletions, Activities at the system console (either physical or logical consoles), and other system-level accesses by privileged users.

Solution: EventTracker includes a wide variety of knowledge packs which are used to process inbound logs. These packs are used for alerting and reporting and cover logon/off from Cisco, Windows, VMware, Unix/Linux, Oracle/MS SQL, Juniper, Netscreen, Active Directory etc. Access to security relevant objects on Solaris (BSM), Windows, Linux and various Unix flavors is supported. Privileged user access reports are available as are alerts on direct access to console.

Requirement: (Audit2) 4.B.2.a(5)(a) Individual accountability (i.e., unique identification of each user and association of that identity with all auditable actions taken by that individual).

Solution: EventTracker stores audit logs in their original format, preserving unique identification Flexible reporting sorted by user, action or system within a time-frame is provided.

Requirement: (Audit3) 4.B.2.a(6) At the discretion of the DAA, audit procedures that include the existence and use of audit reduction and analysis tools.

Solution: This requirement explicitly authorizes the use of EventTracker to satisfy DCID 6/3.

Requirement: (Audit4) 4.B.3.a(7) An audit trail, created and maintained by the IS, that is capable of recording changes to the mechanism’s list of user formal access permissions. (Note: Applicable only if the (Access3) access control mechanism is automated.)

Solution: EventTracker records all logged changes to user permissions at both the Active Directory and individual server/workstation level and reports on such changes,

Requirement: (Audit5) 4.B.3.a(8) (a) Individual accountability (i.e., unique identification of each user and association of that identity with all auditable actions taken by that individual).

Solution: EventTracker stores audit logs in their original format, preserving unique ideitification. Flexible reporting sorted by user, action or system within a timeframe is provided.

Requirement: (Audit6) 4.B.4.a(9) (a) Enforcement of the capability to audit changes in security labels.

Solution: Security labels are usually applied to folders or directories, specific db tables or the entire db or Groups in Active Directory. In all of these cases, changes to the contents can be logged and therefore tracked/reported by EventTracker.

Requirement: (Audit6) 4.B.4.a(9) (b) Enforcement of the capability to audit accesses or attempted accesses to objects or data whose labels are inconsistent with user privileges.

Solution: EventTracker includes reports and alerts for “access denied” conditions. A comparison against user provided whitelist to determine consistent access is also available.

Requirement: (Audit6) 4.B.4.a(9) (c ) Enforcement of the capability to audit all program initiations, information downgrades and overrides, and all other security-relevant events (specifically including identified events that may be used in the exploitation of covert channels).

Solution: EventTracker can track the start/stop of all or a white or black list of applications; it also detects software install/removal attempts. Security-relevant events include any event that would cause a deleterious change in the system or its environment; the Change Audit feature is specifically designed for such requirements.

Requirement: (Audit7) 4.B.4.a(9) (a) The capability of the system to monitor occurrences of, or accumulation of, auditable events that may indicate an imminent violation of security policies.

Solution: EventTracker includes a correlation engine which is easily configured to support this requirement. A common example is a bruteforce password guess attempt which results in a large number of login failures from the same IP address source.

Requirement: (Audit7) 4.B.4.a(9) (b) The capability of the system to notify the ISSO of suspicious events and taking the least-disruptive action to terminate the suspicious events.

Solution: EventTracker includes a prioritization scheme which is governed by risk; elements are configurable and this is used to notify ISSOs of out-of-ordinary or new behavior or known alert conditions.

Requirement: (Audit8) 4.B.5.a(9) (a) Individual accountability (i.e., unique identification of each user and association of that identity with all auditable actions taken by that individual).

Solution: EventTracker stores audit logs in their original format, preserving unique ideitification. Flexible reporting sorted by user, action or system within a timeframe is provided.

Requirement: (Audit9) 4.B.5.a(10) (a) The capability of the system to monitor, in real-time, occurrences of, or accumulation of, auditable events that may indicate an imminent violation of security policies.

Solution: EventTracker includes a correlation engine which is easily configured to support this requirement. A common example is a bruteforce password guess attempt which results in a large number of login failures from the same IP address source.

Requirement: (Audit9) 4.B.5.a(10) (b) The capability of the system to notify the ISSO of suspicious events and taking the least-disruptive action to terminate the suspicious event.

Solution: EventTracker includes a prioritization scheme which is governed by risk; elements are configurable and this is used to notify ISSOs of out-of-ordinary or new behavior or known alert conditions.

Requirement: [Change1] 5.B.3.a(2) (a) Mechanisms that notify users of the time and date of the last change in data content.

Solution: The EventTracker Change Audit feature is specifically designed for such requirements.

Requirement: [Change1] 5.B.3.a(2) (b) Procedures and technical system features to assure that changes to the data or to security-related items are Executed only by authorized personnel.

Solution: EventTracker tracks all changes to critical data or security items and can alert on unauthorized access.

Requirement: [Change2] 5.B.3.a(3) (a) A secure, unchangeable audit trail that will facilitate the correction of improper data changes.

Solution: EventTracker stores all received audit records in the EventVault, a secure, centralized and controlled compressed archive. Each file in the archive is striped with a SHA-1 checksum. Audit records are stored in their original form and preserve all information.