Identity & Audit

Audit Log Compliance Checker

Confirms the audit daemon is running, the right events are captured, and the timestamps will hold up.

Covered practices · NIST SP 800-171 Rev 2

  • 3.3.1 Create and retain audit logs (Primary)
  • 3.3.2 Individual user accountability (Primary)
  • 3.3.5 Audit review correlation
  • 3.3.7 Clock synchronization with authoritative sources
  • 3.3.8 Protect audit information

6 required 3.3.1 audit categories verified per host.

The problem

Logging compliance gaps are silent. The daemon stops, the log fills up and overwrites, the rules get cleared on a kernel upgrade, and the contractor only notices when an assessor asks for evidence of activity from six months ago. By then the logs are gone, 3.3.1 is a 5-point finding, and the entire audit family becomes harder to defend on every other control.

The required event categories under 3.3.1 are not optional. Authentication, privilege escalation, account management, time changes, network configuration changes, and kernel module loading: each must be captured, and each needs its own audit rule. Most contractor systems have some of them. Few have all of them. None know which until they run a coverage check.

Time synchronization is the underrated half of the family. An audit log is only evidence if the timestamps are right. Drift of more than a single second invalidates correlation across hosts, and 3.3.7 specifically requires synchronization with authoritative sources. NTP being installed is not the same as NTP being synced, so the agent measures the actual offset rather than trusting configuration.

What CMMC requires

NIST SP 800-171 Rev 2 controls this agent verifies. Primary mappings drive the gap assessment; secondary mappings provide supporting evidence in the SSP.

Primary mapping
NIST 3.3.1: Create and retain audit logs

Verifies the audit daemon is running, captures the required event categories, and retains logs for the operational and investigation window CMMC requires.

NIST 3.3.2: Individual user accountability

Confirms the captured events include the user identity necessary to trace actions back to individuals: privilege escalation, account changes, and authentication events.

Secondary mapping
NIST 3.3.5: Audit review correlation

Detects whether logs are forwarded to a central collector; correlation across hosts requires it.

NIST 3.3.7: Clock synchronization with authoritative sources

Verifies NTP is running and reports actual measured offset, not just whether it is configured.

NIST 3.3.8: Protect audit information

Audits log-file permissions, immutable mode (auditctl -e 2), and log directory placement for protection against unauthorized access or modification.


How it works

Per-platform detection logic. The agent runs unprivileged where possible and falls back gracefully when raw access is unavailable.

Linux

Checks systemctl is-active auditd and is-enabled. Parses /etc/audit/auditd.conf for log_format, max_log_file, num_logs, and overflow_action. Scans /etc/audit/audit.rules and /etc/audit/rules.d/ for required rule categories: file watches on /etc/passwd, /etc/shadow, /etc/sudoers, sudo and su execution, useradd/usermod/userdel, time syscalls, and kernel module operations. Verifies rsyslog or audisp-remote forwarding configuration, and runs chronyc tracking or ntpq -p to report actual measured NTP offset.
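The Linux checks above (auditd.conf parsing, rule coverage for the six 3.3.1 categories, configured retention capacity, and the measured chrony offset) can be reproduced offline. The block below is an added example, not the agent's own code: the rule patterns are an assumed baseline modelled on common CIS-style audit rules, the auditd.conf, audit.rules and chronyc tracking inputs are constructed samples, and the observed log age is passed in by the caller because the agent reports retention from real log ages rather than configured maxima.

```python
import re

# Required 3.3.1 event categories and the audit-rule patterns that satisfy them.
# Assumed baseline modelled on CIS-style rules; not the product's own rule set.
REQUIRED_CATEGORIES = {
    "authentication":       [r"-w\s+/var/log/(faillog|lastlog|tallylog)\b", r"-w\s+/etc/pam\.d\b"],
    "privilege_escalation": [r"path=/usr/bin/(sudo|su)\b", r"-w\s+/etc/sudoers\b"],
    "account_management":   [r"path=/usr/sbin/user(add|mod|del)\b",
                             r"-w\s+/etc/(passwd|shadow|group|gshadow)\b"],
    "time_changes":         [r"-S\s+\S*(adjtimex|settimeofday|clock_settime)\b", r"-w\s+/etc/localtime\b"],
    "network_config":       [r"-S\s+\S*(sethostname|setdomainname)\b", r"-w\s+/etc/(hosts|hostname)\b"],
    "kernel_modules":       [r"-S\s+\S*(init_module|finit_module|delete_module)\b",
                             r"-w\s+/sbin/(insmod|rmmod|modprobe)\b"],
}
RETENTION_DAYS_REQUIRED = 90      # DFARS 7012(c) investigation window named on the page
MAX_OFFSET_MS = 1000.0            # forensic-correlation threshold named on the page


def parse_auditd_conf(text):
    """Parse 'key = value' lines of auditd.conf into a dict; comments and blanks skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip().lower()] = value.strip()
    return conf


def active_rules(text):
    """Non-comment, non-empty rule lines from audit.rules or a rules.d/*.rules file."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def coverage_table(rules_text):
    """Map each required 3.3.1 category to True if any active rule matches one of its patterns."""
    rules = active_rules(rules_text)
    return {cat: any(re.search(p, r) for p in pats for r in rules)
            for cat, pats in REQUIRED_CATEGORIES.items()}


def configured_capacity_mb(conf):
    """Disk capacity the rotation settings allow: max_log_file (MB) x num_logs.
    This is the configured maximum, not the measured retention the agent reports."""
    try:
        return int(conf.get("max_log_file", 0)) * int(conf.get("num_logs", 0))
    except ValueError:
        return 0


def chrony_offset_ms(tracking_output):
    """Measured system clock offset in ms from 'chronyc tracking' output (positive = fast).
    Returns None when the line is absent (chrony not running or not installed)."""
    m = re.search(r"System time\s*:\s*([0-9.]+) seconds (fast|slow) of NTP time", tracking_output)
    if not m:
        return None
    ms = float(m.group(1)) * 1000.0
    return ms if m.group(2) == "fast" else -ms


def findings(conf, rules_text, tracking_output, observed_log_days):
    """Produce (severity, title) findings matching the page's finding list.
    observed_log_days is the age of the oldest retained log, measured by the caller."""
    out = []
    if conf.get("overflow_action", "").upper() == "IGNORE":
        out.append(("CRITICAL", "auditd overflow_action set to IGNORE"))
    cov = coverage_table(rules_text)
    if not cov["privilege_escalation"]:
        out.append(("HIGH", "Missing privilege escalation audit rules"))
    missing = [c for c, ok in cov.items() if not ok and c != "privilege_escalation"]
    if missing:
        out.append(("HIGH", "Missing 3.3.1 audit rules: " + ", ".join(missing)))
    if observed_log_days < RETENTION_DAYS_REQUIRED:
        out.append(("HIGH", "Audit log retention below 90 days"))
    offset = chrony_offset_ms(tracking_output)
    if offset is None:
        out.append(("HIGH", "NTP offset not measurable"))
    elif abs(offset) > MAX_OFFSET_MS:
        out.append(("HIGH", "Clock offset greater than 1 second"))
    return out


# Constructed sample inputs for a stand-alone run (not captured from a real host).
SAMPLE_CONF = """\
log_file = /var/log/audit/audit.log
log_format = ENRICHED
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
overflow_action = IGNORE
"""
SAMPLE_RULES = """\
# identity and account management
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a always,exit -F path=/usr/sbin/useradd -F perm=x -F auid>=1000 -F auid!=unset -k account
# privilege escalation
-w /etc/sudoers -p wa -k scope
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
# authentication
-w /var/log/faillog -p wa -k logins
# kernel modules
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules
"""
SAMPLE_TRACKING = ("Reference ID    : A9FEA9FE (ntp.example.test)\n"
                   "System time     : 1.734 seconds slow of NTP time\n")

if __name__ == "__main__":
    conf = parse_auditd_conf(SAMPLE_CONF)
    print("coverage:", coverage_table(SAMPLE_RULES))
    print("configured capacity MB:", configured_capacity_mb(conf))
    for sev, title in findings(conf, SAMPLE_RULES, SAMPLE_TRACKING, observed_log_days=42):
        print(f"{sev:8} {title}")
```

Run on a real host, the three inputs would come from /etc/audit/auditd.conf, the concatenated rules.d/ tree, and chronyc tracking; the sample is deliberately missing time-change and network-configuration rules so the coverage table shows a gap in two of the six categories.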

Windows

Runs auditpol /get /category:* and verifies each required Security category is set to Success and Failure where 800-171 demands it. Parses Get-WinEvent -ListLog Security for max size and overflow action, flagging any Security log smaller than 196608 KB (192 MB STIG minimum). Runs w32tm /query /status to verify NTP source and last sync, and checks Windows Event Forwarding subscription configuration so central correlation gaps surface immediately.
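The auditpol and Security-log-size checks above, as an added example that is not the agent's own code. It parses the English-locale text layout of auditpol /get /category:* (indented subcategory rows, unindented category rows), compares each required subcategory against an assumed baseline modelled on STIG-style settings (not the product's own table), and applies the 196608 KB Security log minimum from the text. The auditpol output is a constructed sample.

```python
import re

# Required Security subcategories and the minimum setting each needs.
# Assumed baseline modelled on STIG-style requirements, not the product's own table.
REQUIRED_SUBCATEGORIES = {
    "Logon":                     "Success and Failure",
    "Account Lockout":           "Failure",
    "User Account Management":   "Success and Failure",
    "Security Group Management": "Success",
    "Sensitive Privilege Use":   "Success and Failure",
    "Security State Change":     "Success",   # subcategory that carries system time changes
    "Audit Policy Change":       "Success",
}
SECURITY_LOG_MIN_KB = 196608   # 192 MB STIG minimum named on the page
SETTINGS = ("No Auditing", "Success", "Failure", "Success and Failure")


def parse_auditpol(text):
    """Parse 'auditpol /get /category:*' output into {subcategory: setting}.
    Subcategory rows are indented; header and category rows are not."""
    policy = {}
    for line in text.splitlines():
        if not line.startswith("  "):
            continue                              # header or category row
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) == 2 and parts[1] in SETTINGS:
            policy[parts[0]] = parts[1]
    return policy


def satisfies(actual, required):
    """True if the configured setting captures everything the required setting does."""
    if actual == "Success and Failure":
        return True
    if required == "Success and Failure":
        return False
    return actual == required                     # required is "Success" or "Failure"


def policy_gaps(policy):
    """(subcategory, required, actual) for every required subcategory not met;
    a subcategory absent from the output is reported with actual == 'missing'."""
    gaps = []
    for sub, required in REQUIRED_SUBCATEGORIES.items():
        actual = policy.get(sub, "missing")
        if actual == "missing" or not satisfies(actual, required):
            gaps.append((sub, required, actual))
    return gaps


def security_log_finding(max_size_kb):
    """HIGH finding when the Security log maximum is below the STIG minimum, else None."""
    if max_size_kb < SECURITY_LOG_MIN_KB:
        return ("HIGH", f"Security log max size {max_size_kb} KB below {SECURITY_LOG_MIN_KB} KB minimum")
    return None


# Constructed sample output (not captured from a real host).
SAMPLE_AUDITPOL = """\
System audit policy
Category/Subcategory                      Setting
System
  Security State Change                   Success
  Security System Extension               No Auditing
Logon/Logoff
  Logon                                   Success
  Account Lockout                         Failure
Account Management
  User Account Management                 Success and Failure
  Security Group Management               No Auditing
Privilege Use
  Sensitive Privilege Use                 Success and Failure
Policy Change
  Audit Policy Change                     Success and Failure
"""

if __name__ == "__main__":
    policy = parse_auditpol(SAMPLE_AUDITPOL)
    for sub, req, act in policy_gaps(policy):
        print(f"HIGH  {sub}: required {req}, found {act}")
    print(security_log_finding(20480))   # 20 MB default-sized log
```

The sample policy audits Logon for Success only, so failed logons (the half an assessor asks about first) are not captured, and Security Group Management is off entirely; both surface as gaps without any PowerShell dependency.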

macOS

Checks launchctl list com.apple.auditd to confirm the daemon is loaded and running. Parses /etc/security/audit_control for audit classes, flags, expiration, and minimum free space, then reports each category against the 3.3.1 coverage baseline so missing classes appear inline.
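The audit_control parsing described above, as an added example rather than the agent's own code. It expands the flags list using the prefix rules of audit_control(5) (+ success only, - failure only, no prefix both, leading ^ deselects), honours the all wildcard, and reports which modes each required class is missing. The class-to-category mapping is an assumed baseline (lo, aa, ad, nt), not the product's coverage baseline, and the audit_control text is a constructed sample shaped like the stock file.

```python
import re

# Audit classes an assumed 3.3.1 baseline expects captured for both success and failure.
# Assumed mapping, not the product's baseline:
# lo = login/logout, aa = authentication/authorization, ad = administrative, nt = network.
REQUIRED_CLASSES = {
    "lo": "authentication",
    "aa": "authentication",
    "ad": "account and privilege management",
    "nt": "network configuration",
}


def parse_audit_control(text):
    """Parse 'key:value' lines of /etc/security/audit_control into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf


def parse_flags(flags):
    """Expand a flags list into {class: set of 'success'/'failure'} captured.
    '+cls' success only, '-cls' failure only, 'cls' both; a leading '^' deselects."""
    selected = {}
    for token in filter(None, flags.split(",")):
        deselect = token.startswith("^")
        token = token.lstrip("^")
        if token.startswith("+"):
            modes, cls = {"success"}, token[1:]
        elif token.startswith("-"):
            modes, cls = {"failure"}, token[1:]
        else:
            modes, cls = {"success", "failure"}, token
        current = selected.get(cls, set())
        selected[cls] = (current - modes) if deselect else (current | modes)
    return selected


def captured_modes(selected, cls):
    """Modes captured for a class, including anything granted by the 'all' wildcard."""
    return selected.get(cls, set()) | selected.get("all", set())


def class_coverage(conf):
    """Map each required class to the modes it is missing (empty set = fully covered)."""
    selected = parse_flags(conf.get("flags", ""))
    return {cls: {"success", "failure"} - captured_modes(selected, cls)
            for cls in REQUIRED_CLASSES}


def expire_after_mb(conf):
    """Size component of expire-after in MB ('10M' -> 10.0, '2G' -> 2048.0);
    None when the setting is absent or time-based (e.g. '30d')."""
    m = re.fullmatch(r"(\d+)([KMG])", conf.get("expire-after", "").upper())
    if not m:
        return None
    return int(m.group(1)) * {"K": 1 / 1024, "M": 1.0, "G": 1024.0}[m.group(2)]


# Constructed sample, shaped like the stock macOS file (not captured from a real host).
SAMPLE_AUDIT_CONTROL = """\
# audit_control (constructed sample)
dir:/var/audit
flags:lo,aa,ad,fd,fm,-all
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
"""

if __name__ == "__main__":
    conf = parse_audit_control(SAMPLE_AUDIT_CONTROL)
    for cls, missing in class_coverage(conf).items():
        state = "covered" if not missing else "missing " + ",".join(sorted(missing))
        print(f"{cls} ({REQUIRED_CLASSES[cls]}): {state}")
    print("expire-after MB:", expire_after_mb(conf))
```

With the sample flags, nt is captured only through -all, so successful network events are not audited and the class shows as missing success; that is exactly the kind of inline gap the coverage table is meant to surface.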

What it finds

Concrete findings written to the assessor's mental model, not abstract categories. Severity drives POA&M priority and SPRS deduction.

  • CRITICAL
    auditd not running
    No audit logs are being generated. Direct 3.3.1 violation: every activity on the host is unattributable.
  • CRITICAL
    auditd overflow_action set to IGNORE
    When the audit queue fills, events are silently dropped. Logs become unreliable evidence under load.
  • HIGH
    Missing privilege escalation audit rules
    Audit rules do not include execve with euid=0 watch or sudo/su execution rules. Privilege escalation events are not captured.
  • HIGH
    Audit log retention below 90 days
    max_log_file × num_logs is below the 90-day window required for incident investigation under DFARS 7012(c).
  • HIGH
    Audit log directory world-readable
    /var/log/audit/ permissions allow non-admin users to read audit logs. 3.3.8 protection-of-audit-information violation.
  • HIGH
    Clock offset greater than 1 second
    Live NTP query shows clock drift exceeding the threshold for forensic correlation. Audit log timestamps cannot be relied on.
  • MEDIUM
    No remote log forwarding configured
    Logs are local-only. A compromised host can wipe its own audit trail before detection; central correlation is not possible.

SPRS impact

3.3.1 is a 3-point control, 3.3.2 is 3 points, 3.3.5 is 3 points, 3.3.7 is 1 point, and 3.3.8 is 3 points, but logging-family findings cluster aggressively. A system with auditd off and no NTP loses points on at least four of these simultaneously, and the assessor will note that audit gaps make every other control harder to verify. Total exposure in this family routinely runs 8 to 13 points on first scan, and the contractor often cannot remediate retroactively because the missing logs no longer exist.

How it hooks into the platform

Tolerance auto-discovers each host's audit subsystem and runs daemon, rule, retention, and NTP-offset checks on a cadence the platform sets. Findings can stay on-prem or sync up; you pick at install. The log_coverage object drafts the SSP's audit and accountability section as a coverage table mapping every required 3.3.1 category to captured-or-not. Retention is reported from actual log ages, not configured maxima, so the SSP cites a defensible number. POA&M items name the audit rule needed; a cleared rule between scans is treated as an incident indicator.

How we know it's working

Acceptance criteria from the engineering spec: what the agent must do to ship.

  • Audits both /etc/audit/audit.rules and the rules.d/ tree per host
  • Inspects Windows audit policy without depending on PowerShell
  • Reports retention from actual log ages, never estimated maxima
  • Returns measured NTP offset in milliseconds, not configured intent
  • Runs unprivileged on Linux for the majority of audit checks
  • Always emits the structured 3.3.1 coverage table per host
  • Detects both rsyslog and audisp-remote forwarding configurations

Run this agent against your environment.

Book a 30-minute scoping call. We'll deploy the agent on your systems and walk through the findings together.
