NIST 800-53 REV 5 • ACCESS CONTROL
AC-6(9) — Log Use of Privileged Functions
Log the execution of privileged functions.
Supplemental Guidance
The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat.
Practitioner Notes
Every time someone uses a privileged function — sudo, Run as Administrator, or a session checked out through a PAM tool — the system must log it, so that there is a complete trail of who did what with elevated access, including attempts that were denied.
Example 1: On Windows, configure Advanced Audit Policy via GPO at Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy → Privilege Use → Audit Sensitive Privilege Use, set to log both Success and Failure; this subcategory produces Event IDs 4673 and 4674. Event ID 4672 (special privileges assigned to a new logon) comes from Logon/Logoff → Audit Special Logon, so enable that subcategory as well. Forward Event IDs 4672, 4673, and 4674 to your SIEM; 4673 and 4674 are high-volume, so filter or aggregate them in the SIEM rather than disabling the subcategory.
Example 2: On Linux, use visudo to ensure /etc/sudoers includes Defaults logfile=/var/log/sudo.log and Defaults log_input, log_output, so that every sudo command is recorded together with the full input and output of the session. Note that the command records go to the logfile (and to syslog, which sudo uses by default), while the input/output transcripts are written as binary session logs under the I/O log directory (/var/log/sudo-io by default) and are not shipped by a text log forwarder. Forward the command logs to your central SIEM using rsyslog or the Splunk Universal Forwarder; for the session transcripts, sudo 1.9 and later can relay them centrally with sudo_logsrvd.
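An added example, not from NIST or the sudo project, that turns the command records produced by the Example 2 configuration into structured events a SIEM can count and alert on, covering both allowed commands and denials; the log lines it parses are constructed samples.

```python
"""Normalize sudo log lines into structured privileged-use events for a SIEM.

Handles the syslog form ("... sudo:    user : TTY=...") and the `Defaults logfile`
form ("... : user : TTY=..."), for allowed commands and for denials such as
"command not allowed" or "3 incorrect password attempts".
"""
import re

FIELD_RE = re.compile(r"^(TTY|PWD|USER|COMMAND)=(.*)$")

# Constructed sample lines for demonstration; not taken from a real host.
SAMPLE_LINES = [
    "Mar 10 14:22:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd",
    "Mar 10 14:23:10 : bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow",
    "Mar 10 14:25:42 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=postgres ; COMMAND=/usr/bin/psql",
    "Mar 10 14:26:03 : carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash",
]


def parse_sudo_line(line):
    """Return an event dict (user, outcome, reason, tty, pwd, target_user,
    command), or None when the line is not a sudo command record."""
    segments = [s.strip() for s in line.split(" ; ")]
    # The first segment ends with "<user> : <TTY=... or denial reason>".
    head, sep, first = segments[0].rpartition(" : ")
    if not sep or not head.split():
        return None
    segments[0] = first
    event = {"user": head.split()[-1], "outcome": "allowed", "reason": None}
    for i, seg in enumerate(segments):
        m = FIELD_RE.match(seg)
        if not m:
            # A segment that is not KEY=value is sudo's denial reason.
            event["outcome"], event["reason"] = "denied", seg
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "command":
            # COMMAND is always last; re-join it if the command itself contained " ; ".
            event["command"] = " ; ".join([value] + segments[i + 1:])
            break
        event["target_user" if key == "user" else key] = value
    return event if "command" in event else None


def summarize(lines):
    """Count allowed and denied privileged invocations per invoking user."""
    counts = {}
    for event in filter(None, map(parse_sudo_line, lines)):
        counts.setdefault(event["user"], {"allowed": 0, "denied": 0})[event["outcome"]] += 1
    return counts
```

The binary session transcripts written by log_input and log_output are not text and are outside what this parser handles.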