NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-9(7) Store on Component with Different Operating System

Store audit information on a component running a different operating system than the system or component being audited.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Storing auditing information on a system component running a different operating system reduces the risk of a vulnerability specific to the system, resulting in a compromise of the audit records.

Practitioner Notes

Store audit records on a component running a different operating system than the systems being audited. If an exploit targets Windows, the same exploit cannot reach the copies of your logs held on a Linux SIEM server.

Example 1: If your production environment is Windows-based, run your SIEM on Linux (Splunk on RHEL, Elastic on Ubuntu). An attacker who exploits a Windows vulnerability cannot reuse the same technique against your Linux-based log store.

Example 2: Forward Windows event logs to a cloud-based SIEM (Microsoft Sentinel runs on Azure's underlying Linux infrastructure). The cloud platform's operating system and security controls are entirely different from your on-premises Windows environment, providing OS diversity for your log storage.