Page 144 - CISSO_Prep_ Guide
Accounting / Auditing
Accounting, or auditing, is tracking and monitoring all the
activity on a system and being able to associate that activity with
the entity that performed it. This is one reason that
user IDs must be unique and able to be linked to an individual
person or process. The accounting process creates a log of all
activities that can be used for investigations, review, and training
purposes.
The logs should record all activity on the system: all
administrative changes made, login attempts, and any
errors that occurred on the system. Since the logs will often
contain sensitive information or reports on improper activity, the
logs should be protected from unauthorized access or
modification. Even administrators should not have the authority
to change log files.
Some organizations will use clipping levels to reduce the
amount of data in a log. A clipping level sets a threshold for
activity and will not record repeated errors or take action until a
certain threshold has been reached. For example, a user who
tries to log in with the wrong password will not be locked out
after only one attempt, but will instead be allowed to try three or
four times before the account is locked out.
In this case, the threshold is set to represent the difference
between normal human error and what could be a malicious
attack. A user should be able to log in correctly within three or
four tries. If they cannot, then it is probable that they will not
remember their password. This saves the helpdesk from too
many random password reset requests just because someone
mistyped their password once or twice.
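A clipping level applied to a stream of login events, as an added example that is not part of the guide. The event format, the threshold of 3, the 10-minute counting window and the name `apply_clipping_level` are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

CLIPPING_LEVEL = 3      # assumed threshold: failures below this count as human error
WINDOW_SECONDS = 600    # assumed window in which failures are counted

# Constructed sample events: (unix_time, user_id, outcome)
SAMPLE_EVENTS = [
    (1000, "alice", "FAIL"),
    (1010, "alice", "OK"),     # mistyped once, then succeeded: below the clipping level
    (1020, "bob", "FAIL"),
    (1030, "bob", "FAIL"),
    (1040, "bob", "FAIL"),     # third failure inside the window: threshold reached
    (1050, "bob", "FAIL"),     # account is already locked
    (1060, "carol", "FAIL"),
    (1900, "carol", "FAIL"),   # the first failure has aged out of the window
    (1910, "carol", "FAIL"),
]

def apply_clipping_level(events, level=CLIPPING_LEVEL, window=WINDOW_SECONDS):
    """Return (audit_records, locked_users) for a time-ordered event stream."""
    failures = defaultdict(deque)   # user_id -> timestamps of recent failures
    locked = set()
    audit = []
    for ts, user, outcome in events:
        if user in locked:
            # Once the threshold is crossed, every attempt is recorded.
            audit.append((ts, user, "ATTEMPT_ON_LOCKED_ACCOUNT"))
            continue
        if outcome == "OK":
            failures[user].clear()  # a successful login resets the count
            continue
        recent = failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop failures older than the window
        if len(recent) >= level:
            locked.add(user)
            audit.append((ts, user, f"LOCKOUT after {len(recent)} failures"))
    return audit, locked

if __name__ == "__main__":
    records, locked_users = apply_clipping_level(SAMPLE_EVENTS)
    for rec in records:
        print(rec)
    print("locked:", sorted(locked_users))
```

Failures below the threshold produce no record at all, which is the log-volume reduction the clipping level is meant to give; because each record carries the user ID, it still ties the activity to one entity.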