5.2 Ensure that remote sessions for accessing security functions and security-relevant information are audited

Information

Remote access to SharePoint security functions (e.g., user management, audit log management, etc.) and security relevant information requires the activity be audited by the organization.
Rationale:
Any remote administrative or security related access to the SharePoint farm must be audited in order to track system activity, assist in diagnosing system issues and provide evidence needed for forensic investigations post security incident. It is also important to verify and validate the security controls that are in place on the platform.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To configure audit settings at the site collection level for each site collection level subject to auditing per organizational requirements:
Navigate to Site Collection Administration:
1. Click on Settings.
2. Click on Site Settings.
3. Click Site collection audit settings.
4. Select the events that are required to be audited.
5. Click OK.

See Also

https://workbench.cisecurity.org/files/2031