800-53|AU-11

Title

AUDIT RECORD RETENTION

Description

The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

Supplemental

Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AU-4,AU-5,AU-9,MP-6

Category: AUDIT AND ACCOUNTABILITY

Family: AUDIT AND ACCOUNTABILITY

Priority: P3

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.2.4.4.3 Set 'System: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled'	Windows	CIS Windows 8 L1 v1.0.0
1.2.4.4.4 Set 'Security: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled'	Windows	CIS Windows 8 L1 v1.0.0
1.2.4.4.6 Set 'System: Maximum Log Size (KB)' to 'Enabled:20480 or greater'	Windows	CIS Windows 8 L1 v1.0.0
1.7.9 - Miscellaneous Enhancements - AIX Auditing - 'cron audit rotation has been implemented'	Unix	CIS AIX 5.3/6.1 L2 v1.1.0
1.10.10 Ensure email logging is configured for critical to emergency	Cisco	CIS Cisco ASA 9.x Firewall L1 v1.1.0
1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed	amazon_aws	CIS Amazon Web Services Foundations L1 3.0.0
2.1.2 Ensure 'Retain deleted items for the specified number of days' is set to '14'	Windows	CIS Microsoft Exchange Server 2019 L1 Mailbox v1.0.0
2.1.3 Ensure all data in Amazon S3 has been discovered, classified and secured when required.	amazon_aws	CIS Amazon Web Services Foundations L2 3.0.0
2.1.5 Ensure 'Keep deleted mailboxes for the specified number of days' is set to '30'	Windows	CIS Microsoft Exchange Server 2019 L1 Mailbox v1.0.0
2.1.6 Ensure 'Do not permanently delete items until the database has been backed up' is set to 'True'	Windows	CIS Microsoft Exchange Server 2019 L1 Mailbox v1.0.0
2.9 (L1) Host must not suppress warnings about unmitigated hyperthreading vulnerabilities	VMware	CIS VMware ESXi 8.0 v1.1.0 L1
18.9.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
18.9.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
18.9.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
18.9.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 Enterprise v3.0.0 L1 + NG
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2019 v3.0.1 L1 DC
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows 11 Enterprise v3.0.0 L1
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 Stand-alone v3.0.0 L1
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 Stand-alone v3.0.0 L1 BL
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows 11 Stand-alone v3.0.0 L1 + BL
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 Enterprise v3.0.0 L1 + BL
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows 11 Enterprise v3.0.0 L1 + BL
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows 11 Stand-alone v3.0.0 L1
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2019 Stand-alone v2.0.0 L1 MS
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 EMS Gateway v3.0.0 L1
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2019 v3.0.1 L1 MS
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2022 v3.0.0 L1 Member Server
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2022 v3.0.0 L1 Domain Controller
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 Stand-alone v3.0.0 L1 NG
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 Enterprise v3.0.0 L1 + BL + NG
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 Enterprise v3.0.0 L1
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 Stand-alone v3.0.0 L1 BL NG
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2016 v3.0.0 L1 DC
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2016 v3.0.0 L1 MS
18.10.56.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2016 STIG v3.0.0 L1 Domain Controller
18.10.56.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2016 STIG v3.0.0 L1 MS
18.10.56.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2019 v3.0.1 L1 DC
18.10.56.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2016 v3.0.0 L1 MS
18.10.56.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2022 v3.0.0 L1 Member Server
18.10.56.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2019 v3.0.1 L1 MS
18.10.56.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2022 v3.0.0 L1 Domain Controller
18.10.56.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2016 v3.0.0 L1 DC
18.10.56.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2019 Stand-alone v2.0.0 L1 MS
18.10.56.3.11.2 Ensure 'Do not use temporary folders per session' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2016 STIG v3.0.0 L1 MS
18.10.56.3.11.2 Ensure 'Do not use temporary folders per session' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2016 STIG v3.0.0 L1 Domain Controller

Detections

Analytics