800-53|AU-11

Title

AUDIT RECORD RETENTION

Description

The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

Supplemental

Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.

Reference Item Details

Related: AU-4,AU-5,AU-9,MP-6

Category: AUDIT AND ACCOUNTABILITY

Family: AUDIT AND ACCOUNTABILITY

Priority: P3

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.1.1.3.1 Set 'Retention method for system log' to 'Overwrites events as needed' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.3.1 Set 'Retention method for system log' to 'Overwrites events as needed' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.3.3 Set 'Retention method for security log' to 'Overwrites events as needed' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.3.3 Set 'Retention method for security log' to 'Overwrites events as needed' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.3.6 Set 'Retention method for application log' to 'Overwrites events as needed' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.3.6 Set 'Retention method for application log' to 'Overwrites events as needed' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.3.7 Configure 'Retain system log' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.3.7 Configure 'Retain system log' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.3.8 Configure 'Retain security log' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.3.8 Configure 'Retain security log' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.3.9 Configure 'Retain application log' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.3.9 Configure 'Retain application log' | Windows | CIS Windows 2003 DC v3.1.0
1.2.4.4.3 Set 'System: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.4.4 Set 'Security: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.4.6 Set 'System: Maximum Log Size (KB)' to 'Enabled:20480 or greater' | Windows | CIS Windows 8 L1 v1.0.0
1.4.2 Application: Retain old events | Windows | CIS Windows 2008 Enterprise v1.2.0
1.4.2 Application: Retain old events | Windows | CIS Windows 2008 SSLF v1.2.0
1.4.4 Security: Retain old events | Windows | CIS Windows 2008 Enterprise v1.2.0
1.4.4 Security: Retain old events | Windows | CIS Windows 2008 SSLF v1.2.0
1.4.6 System: Retain old events | Windows | CIS Windows 2008 Enterprise v1.2.0
1.4.6 System: Retain old events | Windows | CIS Windows 2008 SSLF v1.2.0
1.7.1 Increase the retention time for system.log and secure.log '/var/log/secure.log' | Unix | CIS Apple OSX 10.6 Snow Leopard L2 v1.0.0
1.7.1 Increase the retention time for system.log and secure.log '/var/log/system.log' | Unix | CIS Apple OSX 10.6 Snow Leopard L2 v1.0.0
1.7.9 - Miscellaneous Enhancements - AIX Auditing - 'cron audit rotation has been implemented' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
1.9.7 Configure log file size limit | Unix | CIS Apache Tomcat5.5/6.0 L2 v1.0
1.10.10 Ensure email logging is configured for critical to emergency | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0
1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | amazon_aws | CIS Amazon Web Services Foundations L1 3.0.0
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows 11 Enterprise v3.0.0 L1
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v3.0.0 L1 + NG
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Stand-alone v3.0.0 L1
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2019 v3.0.1 L1 DC
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows 11 Stand-alone v3.0.0 L1 + BL
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Stand-alone v3.0.0 L1 BL
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows 11 Stand-alone v3.0.0 L1
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows 11 Enterprise v3.0.0 L1 + BL
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v3.0.0 L1 + BL
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2019 Stand-alone v2.0.0 L1 MS
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v3.0.0 L1 + BL + NG
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 EMS Gateway v3.0.0 L1
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Stand-alone v3.0.0 L1 NG
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2019 v3.0.1 L1 MS
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2022 v3.0.0 L1 Domain Controller
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2022 v3.0.0 L1 Member Server
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Stand-alone v3.0.0 L1 BL NG
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v3.0.0 L1
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2016 v3.0.0 L1 DC
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2016 v3.0.0 L1 MS
18.10.56.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2019 v3.0.1 L1 DC
18.10.56.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2016 v3.0.0 L1 MS
18.10.56.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2022 v3.0.0 L1 Member Server