800-53|AU-14

Title

SESSION AUDIT

Description

The information system provides the capability for authorized users to select a user session to capture/record or view/hear.

Supplemental

Session audits include, for example, monitoring keystrokes, tracking websites visited, and recording information and/or file transfers. Session auditing activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, or standards.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AC-3,AU-11,AU-4,AU-5,AU-9

Category: AUDIT AND ACCOUNTABILITY

Family: AUDIT AND ACCOUNTABILITY

Priority: P0

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
AIX7-00-002023 - AIX must start audit at boot.	Unix	DISA STIG AIX 7.x v3r1
AOSX-15-001003 - The macOS system must initiate session audits at system startup	Unix	DISA STIG Apple Mac OSX 10.15 v1r10
APPL-13-001003 - The macOS system must produce audit records containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions.	Unix	DISA STIG Apple macOS 13 v1r4
APPL-14-001003 - The macOS system must enable security auditing.	Unix	DISA Apple macOS 14 (Sonoma) STIG v2r2
APPL-15-001003 - The macOS system must enable security auditing.	Unix	DISA Apple macOS 15 (Sequoia) STIG v1r1
AS24-U1-000070 - The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events - log_config_module	Unix	DISA STIG Apache Server 2.4 Unix Server v3r1 Middleware
AS24-U1-000070 - The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events - LogFormat	Unix	DISA STIG Apache Server 2.4 Unix Server v3r1 Middleware
AS24-U1-000070 - The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events.	Unix	DISA STIG Apache Server 2.4 Unix Server v3r1
AS24-W1-000070 - The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events.	Windows	DISA STIG Apache Server 2.4 Windows Server v3r1
AS24-W1-000070 - The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events.	Windows	DISA STIG Apache Server 2.4 Windows Server v2r3
Big Sur - Enable Security Auditing	Unix	NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Enable Security Auditing	Unix	NIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Enable Security Auditing	Unix	NIST macOS Big Sur v1.4.0 - 800-53r4 Low
Big Sur - Enable Security Auditing	Unix	NIST macOS Big Sur v1.4.0 - CNSSI 1253
Big Sur - Enable Security Auditing	Unix	NIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Enable Security Auditing	Unix	NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Enable Security Auditing	Unix	NIST macOS Big Sur v1.4.0 - 800-171
Big Sur - Enable Security Auditing	Unix	NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Enable Security Auditing	Unix	NIST macOS Big Sur v1.4.0 - 800-53r5 Low
Catalina - Enable Security Auditing	Unix	NIST macOS Catalina v1.5.0 - 800-171
Catalina - Enable Security Auditing	Unix	NIST macOS Catalina v1.5.0 - 800-53r4 High
Catalina - Enable Security Auditing	Unix	NIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Enable Security Auditing	Unix	NIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Enable Security Auditing	Unix	NIST macOS Catalina v1.5.0 - CNSSI 1253
Catalina - Enable Security Auditing	Unix	NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Enable Security Auditing	Unix	NIST macOS Catalina v1.5.0 - 800-53r4 Low
Catalina - Enable Security Auditing	Unix	NIST macOS Catalina v1.5.0 - 800-53r5 Low
Catalina - Enable Security Auditing	Unix	NIST macOS Catalina v1.5.0 - 800-53r5 Moderate
CD12-00-008600 - PostgreSQL must initiate session auditing upon startup.	PostgreSQLDB	DISA STIG Crunchy Data PostgreSQL DB v3r1
CISC-L2-000060 - The Cisco switch must be configured for authorized users to select a user session to capture.	Cisco	DISA STIG Cisco NX-OS Switch L2S v3r1
CISC-L2-000070 - The Cisco switch must be configured for authorized users to remotely view, in real time, all content related to an established user session from a component separate from The Cisco switch.	Cisco	DISA STIG Cisco NX-OS Switch L2S v3r1
CNTR-K8-000610 - The Kubernetes API Server must have an audit log path set.	Unix	DISA STIG Kubernetes v2r2
CNTR-R2-000060 Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.	Unix	DISA Rancher Government Solutions RKE2 STIG v2r2
DB2X-00-001000 - DB2 must initiate session auditing upon startup - AUDIT	IBM_DB2DB	DISA STIG IBM DB2 v10.5 LUW v2r1 Database
DB2X-00-001000 - DB2 must initiate session auditing upon startup - CHECKING	IBM_DB2DB	DISA STIG IBM DB2 v10.5 LUW v2r1 Database
DB2X-00-001000 - DB2 must initiate session auditing upon startup - CONTEXT	IBM_DB2DB	DISA STIG IBM DB2 v10.5 LUW v2r1 Database
DB2X-00-001000 - DB2 must initiate session auditing upon startup - EXECUTE	IBM_DB2DB	DISA STIG IBM DB2 v10.5 LUW v2r1 Database
DB2X-00-001000 - DB2 must initiate session auditing upon startup - OBJMAINT	IBM_DB2DB	DISA STIG IBM DB2 v10.5 LUW v2r1 Database
DB2X-00-001000 - DB2 must initiate session auditing upon startup - Review user policies	IBM_DB2DB	DISA STIG IBM DB2 v10.5 LUW v2r1 Database
DB2X-00-001000 - DB2 must initiate session auditing upon startup - SECMAINT	IBM_DB2DB	DISA STIG IBM DB2 v10.5 LUW v2r1 Database
DB2X-00-001000 - DB2 must initiate session auditing upon startup - SYSADMIN	IBM_DB2DB	DISA STIG IBM DB2 v10.5 LUW v2r1 Database
DB2X-00-001000 - DB2 must initiate session auditing upon startup - VALIDATE	IBM_DB2DB	DISA STIG IBM DB2 v10.5 LUW v2r1 Database
DKER-EE-001080 - The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise.	Unix	DISA STIG Docker Enterprise 2.x Linux/Unix UCP v2r2
DKER-EE-001090 - The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set - docker paths	Unix	DISA STIG Docker Enterprise 2.x Linux/Unix v2r2
DKER-EE-001090 - The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set - docker services	Unix	DISA STIG Docker Enterprise 2.x Linux/Unix v2r2
EP11-00-001400 - The EDB Postgres Advanced Server must initiate support of session auditing upon startup.	PostgreSQLDB	EDB PostgreSQL Advanced Server v11 DB Audit v2r4
EPAS-00-001400 - The EDB Postgres Advanced Server must initiate support of session auditing upon startup.	PostgreSQLDB	EnterpriseDB PostgreSQL Advanced Server DB v2r1
FNFG-FW-000155 - The FortiGate firewall must allow authorized users to record a packet-capture-based IP, traffic type (TCP, UDP, or ICMP), or protocol.	FortiGate	DISA Fortigate Firewall STIG v1r3
IIST-SI-000206 - Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled.	Windows	DISA IIS 10.0 Site v2r9
IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events.	Windows	DISA IIS 10.0 Server v2r10

Detections

Analytics