800-53|AU-2

Title

AUDIT EVENTS

Description

The organization:

Supplemental

An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate, in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access, both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of the root causes of problems. Organizations consider, in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures.

Reference Item Details

Related: AC-17, AC-6, AU-12, AU-3, MA-4, MP-2, MP-4, SI-4

Category: AUDIT AND ACCOUNTABILITY

Family: AUDIT AND ACCOUNTABILITY

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1.1 Enable 'aaa new-model' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.1.1.1 Syslog logging should be configured | Palo_Alto | CIS Palo Alto Firewall 11 v1.1.0 L1
1.1.1.1 Syslog logging should be configured | Palo_Alto | CIS Palo Alto Firewall 10 v1.2.0 L1
1.1.1.1 Syslog logging should be configured - configuration | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
1.1.1.1 Syslog logging should be configured - hip match | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
1.1.1.1 Syslog logging should be configured - host | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
1.1.1.1 Syslog logging should be configured - ip-tag | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
1.1.1.1 Syslog logging should be configured - system | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
1.1.1.1 Syslog logging should be configured - user-id | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
1.1.1.2 SNMPv3 traps should be configured | Palo_Alto | CIS Palo Alto Firewall 10 v1.2.0 L2
1.1.1.2 SNMPv3 traps should be configured | Palo_Alto | CIS Palo Alto Firewall 11 v1.1.0 L2
1.1.1.2 SNMPv3 traps should be configured - configuration | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L2
1.1.1.2 SNMPv3 traps should be configured - hip match | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L2
1.1.1.2 SNMPv3 traps should be configured - host | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L2
1.1.1.2 SNMPv3 traps should be configured - ip-tag | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L2
1.1.1.2 SNMPv3 traps should be configured - user-id | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L2
1.1.3 Ensure 'Enable Log on High DP Load' is enabled | Palo_Alto | CIS Palo Alto Firewall 10 v1.2.0 L1
1.1.3 Ensure 'Enable Log on High DP Load' is enabled | Palo_Alto | CIS Palo Alto Firewall 11 v1.1.0 L1
1.1.3 Ensure 'Enable Log on High DP Load' is enabled | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
1.1.3 Ensure auditing is configured for the Docker daemon | Unix | CIS Docker v1.7.0 L1 Docker - Linux
1.1.4.1 exec accounting | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.1.4.2 command accounting | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.1.4.3 network accounting | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.1.4.4 system accounting | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.1.6 Set 'aaa accounting' to log all privileged use commands using 'commands 15' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L2
1.1.6 Set 'aaa accounting' to log all privileged use commands using 'commands 15' | Cisco | CIS Cisco IOS XE 17.x v2.1.0 L2
1.1.8 Set 'aaa accounting exec' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L2
1.1.8 Set 'aaa accounting exec' | Cisco | CIS Cisco IOS XE 17.x v2.1.0 L2
1.1.9 Set 'aaa accounting exec' | Cisco | CIS Cisco IOS 15 L2 v4.1.1
1.1.9 Set 'aaa accounting network' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L2
1.1.9 Set 'aaa accounting network' | Cisco | CIS Cisco IOS XE 17.x v2.1.0 L2
1.1.10 Set 'aaa accounting network' | Cisco | CIS Cisco IOS 15 L2 v4.1.1
1.1.10 Set 'aaa accounting system' | Cisco | CIS Cisco IOS XE 17.x v2.1.0 L2
1.1.10 Set 'aaa accounting system' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L2
1.1.11 Set 'aaa accounting system' | Cisco | CIS Cisco IOS 15 L2 v4.1.1
1.2.1 Ensure AIDE is installed | Unix | CIS Ubuntu Linux 20.04 LTS Server L1 v2.0.1
1.2.1 Ensure AIDE is installed | Unix | CIS Ubuntu Linux 18.04 LTS v2.2.0 L1 Workstation
1.2.1 Ensure AIDE is installed | Unix | CIS Ubuntu Linux 20.04 LTS Workstation L1 v2.0.1
1.2.1 Ensure AIDE is installed | Unix | CIS Ubuntu Linux 18.04 LTS v2.2.0 L1 Server
1.2.1 Ensure AIDE is installed | Unix | CIS Debian 10 Workstation L1 v2.0.0
1.2.1 Ensure AIDE is installed | Unix | CIS Debian 10 Server L1 v2.0.0
1.2.1 Ensure dm-verity is enabled | Unix | CIS Google Container-Optimized OS v1.2.0 L1 Server
1.2.16 Ensure that the --audit-log-path argument is set | Unix | CIS Kubernetes v1.10.0 L1 Master
1.2.18 Ensure that the --audit-log-path argument is set | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.18 Ensure that the --audit-log-path argument is set | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.10.1 Ensure 'logging' is enabled | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0
1.10.2 Ensure 'logging to monitor' is disabled | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0
1.10.3 Ensure 'syslog hosts' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0
1.10.4 Ensure 'logging with the device ID' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0
1.10.5 Ensure 'logging history severity level' is set to greater than or equal to '5' | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0