800-53|AU-3(2)

Title

CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT

Description

The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].

Supplemental

This control enhancement requires that the content to be captured in audit records be configured from a central location (necessitating automation). Organizations coordinate the selection of required audit content to support the centralized management and configuration capability provided by the information system.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AU-6,AU-7

Category: AUDIT AND ACCOUNTABILITY

Parent Title: CONTENT OF AUDIT RECORDS

Family: AUDIT AND ACCOUNTABILITY

Baseline Impact: HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
2.2.4 Set IP address for 'logging host'	Cisco	CIS Cisco IOS 12 L1 v4.0.0
AS24-W1-000700 - An Apache web server that is part of a web server cluster must route all remote management through a centrally managed access control point - mod_proxy	Windows	DISA STIG Apache Server 2.4 Windows Server v2r3
AS24-W1-000700 - An Apache web server that is part of a web server cluster must route all remote management through a centrally managed access control point - ProxyPass	Windows	DISA STIG Apache Server 2.4 Windows Server v2r2
AS24-W1-000700 - An Apache web server that is part of a web server cluster must route all remote management through a centrally managed access control point - ProxyPass	Windows	DISA STIG Apache Server 2.4 Windows Server v2r1
AS24-W1-000700 - An Apache web server that is part of a web server cluster must route all remote management through a centrally managed access control point - ProxyPass	Windows	DISA STIG Apache Server 2.4 Windows Server v2r3
AS24-W2-000560 - The Apache web server must be configured to provide clustering - mod_proxy	Windows	DISA STIG Apache Server 2.4 Windows Site v2r1
AS24-W2-000560 - The Apache web server must be configured to provide clustering - ProxyPass	Windows	DISA STIG Apache Server 2.4 Windows Site v1r3
AS24-W2-000560 - The Apache web server must be configured to provide clustering - ProxyPass	Windows	DISA STIG Apache Server 2.4 Windows Site v2r1
DB2X-00-007300 - DB2 must utilize centralized management of the content captured in audit records generated by all components of DB2.	Unix	DISA STIG IBM DB2 v10.5 LUW v2r1 OS Linux
DB2X-00-007300 - DB2 must utilize centralized management of the content captured in audit records generated by all components of DB2.	Unix	DISA STIG IBM DB2 v10.5 LUW v1r4 OS Linux
DB2X-00-007300 - DB2 must utilize centralized management of the content captured in audit records generated by all components of DB2.	Windows	DISA STIG IBM DB2 v10.5 LUW v1r4 OS Windows
DB2X-00-007300 - DB2 must utilize centralized management of the content captured in audit records generated by all components of DB2.	Windows	DISA STIG IBM DB2 v10.5 LUW v2r1 OS Windows
EP11-00-007700 - The EDB Postgres Advanced Server must utilize centralized management of the content captured in audit records generated by all components of the EDB Postgres Advanced Server.	PostgreSQLDB	EDB PostgreSQL Advanced Server v11 DB Audit v2r4
EP11-00-007800 - The EDB Postgres Advanced Server must provide centralized configuration of the content to be captured in audit records generated by all components of the EDB Postgres Advanced Server.	PostgreSQLDB	EDB PostgreSQL Advanced Server v11 DB Audit v2r4
GEN002870 - The system must be configured to send audit records to a remote audit server - '/boot/grub/grub.conf audit=1'	Unix	DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit
GEN002870 - The system must be configured to send audit records to a remote audit server - '/etc/audisp/plugins.d/syslog.conf active=yes'	Unix	DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit
GEN002870 - The system must be configured to send audit records to a remote audit server - '/etc/rsyslog.conf contains . @<server>'	Unix	DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit
GEN002870 - The system must be configured to send audit records to a remote audit server - '/etc/security/audit/config streammode=on'	Unix	DISA STIG AIX 5.3 v1r2
GEN002870 - The system must be configured to send audit records to a remote audit server - '/etc/security/audit/config streammode=on'	Unix	DISA STIG AIX 6.1 v1r14
GEN002870 - The system must be configured to send audit records to a remote audit server - '/etc/security/audit/streamcmds is configured'	Unix	DISA STIG AIX 5.3 v1r2
GEN002870 - The system must be configured to send audit records to a remote audit server - '/etc/security/audit/streamcmds is configured'	Unix	DISA STIG AIX 6.1 v1r14
GEN002870 - The system must be configured to send audit records to a remote audit server - '/etc/syslog.conf contains . @<server>'	Unix	DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit
GEN002870 - The system must be configured to send audit records to a remote audit server - '/etc/syslog.conf has been configured'	Unix	DISA STIG AIX 6.1 v1r14
GEN002870 - The system must be configured to send audit records to a remote audit server - '/etc/syslog.conf has been configured'	Unix	DISA STIG AIX 5.3 v1r2
GEN002870 - The system must be configured to send audit/system records to a remote audit server - '/boot/grub/grub.conf audit=1'	Unix	DISA STIG for Oracle Linux 5 v2r1
GEN002870 - The system must be configured to send audit/system records to a remote audit server - '/etc/audisp/plugins.d/syslog.conf active=yes'	Unix	DISA STIG for Oracle Linux 5 v2r1
GEN002870 - The system must be configured to send audit/system records to a remote audit server - 'contains . @<server>'	Unix	DISA STIG for Oracle Linux 5 v2r1
GEN005450 - The system must use a remote syslog server (log host).	Unix	DISA STIG AIX 6.1 v1r14
GEN005450 - The system must use a remote syslog server (log host).	Unix	DISA STIG AIX 5.3 v1r2
GEN005450 - The system must use a remote syslog server (loghost) - rsyslog.conf	Unix	DISA STIG for Oracle Linux 5 v2r1
GEN005450 - The system must use a remote syslog server (loghost) - rsyslog.conf	Unix	DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit
GEN005450 - The system must use a remote syslog server (loghost) - syslog.conf	Unix	DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit
GEN005450 - The system must use a remote syslog server (loghost) - syslog.conf	Unix	DISA STIG for Oracle Linux 5 v2r1
MADB-10-007100 - MariaDB must utilize centralized management of the content captured in audit records generated by all components of the DBMS.	MySQLDB	DISA MariaDB Enterprise 10.x v2r1 DB
MADB-10-007200 - MariaDB must provide centralized configuration of the content to be captured in audit records generated by all components of the DBMS.	MySQLDB	DISA MariaDB Enterprise 10.x v2r1 DB
MD3X-00-000040 - MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.	Unix	DISA STIG MongoDB Enterprise Advanced 3.x v2r3 OS
MD3X-00-000600 - MongoDB must utilize centralized management of the content captured in audit records generated by all components of MongoDB.	Unix	DISA STIG MongoDB Enterprise Advanced 3.x v2r3 OS
MD4X-00-000100 - MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.	Unix	DISA STIG MongoDB Enterprise Advanced 4.x v1r4 OS
MD4X-00-004800 - MongoDB must utilize centralized management of the content captured in audit records generated by all components of MongoDB.	Unix	DISA STIG MongoDB Enterprise Advanced 4.x v1r4 OS
PGS9-00-003800 - PostgreSQL must utilize centralized management of the content captured in audit records generated by all components of PostgreSQL.	PostgreSQLDB	DISA STIG PostgreSQL 9.x on RHEL DB v2r5
PPS9-00-007700 - The EDB Postgres Advanced Server must utilize centralized management of the content captured in audit records generated by all components of the EDB Postgres Advanced Server.	PostgreSQLDB	EDB PostgreSQL Advanced Server DB Audit v2r3
PPS9-00-007800 - The EDB Postgres Advanced Server must provide centralized configuration of the content to be captured in audit records generated by all components of the EDB Postgres Advanced Server.	PostgreSQLDB	EDB PostgreSQL Advanced Server DB Audit v2r3
SQL4-00-032800 - SQL Server must utilize centralized management of the content captured in audit records generated by all components of the DBMS.	MS_SQLDB	DISA STIG SQL Server 2014 Instance DB Audit v2r4
SYMP-AG-000210 - Symantec ProxySG must use a centralized log server.	BlueCoat	DISA Symantec ProxySG Benchmark ALG v1r1
SYMP-AG-000220 - Symantec ProxySG must be configured to send the access logs to the centralized log server continuously.	BlueCoat	DISA Symantec ProxySG Benchmark ALG v1r1
VCPG-67-000020 - VMware Postgres must have log collection enabled.	Unix	DISA STIG VMware vSphere 6.7 PostgreSQL v1r2
VCPG-70-000017 - VMware Postgres must have log collection enabled.	Unix	DISA STIG VMware vSphere 7.0 PostgreSQL v1r2

Detections

Analytics