800-53|AU-4(1)

Title

TRANSFER TO ALTERNATE STORAGE

Description

The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.

Supplemental

Off-loading is a process designed to preserve the confidentiality and integrity of audit records by moving the records from the primary information system to a secondary or alternate system. It is a common process in information systems with limited audit storage capacity; the audit storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system designated for storing the audit records, at which point the information is transferred.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Category: AUDIT AND ACCOUNTABILITY

Parent Title: AUDIT STORAGE CAPACITY

Family: AUDIT AND ACCOUNTABILITY

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
4.1.2.3 Ensure audit system is set to single when the disk is full.	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.6 Ensure audit system action is defined for sending errors	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.8 Ensure audit logs are stored on a different system.	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.9 Ensure audit logs on separate system are encrypted.	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.11 Ensure off-load of audit logs - direction	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.11 Ensure off-load of audit logs - path	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.11 Ensure off-load of audit logs - type	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.12 Ensure action is taken when audisp-remote buffer is full	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.13 Ensure off-loaded audit logs are labeled.	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.7 Enable use of the au-remote plugin	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3
4.8 Ensure off-load of audit logs - direction	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3
4.8 Enure off-load of audit logs - path	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3
4.8 Enure off-load of audit logs - type	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3
4.10 Ensure off-loaded audit logs are labeled.	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3
4.10 init.ora - 'Establish redundant physically separate locations for redo log files.'	Unix	CIS v1.1.0 Oracle 11g OS L1
4.10 init.ora - 'Establish redundant physically separate locations for redo log files.'	Windows	CIS v1.1.0 Oracle 11g OS Windows Level 1
4.11 init.ora - 'Specify redo logging must be successful.'	Windows	CIS v1.1.0 Oracle 11g OS Windows Level 1
20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly' (STIG only)	Windows	CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS
20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly' (STIG only)	Windows	CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG DC
AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full.	Unix	DISA STIG AIX 7.x v3r1
AIX7-00-002131 - AIX must implement a remote syslog server that is documented using site-defined procedures.	Unix	DISA STIG AIX 7.x v3r1
ALMA-09-052160 - AlmaLinux OS 9 audispd-plugins package must be installed.	Unix	DISA CloudLinux AlmaLinux OS 9 STIG v1r1
ALMA-09-052270 - AlmaLinux OS 9 must label all offloaded audit logs before sending them to the central log server.	Unix	DISA CloudLinux AlmaLinux OS 9 STIG v1r1
ALMA-09-052380 - AlmaLinux OS 9 must take appropriate action when the internal event queue is full.	Unix	DISA CloudLinux AlmaLinux OS 9 STIG v1r1
ALMA-09-052490 - AlmaLinux OS 9 must be configured to offload audit records onto a different system from the system being audited via syslog.	Unix	DISA CloudLinux AlmaLinux OS 9 STIG v1r1
ALMA-09-052600 - AlmaLinux OS 9 must authenticate the remote logging server for offloading audit logs via rsyslog.	Unix	DISA CloudLinux AlmaLinux OS 9 STIG v1r1
ALMA-09-052710 - AlmaLinux OS 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.	Unix	DISA CloudLinux AlmaLinux OS 9 STIG v1r1
ALMA-09-052820 - AlmaLinux OS 9 must encrypt, via the gtls driver, the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.	Unix	DISA CloudLinux AlmaLinux OS 9 STIG v1r1
ALMA-09-052930 - AlmaLinux OS 9 must have the rsyslog package installed.	Unix	DISA CloudLinux AlmaLinux OS 9 STIG v1r1
ALMA-09-053040 - AlmaLinux OS 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog.	Unix	DISA CloudLinux AlmaLinux OS 9 STIG v1r1
ALMA-09-053150 - The rsyslog service on AlmaLinux OS 9 must be active.	Unix	DISA CloudLinux AlmaLinux OS 9 STIG v1r1
AMLS-NM-000400 - The Arista Multilayer Switch must, at a minimum, off-load audit records for interconnected systems in real time - logging host	Arista	DISA STIG Arista MLS DCS-7000 Series NDM v1r4
AMLS-NM-000400 - The Arista Multilayer Switch must, at a minimum, off-load audit records for interconnected systems in real time - trap logging	Arista	DISA STIG Arista MLS DCS-7000 Series NDM v1r4
ARST-ND-000850 - The Arista network Arista device must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the ISSO.	Arista	DISA STIG Arista MLS EOS 4.2x NDM v2r1
AS24-U1-000720 - The Apache web server must not impede the ability to write specified log record content to an audit log server.	Unix	DISA STIG Apache Server 2.4 Unix Server v3r1 Middleware
AS24-U1-000720 - The Apache web server must not impede the ability to write specified log record content to an audit log server.	Unix	DISA STIG Apache Server 2.4 Unix Server v3r1
AS24-U1-000730 - The Apache web server must be configured to integrate with an organizations security infrastructure.	Unix	DISA STIG Apache Server 2.4 Unix Server v3r1
AS24-U1-000730 - The Apache web server must be configured to integrate with an organizations security infrastructure.	Unix	DISA STIG Apache Server 2.4 Unix Server v3r1 Middleware
AS24-W1-000720 - The Apache web server must not impede the ability to write specified log record content to an audit log server.	Windows	DISA STIG Apache Server 2.4 Windows Server v3r1
AS24-W1-000720 - The Apache web server must not impede the ability to write specified log record content to an audit log server.	Windows	DISA STIG Apache Server 2.4 Windows Server v2r3
AS24-W1-000730 - The Apache web server must be configurable to integrate with an organizations security infrastructure.	Windows	DISA STIG Apache Server 2.4 Windows Server v3r1
AS24-W1-000730 - The Apache web server must be configurable to integrate with an organizations security infrastructure.	Windows	DISA STIG Apache Server 2.4 Windows Server v2r3
Auditing and logging - server	ArubaOS	ArubaOS Switch 16.x Hardening Guide v1.0.0
Big Sur - Off-Load Audit Records	Unix	NIST macOS Big Sur v1.4.0 - All Profiles
CASA-ND-001410 - The Cisco ASA must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to organization-defined personnel and/or the firewall administrator.	Cisco	DISA STIG Cisco ASA NDM v2r2
CD12-00-011300 - PostgreSQL must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.	PostgreSQLDB	DISA STIG Crunchy Data PostgreSQL DB v3r1
CISC-ND-001310 - The Cisco router must be configured to off-load log records onto a different system than the system being audited.	Cisco	DISA STIG Cisco IOS-XR Router NDM v3r2
CISC-ND-001310 - The Cisco switch must be configured to off-load log records onto a different system than the system being audited.	Cisco	DISA STIG Cisco NX-OS Switch NDM v3r2
CISC-ND-001450 - The Cisco router must be configured to send log data to at least two syslog servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).	Cisco	DISA STIG Cisco IOS XE Router NDM v3r2
CISC-ND-001450 - The Cisco router must be configured to send log data to at least two syslog servers for the purpose of forwarding alerts to the administrators and the ISSO.	Cisco	DISA STIG Cisco IOS Router NDM v3r2

Detections

Analytics