800-53|AU-5(2)

Title

REAL-TIME ALERTS

Description

The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].

Supplemental

Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less).

Reference Item Details

Category: AUDIT AND ACCOUNTABILITY

Parent Title: RESPONSE TO AUDIT PROCESSING FAILURES

Family: AUDIT AND ACCOUNTABILITY

Baseline Impact: HIGH

Audit Items

Name | Plugin | Audit Name
3.092 - The system must generate an audit event when the audit log reaches a percentage of full threshold. | Windows | DISA Windows Vista STIG v6r41
3.340 - The system must immediately notify the SA and ISSO via email when the threshold for the max audit storage capacity is reached. | Unix | Tenable Fedora Linux Best Practices v2.0.0
4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email' | Unix | CIS Red Hat EL8 Workstation L2 v1.0.0
4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email' | Unix | CIS Red Hat EL7 Workstation L2 v3.0.1
4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email' | Unix | CIS Ubuntu Linux 20.04 LTS Server L2 v1.0.0
4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email' | Unix | CIS Ubuntu Linux 20.04 LTS Workstation L2 v1.0.0
4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email' | Unix | CIS Oracle Linux 7 Server L2 v3.0.0
4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email' | Unix | CIS Red Hat EL7 Server L2 v3.0.1
4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email' | Unix | CIS Oracle Linux 7 Workstation L2 v3.0.0
4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email' | Unix | CIS Red Hat EL8 Server L2 v1.0.0
4.1.2.3 Ensure system is disabled when audit logs are full - space_left_action | Unix | CIS SUSE Linux Enterprise 15 Server L2 v1.0.0
4.1.2.3 Ensure system is disabled when audit logs are full - space_left_action | Unix | CIS SUSE Linux Enterprise 15 Workstation L2 v1.0.0
4.1.2.3 Ensure system is disabled when audit logs are full - space_left_action = email | Unix | CIS CentOS Linux 8 Server L2 v1.0.0
4.1.2.3 Ensure system is disabled when audit logs are full - space_left_action = email | Unix | CIS CentOS Linux 8 Workstation L2 v1.0.0
AOSX-09-000310 - System must provide an immediate real-time alert to the SA and ISSO of all audit failure events requiring real-time alerts. | Unix | DISA STIG Apple Mac OSX 10.9 v1r2
AOSX-10-000310 - System must provide an immediate real-time alert to the SA and ISSO of all audit failure events requiring real-time alerts. | Unix | DISA STIG Apple Mac OSX 10.10 v1r5
AOSX-11-000310 - The system must provide an immediate real-time alert of all audit failure events requiring real-time alerts. | Unix | DISA STIG Apple Mac OSX 10.11 v1r6
AOSX-13-000310 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts. | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000310 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts. | Unix | DISA STIG Apple Mac OSX 10.13 v2r1
AOSX-13-000310 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts. | Unix | DISA STIG Apple Mac OSX 10.13 v2r3
AOSX-14-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts. | Unix | DISA STIG Apple Mac OSX 10.14 v2r1
AOSX-14-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts. | Unix | DISA STIG Apple Mac OSX 10.14 v2r4
AOSX-14-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts. | Unix | DISA STIG Apple Mac OSX 10.14 v2r5
AOSX-14-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-15-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts. | Unix | DISA STIG Apple Mac OSX 10.15 v1r10
APPL-11-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts. | Unix | DISA STIG Apple macOS 11 v1r5
APPL-11-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts. | Unix | DISA STIG Apple macOS 11 v1r8
APPL-12-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts. | Unix | DISA STIG Apple macOS 12 v1r8
APPL-13-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts. | Unix | DISA STIG Apple macOS 13 v1r4
APPL-14-001031 - The macOS system must configure audit failure notification. | Unix | DISA Apple macOS 14 (Sonoma) STIG v1r2
ARST-ND-000790 - The Arista network device must be configured to capture all DOD auditable events. | Arista | DISA STIG Arista MLS EOS 4.2x NDM v1r1
Big Sur - Configure Audit Failure Notification | Unix | NIST macOS Big Sur v1.4.0 - 800-171
Big Sur - Configure Audit Failure Notification | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Configure Audit Failure Notification | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Configure Audit Failure Notification | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Low
Big Sur - Configure Audit Failure Notification | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Configure Audit Failure Notification | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High
CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - From-address | Cisco | DISA STIG Cisco ASA FW v1r4
CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - Logging Errors | Cisco | DISA STIG Cisco ASA FW v1r4
CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - Recipient-address | Cisco | DISA STIG Cisco ASA FW v1r4
CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - Severity | Cisco | DISA STIG Cisco ASA FW v1r4
CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - smtp | Cisco | DISA STIG Cisco ASA FW v1r4
CASA-ND-000930 - The Cisco ASA must be configured to generate an immediate real-time alert of all audit failure events requiring real-time alerts - logging host | Cisco | DISA STIG Cisco ASA NDM v1r6
CASA-ND-000930 - The Cisco ASA must be configured to generate an immediate real-time alert of all audit failure events requiring real-time alerts - logging trap | Cisco | DISA STIG Cisco ASA NDM v1r6
CASA-VN-000090 - The Cisco ASA must be configured to generate an alert that can be forwarded as an alert to organization-defined personnel and/or firewall administrator of all log failure events - logging host | Cisco | DISA STIG Cisco ASA VPN v1r3
CASA-VN-000090 - The Cisco ASA must be configured to generate an alert that can be forwarded as an alert to organization-defined personnel and/or firewall administrator of all log failure events - logging trap | Cisco | DISA STIG Cisco ASA VPN v1r3
CISC-ND-001000 - The Cisco router must be configured to generate an alert for all audit failure events. | Cisco | DISA STIG Cisco IOS Router NDM v2r8
CISC-ND-001000 - The Cisco router must be configured to generate an alert for all audit failure events. | Cisco | DISA STIG Cisco IOS-XR Router NDM v2r5
CISC-ND-001000 - The Cisco router must be configured to generate an alert for all audit failure events. | Cisco | DISA STIG Cisco IOS XE Router NDM v2r9
CISC-ND-001000 - The Cisco switch must be configured to generate an alert for all audit failure events. | Cisco | DISA STIG Cisco IOS Switch NDM v2r9