800-53|AU-5(4)

Title

SHUTDOWN ON FAILURE

Description

The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists.

Supplemental

Organizations determine the types of audit failures that can trigger automatic information system shutdowns or degraded operations. Because of the importance of ensuring mission/business continuity, organizations may determine that the nature of the audit failure is not so severe that it warrants a complete shutdown of the information system supporting the core organizational missions/business operations. In those instances, partial information system shutdowns or operating in a degraded mode with reduced capability may be viable alternatives.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AU-15

Category: AUDIT AND ACCOUNTABILITY

Parent Title: RESPONSE TO AUDIT PROCESSING FAILURES

Family: AUDIT AND ACCOUNTABILITY

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1.1.2.1.75 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled'	Windows	CIS Windows 2003 DC v3.1.0
1.1.1.2.1.75 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled'	Windows	CIS Windows 2003 MS v3.1.0
1.1.3.2.1 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled'	Windows	CIS Windows 8 L1 v1.0.0
1.2.10 Audit: Shut down system immediately if unable to log security audits	Windows	CIS Windows 2008 Enterprise v1.2.0
1.2.10 Audit: Shut down system immediately if unable to log security audits	Windows	CIS Windows 2008 SSLF v1.2.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2016 MS L1 v1.2.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Windows Server 2012 R2 DC L1 v2.5.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Windows Server 2012 DC L1 v2.1.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Windows Server 2012 R2 DC L1 v2.4.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.1.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.1.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 v3.1.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.1.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Windows Server 2012 MS L1 v2.1.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2008 Member Server Level 1 v3.1.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2016 DC L1 v1.2.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.1.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Windows Server 2012 R2 MS L1 v2.4.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Windows Server 2012 R2 MS L1 v2.5.0
3.010 - The system must shut down upon audit processing failure, unless availability is an overriding concern.	Unix	Tenable Fedora Linux Best Practices v2.0.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'admin_space_left_action'	Unix	CIS Amazon Linux v2.1.0 L2
4.1.1.2 Ensure system is disabled when audit logs are full - 'admin_space_left_action'	Unix	CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'admin_space_left_action'	Unix	CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'space_left_action is configured'	Unix	CIS Amazon Linux v2.1.0 L2
4.1.1.2 Ensure system is disabled when audit logs are full - 'space_left_action'	Unix	CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'space_left_action'	Unix	CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'	Unix	CIS Ubuntu Linux 20.04 LTS Server L2 v1.0.0
4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'	Unix	CIS Red Hat EL7 Server L2 v3.0.1
4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'	Unix	CIS Ubuntu Linux 20.04 LTS Workstation L2 v1.0.0
4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'	Unix	CIS Red Hat EL7 Workstation L2 v3.0.1
4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'	Unix	CIS Oracle Linux 7 Server L2 v3.0.0
4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'	Unix	CIS Red Hat EL8 Server L2 v1.0.0
4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'	Unix	CIS Oracle Linux 7 Workstation L2 v3.0.0
4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'	Unix	CIS Red Hat EL8 Workstation L2 v1.0.0
4.1.2.3 Ensure system is disabled when audit logs are full - admin_space_left_action	Unix	CIS SUSE Linux Enterprise 15 Server L2 v1.0.0
4.1.2.3 Ensure system is disabled when audit logs are full - admin_space_left_action	Unix	CIS SUSE Linux Enterprise 15 Workstation L2 v1.0.0
4.1.2.3 Ensure system is disabled when audit logs are full - space_left_action = halt	Unix	CIS CentOS Linux 8 Server L2 v1.0.0
4.1.2.3 Ensure system is disabled when audit logs are full - space_left_action = halt	Unix	CIS CentOS Linux 8 Workstation L2 v1.0.0
4.1.20 Ensure the auditing processing failures are handled.	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3
8.1.1.2 Disable System on Audit Log Full - 'admin_space_left_action = halt'	Unix	CIS Ubuntu 12.04 LTS Benchmark L2 v1.1.0
8.1.1.2 Disable System on Audit Log Full - admin_space_left_action = halt	Unix	CIS Debian Linux 7 L2 v1.0.0
8.1.1.2 Disable System on Audit Log Full - space_left_action = email	Unix	CIS Debian Linux 7 L2 v1.0.0
8.1.1.2 Disable System on Audit Log Full- 'space_left_action = email'	Unix	CIS Ubuntu 12.04 LTS Benchmark L2 v1.1.0
AOSX-09-001355 - The operating system must shut down by default upon audit failure (unless availability is an overriding concern).	Unix	DISA STIG Apple Mac OSX 10.9 v1r2
AOSX-10-001355 - The operating system must shut down by default upon audit failure (unless availability is an overriding concern).	Unix	DISA STIG Apple Mac OSX 10.10 v1r5
AOSX-11-001355 - The operating system must shut down by default upon audit failure (unless availability is an overriding concern).	Unix	DISA STIG Apple Mac OSX 10.11 v1r6
AOSX-13-001355 - The macOS system must shut down by default upon audit failure (unless availability is an overriding concern).	Unix	DISA STIG Apple Mac OSX 10.13 v2r3
AOSX-13-001355 - The macOS system must shut down by default upon audit failure (unless availability is an overriding concern).	Unix	DISA STIG Apple Mac OSX 10.13 v2r1

Detections

Analytics