800-53|AU-5(4)

Title

SHUTDOWN ON FAILURE

Description

The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists.

Supplemental

Organizations determine the types of audit failures that can trigger automatic information system shutdowns or degraded operations. Because of the importance of ensuring mission/business continuity, organizations may determine that the nature of the audit failure is not so severe that it warrants a complete shutdown of the information system supporting the core organizational missions/business operations. In those instances, partial information system shutdowns or operating in a degraded mode with reduced capability may be viable alternatives.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AU-15

Category: AUDIT AND ACCOUNTABILITY

Parent Title: RESPONSE TO AUDIT PROCESSING FAILURES

Family: AUDIT AND ACCOUNTABILITY

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1.3.2.1 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled'	Windows	CIS Windows 8 L1 v1.0.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'admin_space_left_action'	Unix	CIS Amazon Linux v2.1.0 L2
4.1.1.2 Ensure system is disabled when audit logs are full - 'admin_space_left_action'	Unix	CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'admin_space_left_action'	Unix	CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'space_left_action is configured'	Unix	CIS Amazon Linux v2.1.0 L2
4.1.1.2 Ensure system is disabled when audit logs are full - 'space_left_action'	Unix	CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'space_left_action'	Unix	CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
4.1.20 Ensure the auditing processing failures are handled.	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3
8.1.1.2 Disable System on Audit Log Full - 'admin_space_left_action = halt'	Unix	CIS Ubuntu 12.04 LTS Benchmark L2 v1.1.0
8.1.1.2 Disable System on Audit Log Full - admin_space_left_action = halt	Unix	CIS Debian Linux 7 L2 v1.0.0
8.1.1.2 Disable System on Audit Log Full - space_left_action = email	Unix	CIS Debian Linux 7 L2 v1.0.0
8.1.1.2 Disable System on Audit Log Full- 'space_left_action = email'	Unix	CIS Ubuntu 12.04 LTS Benchmark L2 v1.1.0
Audit: Shut down system immediately if unable to log security audits	Windows	MSCT Windows Server 2012 R2 DC v1.0.0
Audit: Shut down system immediately if unable to log security audits	Windows	MSCT Windows Server 2012 R2 MS v1.0.0
CASA-VN-000080 - The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable - logging permit-hostdown	Cisco	DISA STIG Cisco ASA VPN v2r1
CASA-VN-000080 - The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable - logging queue	Cisco	DISA STIG Cisco ASA VPN v2r1
Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'	Unix	Tenable Cisco Firepower Management Center OS Best Practices Audit
Ensure system is disabled when audit logs are full - 'space_left_action = email'	Unix	Tenable Cisco Firepower Management Center OS Best Practices Audit
IBM i : Auditing End Action (QAUDENDACN) - 'NOTIFY or PWRDWNSYS'	AS/400	IBM System i Security Reference for V7R1 and V6R1
IBM i : Auditing End Action (QAUDENDACN) - 'NOTIFY or PWRDWNSYS'	AS/400	IBM System i Security Reference for V7R2
IBM i : Auditing End Action (QAUDENDACN) - 'NOTIFY or PWRDWNSYS'	AS/400	IBM System i Security Reference for V7R3
IBM i : Auditing End Action (QAUDENDACN) - '*NOTIFY'	AS/400	IBM iSeries Security Reference v5r4
SPLK-CL-000180 - Splunk Enterprise must notify the System Administrator (SA) or Information System Security Officer (ISSO) if communication with the host and devices within its scope of coverage is lost.	Splunk	DISA STIG Splunk Enterprise 8.x for Linux v2r1 STIG REST API
SPLK-CL-000310 - Splunk Enterprise must notify the System Administrator (SA) or Information System Security Officer (ISSO) if communication with the host and devices within its scope of coverage is lost.	Splunk	DISA STIG Splunk Enterprise 7.x for Windows v3r1 REST API
SQL2-00-012800 - SQL Server must shutdown immediately in the event of an audit failure, unless an alternative audit capability exists.	MS_SQLDB	DISA STIG SQL Server 2012 DB Instance Security v1r20

Detections

Analytics