800-53|AU-5(4)

Title

SHUTDOWN ON FAILURE

Description

The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists.

Supplemental

Organizations determine the types of audit failures that can trigger automatic information system shutdowns or degraded operations. Because of the importance of ensuring mission/business continuity, organizations may determine that the nature of the audit failure is not so severe that it warrants a complete shutdown of the information system supporting the core organizational missions/business operations. In those instances, partial information system shutdowns or operating in a degraded mode with reduced capability may be viable alternatives.

Reference Item Details

Related: AU-15

Category: AUDIT AND ACCOUNTABILITY

Parent Title: RESPONSE TO AUDIT PROCESSING FAILURES

Family: AUDIT AND ACCOUNTABILITY

Audit Items

Name | Plugin | Audit Name
1.1.3.2.1 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'admin_space_left_action' | Unix | CIS Amazon Linux v2.1.0 L2
4.1.1.2 Ensure system is disabled when audit logs are full - 'admin_space_left_action' | Unix | CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'admin_space_left_action' | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'space_left_action is configured' | Unix | CIS Amazon Linux v2.1.0 L2
4.1.1.2 Ensure system is disabled when audit logs are full - 'space_left_action' | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'space_left_action' | Unix | CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
4.1.20 Ensure the auditing processing failures are handled. | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
8.1.1.2 Disable System on Audit Log Full - 'admin_space_left_action = halt' | Unix | CIS Ubuntu 12.04 LTS Benchmark L2 v1.1.0
8.1.1.2 Disable System on Audit Log Full - admin_space_left_action = halt | Unix | CIS Debian Linux 7 L2 v1.0.0
8.1.1.2 Disable System on Audit Log Full - space_left_action = email | Unix | CIS Debian Linux 7 L2 v1.0.0
8.1.1.2 Disable System on Audit Log Full- 'space_left_action = email' | Unix | CIS Ubuntu 12.04 LTS Benchmark L2 v1.1.0
Audit: Shut down system immediately if unable to log security audits | Windows | MSCT Windows Server 2012 R2 DC v1.0.0
Audit: Shut down system immediately if unable to log security audits | Windows | MSCT Windows Server 2012 R2 MS v1.0.0
CASA-VN-000080 - The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable. | Cisco | DISA STIG Cisco ASA VPN v2r2
Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt' | Unix | Tenable Cisco Firepower Management Center OS Best Practices Audit
Ensure system is disabled when audit logs are full - 'space_left_action = email' | Unix | Tenable Cisco Firepower Management Center OS Best Practices Audit
IBM i : Auditing End Action (QAUDENDACN) - '*NOTIFY or *PWRDWNSYS' | AS/400 | IBM System i Security Reference for V7R1 and V6R1
IBM i : Auditing End Action (QAUDENDACN) - '*NOTIFY or *PWRDWNSYS' | AS/400 | IBM System i Security Reference for V7R2
IBM i : Auditing End Action (QAUDENDACN) - '*NOTIFY or *PWRDWNSYS' | AS/400 | IBM System i Security Reference for V7R3
IBM i : Auditing End Action (QAUDENDACN) - '*NOTIFY' | AS/400 | IBM iSeries Security Reference v5r4
SPLK-CL-000180 - Splunk Enterprise must notify the System Administrator (SA) or Information System Security Officer (ISSO) if communication with the host and devices within its scope of coverage is lost. | Splunk | DISA STIG Splunk Enterprise 8.x for Linux v2r1 STIG REST API
SPLK-CL-000310 - Splunk Enterprise must notify the System Administrator (SA) or Information System Security Officer (ISSO) if communication with the host and devices within its scope of coverage is lost. | Splunk | DISA STIG Splunk Enterprise 7.x for Windows v3r1 REST API
SQL2-00-012800 - SQL Server must shutdown immediately in the event of an audit failure, unless an alternative audit capability exists. | MS_SQLDB | DISA STIG SQL Server 2012 DB Instance Security v1r20