800-53|AU-5a.

Title

RESPONSE TO AUDIT PROCESSING FAILURES

Description

Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and

Reference Item Details

Category: AUDIT AND ACCOUNTABILITY

Family: AUDIT AND ACCOUNTABILITY

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
3.092 - The system must generate an audit event when the audit log reaches a percentage of full threshold.WindowsDISA Windows Vista STIG v6r41
4.1.2.10 Ensure the auditing processing failures are handled - System Administrator [SA] and Information System Security Officer [ISSO] at a minimum in the event of an audit processing failure.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.4 Ensure audit system is set to single when the disk is full.UnixCIS Amazon Linux 2 STIG v1.0.0 L3
AIX7-00-002008 - AIX must be configured to generate an audit record when 75% of the audit file system is full.UnixDISA STIG AIX 7.x v3r1
APPL-14-001030 - The macOS system must configure audit capacity warning.UnixDISA Apple macOS 14 (Sonoma) STIG v2r2
APPL-15-001030 - The macOS system must configure audit capacity warning.UnixDISA Apple macOS 15 (Sequoia) STIG v1r1
AS24-U1-000160 - The Apache web server must use a logging mechanism that is configured to alert the Information System Security Officer (ISSO) and System Administrator (SA) in the event of a processing failure.UnixDISA STIG Apache Server 2.4 Unix Server v3r1
AS24-U1-000160 - The Apache web server must use a logging mechanism that is configured to alert the Information System Security Officer (ISSO) and System Administrator (SA) in the event of a processing failure.UnixDISA STIG Apache Server 2.4 Unix Server v3r1 Middleware
AS24-W1-000160 - The Apache web server must use a logging mechanism that is configured to alert the (ISSO) and System Administrator (SA) in the event of a processing failure.WindowsDISA STIG Apache Server 2.4 Windows Server v2r3
AS24-W1-000160 - The Apache web server must use a logging mechanism that is configured to alert the (ISSO) and System Administrator (SA) in the event of a processing failure.WindowsDISA STIG Apache Server 2.4 Windows Server v3r1
Big Sur - Alert Audit Processing FailureUnixNIST macOS Big Sur v1.4.0 - All Profiles
Catalina - Alert Audit Processing FailureUnixNIST macOS Catalina v1.5.0 - All Profiles
DKER-EE-001590 - Docker Enterprise must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.UnixDISA STIG Docker Enterprise 2.x Linux/Unix v2r2
F5BI-DM-000067 - The BIG-IP appliance must be configured to alert the ISSO and SA (at a minimum) in the event of an audit processing failure.F5DISA F5 BIG-IP Device Management STIG v2r3
GEN002719 - The audit system must alert the SA in the event of an audit processing failure - '/etc/audit/auditd.conf disk_error_action'UnixDISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit
GEN002719 - The audit system must alert the SA in the event of an audit processing failure - '/etc/audit/auditd.conf disk_error_action'UnixDISA STIG for Oracle Linux 5 v2r1
GEN002719 - The audit system must alert the SA in the event of an audit processing failure - '/etc/audit/auditd.conf disk_full_action'UnixDISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit
GEN002719 - The audit system must alert the SA in the event of an audit processing failure - '/etc/audit/auditd.conf disk_full_action'UnixDISA STIG for Oracle Linux 5 v2r1
GEN002719 - The audit system must alert the SA in the event of an audit processing failure.UnixDISA STIG Solaris 10 X86 v2r4
GEN002719 - The audit system must alert the SA in the event of an audit processing failure.UnixDISA STIG Solaris 10 SPARC v2r4
IIST-SI-000206 - Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled.WindowsDISA IIS 10.0 Site v2r10
IIST-SV-000103 - Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web server must be enabled.WindowsDISA IIS 10.0 Server v2r10
IIST-SV-000103 - Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web server must be enabled.WindowsDISA IIS 10.0 Server v3r2
IISW-SI-000206 - Both the log file and Event Tracing for Windows (ETW) for each IIS 8.5 website must be enabled.WindowsDISA IIS 8.5 Site v2r9
IISW-SV-000103 - Both the log file and Event Tracing for Windows (ETW) for the IIS 8.5 web server must be enabled.WindowsDISA IIS 8.5 Server v2r7
Monterey - Alert Audit Processing FailureUnixNIST macOS Monterey v1.0.0 - All Profiles
OL6-00-000313 - The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.UnixDISA STIG Oracle Linux 6 v2r7
OL08-00-030020 - The OL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.UnixDISA Oracle Linux 8 STIG v2r2
OL08-00-030030 - The OL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure.UnixDISA Oracle Linux 8 STIG v2r2
PHTN-30-000014 - The Photon operating system audit log must log space limit problems to syslog.UnixDISA STIG VMware vSphere 7.0 Photon OS v1r3
PHTN-40-000021 The Photon operating system must alert the ISSO and SA in the event of an audit processing failure.UnixDISA VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 STIG v2r1
PHTN-67-000013 - The Photon operating system audit log must log space limit problems to syslog.UnixDISA STIG VMware vSphere 6.7 Photon OS v1r6
RHEL-06-000313 - The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.UnixDISA Red Hat Enterprise Linux 6 STIG v2r2
RHEL-08-030020 - The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.UnixDISA Red Hat Enterprise Linux 8 STIG v2r1
RHEL-08-030030 - The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure.UnixDISA Red Hat Enterprise Linux 8 STIG v2r1
RHEL-09-252060 - RHEL 9 must forward mail from postmaster to the root account using a postfix alias.UnixDISA Red Hat Enterprise Linux 9 STIG v2r2
RHEL-09-653070 - RHEL 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.UnixDISA Red Hat Enterprise Linux 9 STIG v2r2
RHEL-09-653125 - RHEL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure.UnixDISA Red Hat Enterprise Linux 9 STIG v2r2
RHEL-09-654265 - RHEL 9 must take appropriate action when a critical audit processing failure occurs.UnixDISA Red Hat Enterprise Linux 9 STIG v2r2
SLES-12-020040 - The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event.UnixDISA SLES 12 STIG v3r1
SLES-12-020050 - The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure.UnixDISA SLES 12 STIG v3r1
SLES-15-030570 - The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event.UnixDISA SLES 15 STIG v2r2
SLES-15-030580 - The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure.UnixDISA SLES 15 STIG v2r2
SOL-11.1-010390 - The operating system must alert designated organizational officials in the event of an audit processing failure.UnixDISA STIG Solaris 11 SPARC v3r1
SOL-11.1-010390 - The operating system must alert designated organizational officials in the event of an audit processing failure.UnixDISA STIG Solaris 11 X86 v3r1
TCAT-AS-001731 - The application server must alert the system administrator (SA) and information system security offer (ISSO), at a minimum, in the event of a log processing failure.UnixDISA STIG Apache Tomcat Application Server 9 v3r1 Middleware
UBTU-16-020040 - The System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.UnixDISA STIG Ubuntu 16.04 LTS v2r3
UBTU-16-030700 - The Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure.UnixDISA STIG Ubuntu 16.04 LTS v2r3
UBTU-18-010300 - The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.UnixDISA STIG Ubuntu 18.04 LTS v2r15
UBTU-20-010117 - The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.UnixDISA STIG Ubuntu 20.04 LTS v2r1