800-53|AU-6

Title

AUDIT REVIEW, ANALYSIS, AND REPORTING

Description

The organization:

Supplemental

Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AC-17,AC-2,AC-3,AC-6,AT-3,AU-16,AU-7,CA-7,CM-10,CM-11,CM-5,IA-3,IA-5,IR-5,IR-6,MA-4,MP-4,PE-14,PE-16,PE-3,PE-6,RA-5,SC-18,SC-19,SC-7,SI-3,SI-4,SI-7

Category: AUDIT AND ACCOUNTABILITY

Family: AUDIT AND ACCOUNTABILITY

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.2.17 Ensure that the --profiling argument is set to false	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.17 Ensure that the --profiling argument is set to false	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.20 Ensure that the --profiling argument is set to false	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.4.4 Set IP address for 'logging host'	Cisco	CIS Cisco IOS XR 7.x v1.0.0 L1
1.6.3 Configure Netflow on Strategic Ports	Cisco	CIS Cisco NX-OS L2 v1.1.0
1.7 Ensure logging data is monitored	Juniper	CIS Juniper OS Benchmark v2.1.0 L1
1.10.10 Ensure email logging is configured for critical to emergency	Cisco	CIS Cisco ASA 9.x Firewall L1 v1.1.0
2.1 Ensure monitoring and alerting exist for ACCOUNTADMIN and SECURITYADMIN role grants	Snowflake	CIS Snowflake Foundations v1.0.0 L1
2.1 Ensure That Cloud Audit Logging Is Configured Properly	GCP	CIS Google Cloud Platform v3.0.0 L1
2.1.1 Ensure Firewall Is Enabled	Unix	CIS Apple macOS 13.0 Ventura Cloud-tailored v1.0.0 L1
2.1.1 Ensure Firewall Is Enabled	Unix	CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.0.0 L1
2.1.11 Ensure the spoofed domains report is reviewed weekly	microsoft_azure	CIS Microsoft 365 Foundations E5 L1 v3.1.0
2.1.12 Ensure the 'Restricted entities' report is reviewed weekly	microsoft_azure	CIS Microsoft 365 Foundations E3 L1 v3.1.0
2.1.13 Ensure malware trends are reviewed at least weekly	microsoft_azure	CIS Microsoft 365 Foundations E3 L1 v3.1.0
2.2 Ensure monitoring and alerting exist for MANAGE GRANTS privilege grants	Snowflake	CIS Snowflake Foundations v1.0.0 L1
2.2.1 Ensure Firewall Is Enabled	Unix	CIS Apple macOS 14.0 Sonoma v1.1.0 L1
2.2.1 Ensure Firewall Is Enabled	Unix	CIS Apple macOS 13.0 Ventura v2.1.0 L1
2.2.4 Set IP address for 'logging host'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.2.4 Set IP address for 'logging host'	Cisco	CIS Cisco IOS XE 17.x v2.1.0 L1
2.2.4 Set IP address for 'logging host'	Cisco	CIS Cisco IOS XE 16.x v2.1.0 L1
2.3 Ensure monitoring and alerting exist for password sign-ins of SSO users	Snowflake	CIS Snowflake Foundations v1.0.0 L1
2.3.1 Ensure the Account Provisioning Activity report is reviewed at least weekly	microsoft_azure	CIS Microsoft 365 Foundations E3 L1 v3.1.0
2.3.2 Ensure non-global administrator role group assignments are reviewed at least weekly	microsoft_azure	CIS Microsoft 365 Foundations E3 L1 v3.1.0
2.4 Ensure monitoring and alerting exist for password sign-in without MFA	Snowflake	CIS Snowflake Foundations v1.0.0 L1
2.4.1.1 Ensure Firewall Is Enabled	Unix	CIS Apple macOS 12.0 Monterey Cloud-tailored v1.0.0 L1
2.5 Ensure monitoring and alerting exist for creation, update and deletion of security integrations	Snowflake	CIS Snowflake Foundations v1.0.0 L1
2.5.2.1 Ensure Firewall Is Enabled	Unix	CIS Apple macOS 12.0 Monterey v3.1.0 L1
2.5.2.1 Ensure Firewall Is Enabled	Unix	CIS Apple macOS 10.15 Catalina v3.0.0 L1
2.5.2.1 Ensure Firewall Is Enabled	Unix	CIS Apple macOS 11.0 Big Sur v4.0.0 L1
2.5.2.2 Ensure Firewall Is Enabled	Unix	CIS Apple macOS 10.14 v2.0.0 L1
2.6 Ensure monitoring and alerting exist for changes to network policies and associated objects	Snowflake	CIS Snowflake Foundations v1.0.0 L1
2.7 Ensure monitoring and alerting exist for SCIM token creation	Snowflake	CIS Snowflake Foundations v1.0.0 L1
2.8 Ensure monitoring and alerting exists for new share exposures	Snowflake	CIS Snowflake Foundations v1.0.0 L1
2.9 Ensure monitoring and alerting exists for sessions from unsupported Snowflake Connector for Python and JDBC and ODBC drivers	Snowflake	CIS Snowflake Foundations v1.0.0 L2
2.12 Ensure That Cloud DNS Logging Is Enabled for All VPC Networks	GCP	CIS Google Cloud Platform v3.0.0 L1
2.12.8 - Miscellaneous Config - enable sar accounting - 'activity reports are generated every 20 minutes or less on weekday 8a-5p'	Unix	CIS AIX 5.3/6.1 L2 v1.1.0
2.12.8 - Miscellaneous Config - enable sar accounting - 'activity reports are generated hourly on weekday 6p-7a'	Unix	CIS AIX 5.3/6.1 L2 v1.1.0
2.12.8 - Miscellaneous Config - enable sar accounting - 'activity reports are generated hourly on weekends'	Unix	CIS AIX 5.3/6.1 L2 v1.1.0
2.12.8 - Miscellaneous Config - enable sar accounting - 'daily summaries are being prepared'	Unix	CIS AIX 5.3/6.1 L2 v1.1.0
2.13 Ensure centralized and remote logging is configured	Unix	CIS Docker v1.6.0 L2 Docker Linux
3.1 (L1) Ensure a centralized location is configured to collect ESXi host core dumps	Unix	CIS VMware ESXi 7.0 v1.4.0 L1 Bare Metal
3.1 Ensure a centralized location is configured to collect ESXi host core dumps	Unix	CIS VMware ESXi 6.7 v1.3.0 Level 1 Bare Metal
20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited'	Windows	CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC
20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited'	Windows	CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG MS
20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited'	Windows	CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS
20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited'	Windows	CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly'	Windows	CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS
20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly'	Windows	CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly'	Windows	CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG MS
20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly'	Windows	CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC

Detections

Analytics