800-53|AU-6(3)

Title

CORRELATE AUDIT REPOSITORIES

Description

The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

Supplemental

Organization-wide situational awareness includes awareness across all three tiers of risk management (i.e., organizational, mission/business process, and information system) and supports cross-organization awareness.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AU-12,IR-4

Category: AUDIT AND ACCOUNTABILITY

Parent Title: AUDIT REVIEW, ANALYSIS, AND REPORTING

Family: AUDIT AND ACCOUNTABILITY

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
2.2.4 Set IP address for 'logging host'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.13 Ensure centralized and remote logging is configured	Unix	CIS Docker v1.7.0 L2 Docker - Linux
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS CentOS Linux 8 Workstation L1 v2.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Debian Family Server L1 v1.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Fedora 28 Family Linux Server L1 v2.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Fedora 28 Family Linux Workstation L1 v2.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS CentOS Linux 8 Server L1 v2.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Debian Family Workstation L1 v1.0.0
4.2.2.1 Ensure journald is configured to send logs to rsyslog	Unix	CIS SUSE Linux Enterprise 15 Server L1 v1.1.1
4.2.2.1 Ensure journald is configured to send logs to rsyslog	Unix	CIS SUSE Linux Enterprise 15 Workstation L1 v1.1.1
4.2.2.1 Ensure journald is configured to send logs to rsyslog	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Workstation
4.2.2.1 Ensure journald is configured to send logs to rsyslog	Unix	CIS SUSE Linux Enterprise 12 v3.2.0 L1 Server
4.2.2.1 Ensure journald is configured to send logs to rsyslog	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Server
4.2.2.1 Ensure journald is configured to send logs to rsyslog	Unix	CIS SUSE Linux Enterprise 12 v3.2.0 L1 Workstation
4.2.2.5 Ensure journald is not configured to send logs to rsyslog	Unix	CIS CentOS Linux 8 Workstation L1 v2.0.0
4.2.2.5 Ensure journald is not configured to send logs to rsyslog	Unix	CIS Fedora 28 Family Linux Server L1 v2.0.0
4.2.2.5 Ensure journald is not configured to send logs to rsyslog	Unix	CIS CentOS Linux 8 Server L1 v2.0.0
4.2.2.5 Ensure journald is not configured to send logs to rsyslog	Unix	CIS Fedora 28 Family Linux Workstation L1 v2.0.0
4.7 (L1) Host must configure a persistent log location for all locally stored audit records	VMware	CIS VMware ESXi 8.0 v1.1.0 L1
4.8 (L1) Host must store one week of audit records	VMware	CIS VMware ESXi 8.0 v1.1.0 L1
4.9 (L1) Host must transmit audit records to a remote log collector	VMware	CIS VMware ESXi 8.0 v1.1.0 L1
5.1.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Amazon Linux 2023 Server L1 v1.0.0
5.1.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Oracle Linux 7 v4.0.0 L1 Workstation
5.1.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Amazon Linux 2 v3.0.0 L1
5.1.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Server
5.1.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Oracle Linux 7 v4.0.0 L1 Server
5.1.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS CentOS Linux 7 v4.0.0 L1 Server
5.1.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS CentOS Linux 7 v4.0.0 L1 Workstation
5.1.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Workstation
5.1.1.5 Ensure journald is not configured to send logs to rsyslog	Unix	CIS Debian 10 Server L1 v2.0.0
5.1.1.5 Ensure journald is not configured to send logs to rsyslog	Unix	CIS Debian 10 Workstation L1 v2.0.0
5.1.1.5 Ensure journald is not configured to send logs to rsyslog	Unix	CIS Ubuntu Linux 20.04 LTS Server L1 v2.0.1
5.1.1.5 Ensure journald is not configured to send logs to rsyslog	Unix	CIS Ubuntu Linux 18.04 LTS v2.2.0 L1 Server
5.1.1.5 Ensure journald is not configured to send logs to rsyslog	Unix	CIS Ubuntu Linux 18.04 LTS v2.2.0 L1 Workstation
5.1.1.5 Ensure journald is not configured to send logs to rsyslog	Unix	CIS Ubuntu Linux 20.04 LTS Workstation L1 v2.0.1
5.1.2.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Debian 10 Server L1 v2.0.0
5.1.2.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Debian 10 Workstation L1 v2.0.0
5.1.2.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Ubuntu Linux 18.04 LTS v2.2.0 L1 Server
5.1.2.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Ubuntu Linux 20.04 LTS Server L1 v2.0.1
5.1.2.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Ubuntu Linux 20.04 LTS Workstation L1 v2.0.1
5.1.2.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Ubuntu Linux 18.04 LTS v2.2.0 L1 Workstation
5.1.2.5 Ensure journald is not configured to send logs to rsyslog	Unix	CIS Oracle Linux 8 Server L1 v3.0.0
20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited'	Windows	CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG MS
20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited'	Windows	CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC
20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited'	Windows	CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS
20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited'	Windows	CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly'	Windows	CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS
20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly'	Windows	CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly'	Windows	CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC
20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly'	Windows	CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG MS

Detections

Analytics