800-53|AU-6(3)

Title

CORRELATE AUDIT REPOSITORIES

Description

The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

Supplemental

Organization-wide situational awareness includes awareness across all three tiers of risk management (i.e., organizational, mission/business process, and information system) and supports cross-organization awareness.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AU-12,IR-4

Category: AUDIT AND ACCOUNTABILITY

Parent Title: AUDIT REVIEW, ANALYSIS, AND REPORTING

Family: AUDIT AND ACCOUNTABILITY

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.10.10 Ensure email logging is configured for critical to emergency	Cisco	CIS Cisco ASA 9.x Firewall L1 v1.1.0
2.2.4 Set IP address for 'logging host'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.13 Ensure centralized and remote logging is configured	Unix	CIS Docker v1.6.0 L2 Docker Linux
3.1 (L1) Ensure a centralized location is configured to collect ESXi host core dumps	Unix	CIS VMware ESXi 7.0 v1.4.0 L1 Bare Metal
3.1 Ensure a centralized location is configured to collect ESXi host core dumps	Unix	CIS VMware ESXi 6.7 v1.3.0 Level 1 Bare Metal
3.3 (L1) Ensure remote logging is configured for ESXi hosts	VMware	CIS VMware ESXi 7.0 v1.4.0 L1
3.3 Ensure remote logging is configured for ESXi hosts	VMware	CIS VMware ESXi 6.7 v1.3.0 Level 1
3.5 Ensure error logs are sent to a remote syslog server	Unix	CIS NGINX Benchmark v2.0.1 L2 Loadbalancer
3.5 Ensure error logs are sent to a remote syslog server	Unix	CIS NGINX Benchmark v2.0.1 L2 Proxy
3.5 Ensure error logs are sent to a remote syslog server	Unix	CIS NGINX Benchmark v2.0.1 L2 Webserver
3.6 Ensure access logs are sent to a remote syslog server	Unix	CIS NGINX Benchmark v2.0.1 L2 Webserver
3.6 Ensure access logs are sent to a remote syslog server	Unix	CIS NGINX Benchmark v2.0.1 L2 Loadbalancer
3.6 Ensure access logs are sent to a remote syslog server	Unix	CIS NGINX Benchmark v2.0.1 L2 Proxy
4.2 (L1) Host must transmit system logs to a remote log collector	VMware	CIS VMware ESXi 8.0 v1.1.0 L1
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Debian Family Server L1 v1.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS CentOS Linux 8 Workstation L1 v2.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS AlmaLinux OS 9 Server L1 v1.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS AlmaLinux OS 9 Workstation L1 v1.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Rocky Linux 9 Server L1 v1.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Debian Family Workstation L1 v1.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS CentOS Linux 8 Server L1 v2.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Fedora 28 Family Linux Server L1 v2.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Oracle Linux 9 Workstation L1 v1.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Red Hat EL9 Server L1 v1.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Rocky Linux 9 Workstation L1 v1.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Fedora 28 Family Linux Workstation L1 v2.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Red Hat EL9 Workstation L1 v1.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Oracle Linux 9 Server L1 v1.0.0
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host	Unix	CIS SUSE Linux Enterprise Server 11 L1 v2.1.1
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host	Unix	CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1
4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host	Unix	CIS SUSE Linux Enterprise 12 v3.1.0 L1 Server
4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host	Unix	CIS SUSE Linux Enterprise 12 v3.1.0 L1 Workstation
4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host	Unix	CIS SUSE Linux Enterprise 15 Server L1 v1.1.1
4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host	Unix	CIS SUSE Linux Enterprise 15 Workstation L1 v1.1.1
4.2.2.1 Ensure journald is configured to send logs to rsyslog	Unix	CIS SUSE Linux Enterprise 15 Workstation L1 v1.1.1
4.2.2.1 Ensure journald is configured to send logs to rsyslog	Unix	CIS SUSE Linux Enterprise 15 Server L1 v1.1.1
4.2.2.1 Ensure journald is configured to send logs to rsyslog	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Workstation
4.2.2.1 Ensure journald is configured to send logs to rsyslog	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Server
4.2.2.1 Ensure journald is configured to send logs to rsyslog	Unix	CIS SUSE Linux Enterprise 12 v3.1.0 L1 Workstation
4.2.2.1 Ensure journald is configured to send logs to rsyslog	Unix	CIS SUSE Linux Enterprise 12 v3.1.0 L1 Server
4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host - destination logserver	Unix	CIS Debian 8 Workstation L1 v2.0.2
4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host - destination logserver	Unix	CIS Debian 8 Server L1 v2.0.2
20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited'	Windows	CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG MS
20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited'	Windows	CIS Microsoft Windows Server 2016 STIG v2.0.0 STIG MS
20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited'	Windows	CIS Microsoft Windows Server 2016 STIG v2.0.0 STIG DC
20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited'	Windows	CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.38 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly'	Windows	CIS Microsoft Windows Server 2016 STIG v2.0.0 STIG DC
20.38 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly'	Windows	CIS Microsoft Windows Server 2016 STIG v2.0.0 STIG MS
20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly'	Windows	CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly'	Windows	CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG MS

Detections

Analytics