800-53|AU-9

Title

PROTECTION OF AUDIT INFORMATION

Description

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

Supplemental

Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls.

Reference Item Details

Related: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6

Category: AUDIT AND ACCOUNTABILITY

Family: AUDIT AND ACCOUNTABILITY

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.2 Ensure Snowflake SCIM integration is configured to automatically provision and deprovision users and groups (i.e. roles) | Snowflake | CIS Snowflake Foundations v1.0.0 L2
1.2.8 Ensure that the --authorization-mode argument includes RBAC | Unix | CIS Kubernetes v1.10.0 L1 Master
1.2.8 Verify that RBAC is enabled | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.2.19 Ensure that the healthz endpoint is protected by RBAC | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.3 Ensure only defined users have access to the file system | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
1.3.1 Ensure that controller manager healthz endpoints are protected by RBAC | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.4.1 Ensure that the healthz endpoints for the scheduler are protected by RBAC | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.5.7 Ensure that the --wal-dir argument is set as appropriate | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.5.8 Ensure that the --max-wals argument is set to 0 | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.10.4 Ensure 'syslog hosts' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
2.1.1 - Configuring syslog - local logging - '*.info;auth.none entry exists in /etc/syslog.conf' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
2.1.1 - Configuring syslog - local logging - 'auth.info entry exists in /etc/syslog.conf' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
2.1.2 - Configuring syslog - remote logging - '*.info;auth.none remote entry exists in /etc/syslog.conf' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
2.1.2 - Configuring syslog - remote logging - 'auth.info remote entry exists in /etc/syslog.conf' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
2.1.3 - Configuring syslog - remote messages | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
2.5 Ensure that the --peer-client-cert-auth argument is set to true | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
2.12 Configure centralized and remote logging | Unix | CIS Docker 1.12.0 v1.0.0 L2 Docker
2.12 Configure centralized and remote logging | Unix | CIS Docker 1.11.0 v1.0.0 L2 Docker
3.1.5 Secure default database location - 'DFTDBPATH value' | Unix | CIS IBM DB2 OS L2 v1.2.0
3.3 Configure remote logging for ESXi hosts | VMware | CIS VMware ESXi 5.5 v1.2.0 Level 1
3.4 Configure remote logging for ESXi hosts | VMware | CIS VMware ESXi 5.1 v1.0.1 Level 1
3.4 Ensure Apache Directories and Files Are Owned By Root | Unix | CIS Apache HTTP Server 2.4 L1 v2.1.0 Middleware
3.4 Ensure Apache Directories and Files Are Owned By Root | Unix | CIS Apache HTTP Server 2.4 L1 v2.1.0
3.5 Review Superuser/Admin Roles - clusterAdmin | MongoDB | CIS MongoDB 4 L2 DB v1.0.0
3.5 Review Superuser/Admin Roles - dbAdminAnyDatabase | MongoDB | CIS MongoDB 4 L2 DB v1.0.0
3.5 Review Superuser/Admin Roles - dbOwner | MongoDB | CIS MongoDB 4 L2 DB v1.0.0
3.5 Review Superuser/Admin Roles - hostManager | MongoDB | CIS MongoDB 4 L2 DB v1.0.0
3.5 Review Superuser/Admin Roles - readWriteAnyDatabase | MongoDB | CIS MongoDB 4 L2 DB v1.0.0
3.5 Review Superuser/Admin Roles - userAdmin | MongoDB | CIS MongoDB 4 L2 DB v1.0.0
3.5 Review Superuser/Admin Roles - userAdminAnyDatabase | MongoDB | CIS MongoDB 4 L2 DB v1.0.0
3.5 Review User-Defined Roles | MongoDB | CIS MongoDB 3.6 Database Audit L2 v1.1.0
3.09 init.ora - 'audit_file_dest parameter settings' | Windows | CIS v1.1.0 Oracle 11g OS Windows Level 1
3.15 sqlnet.ora - 'log_directory_client parameter settings' | Windows | CIS v1.1.0 Oracle 11g OS Windows Level 1
4 - Send logs to a remote server | Unix | TNS Best Practice JBoss 7 Linux
4.1.2.1 Ensure journald is configured to send logs to rsyslog | Unix | CIS Ubuntu Linux 18.04 LXD Container L1 v1.0.0
4.1.4.1 Ensure Audit logs are owned by root and mode 0600 or less permissive | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
4.2.1.3 Ensure rsyslog default file permissions configured | Unix | CIS Amazon Linux v2.1.0 L1
4.2.1.3 Ensure rsyslog default file permissions configured - rsyslog.conf/rsyslog.d | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
4.2.1.3 Ensure rsyslog default file permissions configured - rsyslog.conf/rsyslog.d | Unix | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host - rsyslog.conf | Unix | CIS Amazon Linux v2.1.0 L1
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host - rsyslog.conf/rsyslogd. | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host - rsyslog.conf/rsyslogd. | Unix | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
4.2.2.1 Ensure journald is configured to send logs to rsyslog | Unix | CIS Distribution Independent Linux Workstation L1 v2.0.0
4.2.2.1 Ensure journald is configured to send logs to rsyslog | Unix | CIS Distribution Independent Linux Server L1 v2.0.0
4.2.2.1 Ensure journald is configured to send logs to rsyslog | Unix | CIS Ubuntu Linux 16.04 LTS Workstation L1 v2.0.0
4.2.2.1 Ensure journald is configured to send logs to rsyslog | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0
4.2.2.1 Ensure journald is configured to send logs to rsyslog | Unix | CIS Ubuntu Linux 18.04 LXD Host L1 Server v1.0.0
4.2.2.1 Ensure journald is configured to send logs to rsyslog | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0
4.18 init.ora - 'audit_sys_operations = TRUE' | Unix | CIS v1.1.0 Oracle 11g OS L2