800-53|AU-9

Title

PROTECTION OF AUDIT INFORMATION

Description

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

Supplemental

Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls.

Reference Item Details

Related: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6

Category: AUDIT AND ACCOUNTABILITY

Family: AUDIT AND ACCOUNTABILITY

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1.11 Ensure separate partition exists for /var/log/audit | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
1.1.11 Ensure separate partition exists for /var/log/audit | Unix | CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
1.1.13 Ensure separate partition exists for /var/log/audit | Unix | CIS Amazon Linux 2 STIG v1.0.0 L2
1.2 Ensure Snowflake SCIM integration is configured to automatically provision and deprovision users and groups (i.e. roles) | Snowflake | CIS Snowflake Foundations v1.0.0 L2
1.2.8 Ensure that the --authorization-mode argument includes RBAC | Unix | CIS Kubernetes v1.10.0 L1 Master
1.2.8 Ensure that the --authorization-mode argument includes RBAC | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.8 Ensure that the --authorization-mode argument includes RBAC | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.8 Ensure that the --authorization-mode argument includes RBAC | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.8 Verify that RBAC is enabled | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.2.19 Ensure that the healthz endpoint is protected by RBAC | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.3.1 Ensure that controller manager healthz endpoints are protected by RBAC | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.3.3 Ensure that the --use-service-account-credentials argument is set to true | Unix | CIS Kubernetes v1.10.0 L1 Master
1.3.3 Ensure that the --use-service-account-credentials argument is set to true | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.3.3 Ensure that the --use-service-account-credentials argument is set to true | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.3.3 Ensure that the --use-service-account-credentials argument is set to true | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.4 Ensure 'application pool identity' is configured for all application pools | Windows | CIS IIS 10 v1.2.1 Level 1
1.4.1 Ensure that the healthz endpoints for the scheduler are protected by RBAC | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.5.7 Ensure that the --wal-dir argument is set as appropriate | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.5.7 Ensure that the --wal-dir argument is set as appropriate | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.5.8 Ensure that the --max-wals argument is set to 0 | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.5.8 Ensure that the --max-wals argument is set to 0 | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.10.4 Ensure 'syslog hosts' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.15 Ensure IAM Users Receive Permissions Only Through Groups | amazon_aws | CIS Amazon Web Services Foundations L1 3.0.0
1.18 Ensure IAM instance roles are used for AWS resource access from instances | amazon_aws | CIS Amazon Web Services Foundations L2 3.0.0
2.001 - Permissions for event logs must conform to minimum requirements - application.evtx | Windows | DISA Windows Vista STIG v6r41
2.001 - Permissions for event logs must conform to minimum requirements - security.evtx | Windows | DISA Windows Vista STIG v6r41
2.001 - Permissions for event logs must conform to minimum requirements - system.evtx | Windows | DISA Windows Vista STIG v6r41
2.1 Ensure that IP addresses are mapped to usernames | Palo_Alto | CIS Palo Alto Firewall 10 v1.2.0 L2
2.1 Ensure that IP addresses are mapped to usernames | Palo_Alto | CIS Palo Alto Firewall 11 v1.1.0 L2
2.1 Ensure that IP addresses are mapped to usernames - User ID Agents | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L2
2.1 Ensure that IP addresses are mapped to usernames - Zones | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L2
2.1.1 - Configuring syslog - local logging - '*.info;auth.none entry exists in /etc/syslog.conf' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
11.1 Ensure SELinux Is Enabled in Enforcing Mode - config | Unix | CIS Apache HTTP Server 2.4 L2 v2.1.0
11.1 Ensure SELinux Is Enabled in Enforcing Mode - config | Unix | CIS Apache HTTP Server 2.4 L2 v2.1.0 Middleware
11.1 Ensure SELinux Is Enabled in Enforcing Mode - current | Unix | CIS Apache HTTP Server 2.4 L2 v2.1.0
11.1 Ensure SELinux Is Enabled in Enforcing Mode - current | Unix | CIS Apache HTTP Server 2.4 L2 v2.1.0 Middleware
17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.1 Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
17.9.3 (L1) Ensure 'Audit Security State Change' is set to include 'Success' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.3 Ensure 'Audit Security State Change' is set to include 'Success' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
17.9.4 (L1) Ensure 'Audit Security System Extension' is set to include 'Success' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.4 Ensure 'Audit Security System Extension' is set to include 'Success' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.5 Ensure 'Audit System Integrity' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
18.4.13 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.4.13 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
18.9.81.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.81.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0