800-53|AU-9(2)

Title

AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS

Description

The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.

Supplemental

This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records.

Reference Item Details

Related: AU-11,AU-4,AU-5

Category: AUDIT AND ACCOUNTABILITY

Parent Title: PROTECTION OF AUDIT INFORMATION

Family: AUDIT AND ACCOUNTABILITY

Baseline Impact: HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.10.4 Ensure 'syslog hosts' is configured correctlyCiscoCIS Cisco Firewall v8.x L1 v4.2.0
2.1.1 - Configuring syslog - local logging - '*.info;auth.none entry exists in /etc/syslog.conf'UnixCIS AIX 5.3/6.1 L2 v1.1.0
2.1.1 - Configuring syslog - local logging - '/var/adm/authlog exists'UnixCIS AIX 5.3/6.1 L2 v1.1.0
2.1.1 - Configuring syslog - local logging - '/var/adm/syslog exists'UnixCIS AIX 5.3/6.1 L2 v1.1.0
2.1.1 - Configuring syslog - local logging - 'auth.info entry exists in /etc/syslog.conf'UnixCIS AIX 5.3/6.1 L2 v1.1.0
2.1.2 - Configuring syslog - remote logging - '*.info;auth.none remote entry exists in /etc/syslog.conf'UnixCIS AIX 5.3/6.1 L2 v1.1.0
2.1.2 - Configuring syslog - remote logging - 'auth.info remote entry exists in /etc/syslog.conf'UnixCIS AIX 5.3/6.1 L2 v1.1.0
2.1.3 - Configuring syslog - remote messagesUnixCIS AIX 5.3/6.1 L2 v1.1.0
2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
2.12 Configure centralized and remote loggingUnixCIS Docker 1.12.0 v1.0.0 L2 Docker
2.12 Configure centralized and remote loggingUnixCIS Docker 1.11.0 v1.0.0 L2 Docker
2.12 Configure centralized and remote loggingUnixCIS Docker 1.13.0 v1.0.0 L2 Docker
2.12 Ensure centralized and remote logging is configuredUnixCIS Docker Community Edition v1.1.0 L2 Docker
3.1 Ensure a centralized location is configured to collect ESXi host core dumpsUnixCIS VMware ESXi 6.5 v1.0.0 Level 1 Bare Metal
3.3 Configure remote logging for ESXi hostsVMwareCIS VMware ESXi 5.5 v1.2.0 Level 1
3.4 Configure remote logging for ESXi hostsVMwareCIS VMware ESXi 5.1 v1.0.1 Level 1
4 - Send logs to a remote serverUnixTNS Best Practice JBoss 7 Linux
4.1.1.4 Ensure audit logs are stored on a different system.UnixCIS Amazon Linux 2 STIG v1.0.0 L3
4.1.2.1 Ensure journald is configured to send logs to rsyslogUnixCIS Ubuntu Linux 18.04 LXD Container L1 v1.0.0
4.2.1.3 Ensure rsyslog default file permissions configuredUnixCIS Amazon Linux v2.1.0 L1
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log hostUnixCIS Aliyun Linux 2 L1 v1.0.0
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host - rsyslog.confUnixCIS Amazon Linux v2.1.0 L1
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host - rsyslog.conf/rsyslogd.UnixCIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host - rsyslog.conf/rsyslogd.UnixCIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts. - $InputTCPServerRunUnixCIS Aliyun Linux 2 L1 v1.0.0
4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts. - $ModLoadUnixCIS Aliyun Linux 2 L1 v1.0.0
4.2.2.1 Ensure journald is configured to send logs to rsyslogUnixCIS Distribution Independent Linux Workstation L1 v2.0.0
4.2.2.1 Ensure journald is configured to send logs to rsyslogUnixCIS Distribution Independent Linux Server L1 v2.0.0
4.2.2.1 Ensure journald is configured to send logs to rsyslogUnixCIS Ubuntu Linux 16.04 LTS Workstation L1 v2.0.0
4.2.2.1 Ensure journald is configured to send logs to rsyslogUnixCIS Fedora 19 Family Linux Workstation L1 v1.0.0
4.2.2.1 Ensure journald is configured to send logs to rsyslogUnixCIS Ubuntu Linux 18.04 LXD Host L1 Server v1.0.0
4.2.2.1 Ensure journald is configured to send logs to rsyslogUnixCIS Fedora 19 Family Linux Server L1 v1.0.0
4.2.2.1 Ensure journald is configured to send logs to rsyslogUnixCIS Debian Family Server L1 v1.0.0
4.2.2.1 Ensure journald is configured to send logs to rsyslogUnixCIS Debian Family Workstation L1 v1.0.0
4.2.2.1 Ensure journald is configured to send logs to rsyslogUnixCIS Ubuntu Linux 18.04 LXD Host L1 Workstation v1.0.0
17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.1 Ensure 'Audit IPsec Driver' is set to 'Success and Failure'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
17.9.3 (L1) Ensure 'Audit Security State Change' is set to include 'Success'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.3 Ensure 'Audit Security State Change' is set to include 'Success'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
17.9.4 (L1) Ensure 'Audit Security System Extension' is set to include 'Success'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.4 Ensure 'Audit Security System Extension' is set to include 'Success'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.5 Ensure 'Audit System Integrity' is set to 'Success and Failure'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
18.4.13 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.4.13 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
18.9.81.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.81.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'WindowsCIS Windows 7 Workstation Level 1 v3.2.0