CSCv6|6.2

Title

Validate audit log settings for each hardware device and the software installed on it.

Description

Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.

Reference Item Details

Category: Maintenance, Monitoring, and Analysis of Audit Logs

Family: System

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1.1.1 Syslog logging should be configured - configuration | Palo_Alto | CIS Palo Alto Firewall 9 Benchmark v1.0.0 L1 |
| 1.1.1.1 Syslog logging should be configured - hip match | Palo_Alto | CIS Palo Alto Firewall 9 Benchmark v1.0.0 L1 |
| 1.1.1.1 Syslog logging should be configured - host | Palo_Alto | CIS Palo Alto Firewall 9 Benchmark v1.0.0 L1 |
| 1.1.1.1 Syslog logging should be configured - ip-tag | Palo_Alto | CIS Palo Alto Firewall 9 Benchmark v1.0.0 L1 |
| 1.1.1.1 Syslog logging should be configured - system | Palo_Alto | CIS Palo Alto Firewall 9 Benchmark v1.0.0 L1 |
| 1.1.1.1 Syslog logging should be configured - user-id | Palo_Alto | CIS Palo Alto Firewall 9 Benchmark v1.0.0 L1 |
| 1.1.1.2 SNMPv3 traps should be configured - configuration | Palo_Alto | CIS Palo Alto Firewall 9 Benchmark L2 v1.0.0 |
| 1.1.1.2 SNMPv3 traps should be configured - hip match | Palo_Alto | CIS Palo Alto Firewall 9 Benchmark L2 v1.0.0 |
| 1.1.1.2 SNMPv3 traps should be configured - host | Palo_Alto | CIS Palo Alto Firewall 9 Benchmark L2 v1.0.0 |
| 1.1.1.2 SNMPv3 traps should be configured - ip-tag | Palo_Alto | CIS Palo Alto Firewall 9 Benchmark L2 v1.0.0 |
| 1.1.1.2 SNMPv3 traps should be configured - user-id | Palo_Alto | CIS Palo Alto Firewall 9 Benchmark L2 v1.0.0 |
| 1.1.3 Ensure 'Enable Log on High DP Load' is enabled | Palo_Alto | CIS Palo Alto Firewall 9 Benchmark v1.0.0 L1 |
| 1.1.3 Ensure auditing is configured for the Docker daemon | Unix | CIS Docker v1.3.1 L1 Linux Host OS |
| 1.1.3.2.2 Enable 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.1.2 Set 'Windows Firewall: Domain: Logging: Size limit (KB)' to '16384 KB or greater' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.1.3 Set 'Windows Firewall: Domain: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.1.4 Set 'Windows Firewall: Private: Logging: Size limit (KB)' to '16384 KB or greater' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.1.8 Set 'Windows Firewall: Domain: Logging: Log dropped packets' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.1.9 Set 'Windows Firewall: Domain: Logging: Log successful connections' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.2.8 Set 'Windows Firewall: Private: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.2.10 Set 'Windows Firewall: Private: Logging: Log successful connections' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.2.11 Set 'Windows Firewall: Private: Logging: Log dropped packets' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.3.4 Set 'Windows Firewall: Public: Logging: Log dropped packets' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.3.7 Set 'Windows Firewall: Public: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.3.8 Set 'Windows Firewall: Public: Logging: Log successful connections' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.3.9 Set 'Windows Firewall: Public: Logging: Size limit (KB)' to '16384 KB or greater' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.14 Ensure that the --audit-log-path argument is set as appropriate | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1 |
| 1.1.15 Ensure that the --audit-log-path argument is set as appropriate | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1 |
| 1.1.15 Ensure that the --audit-log-path argument is set as appropriate | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1 |
| 1.1.15 Ensure that the --audit-log-path argument is set as appropriate | Unix | CIS Kubernetes 1.13 Benchmark v1.4.0 L1 |
| 1.1.16 Ensure that the --audit-log-path argument is set as appropriate | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1 |
| 1.2.3 Ensure auditing is configured for the Docker daemon | Unix | CIS Docker v1.2.0 L1 Linux Host OS |
| 1.2.21 Ensure that the --audit-log-path argument is set | Unix | CIS Kubernetes v1.20 Benchmark v1.0.0 L1 Master |
| 1.2.22 Ensure that the --audit-log-path argument is set | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.2.22 Ensure that the --audit-log-path argument is set | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.5 Ensure auditing is configured for the docker daemon | Unix | CIS Docker Community Edition v1.1.0 L1 Linux Host OS |
| 1.5.3 ETW Logging - Default ETW | Windows | CIS IIS 8.0 v1.4.0 Level 1 |
| 1.5.3 ETW Logging - Default W3C | Windows | CIS IIS 8.0 v1.4.0 Level 1 |
| 1.5.3 ETW Logging - Sites logFormat W3C | Windows | CIS IIS 8.0 v1.4.0 Level 1 |
| 1.5.3 ETW Logging - Sites logFormat W3C with ETW target | Windows | CIS IIS 8.0 v1.4.0 Level 1 |
| 1.9.3 Ensure className is set correctly in context.xml | Unix | CIS Apache Tomcat5.5/6.0 L2 v1.0 |
| 1.9.5 Ensure pattern in context.xml is correct | Unix | CIS Apache Tomcat5.5/6.0 L1 v1.0 |
| 17.6.1 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Windows Server 2012 DC L1 v2.1.0 |
| 17.6.1 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Windows Server 2012 MS L1 v2.1.0 |
| 17.6.3 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 |
| 17.6.3 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 10 Enterprise (Release 1803) v1.5.0 Level 1 |
| 17.6.3 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 17.6.3 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker |
| 17.6.3 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows Server 2016 DC L1 v1.2.0 |
| 17.6.3 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows Server 2016 DC L1 v1.3.0 |