800-53|AU-11

Title

AUDIT RECORD RETENTION

Description

The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

Supplemental

Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.

Reference Item Details

Related: AU-4,AU-5,AU-9,MP-6

Category: AUDIT AND ACCOUNTABILITY

Family: AUDIT AND ACCOUNTABILITY

Priority: P3

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.2.4.4.3 Set 'System: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.4.4 Set 'Security: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.4.6 Set 'System: Maximum Log Size (KB)' to 'Enabled:20480 or greater' | Windows | CIS Windows 8 L1 v1.0.0
1.7.9 - Miscellaneous Enhancements - AIX Auditing - 'cron audit rotation has been implemented' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | amazon_aws | CIS Amazon Web Services Foundations L1 3.0.0
2.1.2 Ensure 'Retain deleted items for the specified number of days' is set to '14' | Windows | CIS Microsoft Exchange Server 2019 L1 Mailbox v1.0.0
2.1.3 Ensure all data in Amazon S3 has been discovered, classified and secured when required. | amazon_aws | CIS Amazon Web Services Foundations L2 3.0.0
2.1.5 Ensure 'Keep deleted mailboxes for the specified number of days' is set to '30' | Windows | CIS Microsoft Exchange Server 2019 L1 Mailbox v1.0.0
2.1.6 Ensure 'Do not permanently delete items until the database has been backed up' is set to 'True' | Windows | CIS Microsoft Exchange Server 2019 L1 Mailbox v1.0.0
2.9 (L1) Host must not suppress warnings about unmitigated hyperthreading vulnerabilities | VMware | CIS VMware ESXi 8.0 v1.1.0 L1
18.8.4.2 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2016 STIG DC L1 v1.1.0
18.8.4.2 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2016 STIG MS L1 v1.1.0
18.8.4.2 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2016 STIG DC STIG v1.1.0
18.8.4.2 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 STIG DC STIG v1.0.1
18.8.4.2 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2016 STIG MS STIG v1.1.0
18.8.4.2 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 STIG MS STIG v1.0.1
18.8.4.2 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 STIG DC L1 v1.0.1
18.8.4.2 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 STIG MS L1 v1.0.1
18.9.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
18.9.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
18.9.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
18.9.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows 11 Enterprise v3.0.0 L1 + BL
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2022 v3.0.0 L1 Member Server
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2022 v3.0.0 L1 Domain Controller
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows 11 Enterprise v3.0.0 L1
18.10.56.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2022 v3.0.0 L1 Domain Controller
18.10.56.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2022 v3.0.0 L1 Member Server
18.10.57.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1
18.10.57.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 EMS Gateway v2.0.0 L1
18.10.57.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + NG
18.10.57.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL + NG
18.10.57.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL
18.10.57.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' - Disabled | Windows | CIS Microsoft Windows 11 Stand-alone v2.0.0 L1
18.10.57.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' - Disabled | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1
18.10.57.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' - Disabled | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + NG
18.10.57.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' - Disabled | Windows | CIS Microsoft Windows 11 Stand-alone v2.0.0 L1 + BL
18.10.57.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' - Disabled | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + BL + NG
18.10.57.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' - Disabled | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + BL
18.10.58.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Intune for Windows 11 v2.0.0 L1 + BL
18.10.58.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Intune for Windows 10 v2.0.0 L1
18.10.58.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Intune for Windows 11 v2.0.0 L1 + NG
18.10.58.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Intune for Windows 11 v2.0.0 L1 + BL + NG
18.10.58.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Intune for Windows 10 v2.0.0 L1 + BL
18.10.58.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Intune for Windows 10 v2.0.0 L1 + NG
18.10.58.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Windows | CIS Microsoft Intune for Windows 10 v2.0.0 L1 + BL + NG