800-53|AU-11

Title

AUDIT RECORD RETENTION

Description

The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

Supplemental

Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.

Reference Item Details

Related: AU-4,AU-5,AU-9,MP-6

Category: AUDIT AND ACCOUNTABILITY

Family: AUDIT AND ACCOUNTABILITY

Priority: P3

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.2.4.4.3 Set 'System: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.4.4 Set 'Security: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.4.6 Set 'System: Maximum Log Size (KB)' to 'Enabled:20480 or greater' | Windows | CIS Windows 8 L1 v1.0.0
1.7.9 - Miscellaneous Enhancements - AIX Auditing - 'cron audit rotation has been implemented' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | amazon_aws | CIS Amazon Web Services Foundations L1 1.5.0
2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required. | amazon_aws | CIS Amazon Web Services Foundations L2 1.5.0
3 - Audit Logging - Handler | Unix | TNS Best Practice JBoss 7 Linux
3.1.1 Retain system.log for 90 or more days | Unix | CIS Apple OSX 10.9 L1 v1.3.0
3.1.1 Retain system.log for 90 or more days | Unix | CIS Apple OSX 10.11 El Capitan L1 v1.1.0
3.1.1 Retain system.log for 90 or more days | Unix | CIS Apple OSX 10.10 Yosemite L1 v1.2.0
3.1.2 Retain appfirewall.log for 90 or more days | Unix | CIS Apple OSX 10.9 L1 v1.3.0
3.1.2 Retain appfirewall.log for 90 or more days | Unix | CIS Apple OSX 10.11 El Capitan L1 v1.1.0
3.1.2 Retain appfirewall.log for 90 or more days | Unix | CIS Apple OSX 10.10 Yosemite L1 v1.2.0
3.1.3 Retain authd.log for 90 or more days | Unix | CIS Apple OSX 10.10 Yosemite L1 v1.2.0
3.1.3 Retain authd.log for 90 or more days | Unix | CIS Apple OSX 10.9 L1 v1.3.0
3.1.3 Retain authd.log for 90 or more days | Unix | CIS Apple OSX 10.11 El Capitan L1 v1.1.0
3.3 Ensure security auditing retention | Unix | CIS Apple macOS 10.12 L1 v1.2.0
3.3 Retain install.log for 365 or more days | Unix | CIS Apple macOS 10.13 L1 v1.1.0
3.4 Ensure DLP policies are enabled | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v1.5.0
3.4 Ensure security auditing retention | Unix | CIS Apple macOS 10.13 L1 v1.1.0
3.5 Ensure DLP policies are enabled for Microsoft Teams | microsoft_azure | CIS Microsoft 365 Foundations E5 L1 v1.5.0
3.5 Retain install.log for 365 or more days | Unix | CIS Apple OSX 10.10 Yosemite L1 v1.2.0
3.5 Retain install.log for 365 or more days | Unix | CIS Apple OSX 10.9 L1 v1.3.0
3.5 Retain install.log for 365 or more days | Unix | CIS Apple OSX 10.11 El Capitan L1 v1.1.0
3.5 Retain install.log for 365 or more days | Unix | CIS Apple macOS 10.12 L1 v1.2.0
4.5 Enable Login Records - Check if loginlog in /etc/logadm.conf is appropiately set | Unix | CIS Solaris 10 L1 v5.2
5.4 Ensure that new entries are appended to the end of the log file | Unix | CIS MongoDB 4 L2 OS Linux v1.0.0
5.4 Ensure that new entries are appended to the end of the log file | Windows | CIS MongoDB 4 L2 OS Windows v1.0.0
5.4 Ensure that new entries are appended to the end of the log file | Windows | CIS MongoDB 5 L2 OS Windows v1.1.0
5.4 Ensure that new entries are appended to the end of the log file | Unix | CIS MongoDB 5 L2 OS Linux v1.1.0
18.8.4.1 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1
18.8.4.1 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + BL
18.8.4.1 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + NG
18.8.4.1 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + BL + NG
18.8.4.2 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2016 STIG MS L1 v1.1.0
18.8.4.2 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2016 STIG DC L1 v1.1.0
18.8.4.2 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 STIG MS STIG v1.0.1
18.8.4.2 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 STIG DC L1 v1.0.1
18.8.4.2 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2016 STIG DC STIG v1.1.0
18.8.4.2 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 STIG MS L1 v1.0.1
18.8.4.2 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 STIG DC STIG v1.0.1
18.8.4.2 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2016 STIG MS STIG v1.1.0
18.9.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
18.9.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
18.9.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
18.9.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0