800-53|AU-14

Title

SESSION AUDIT

Description

The information system provides the capability for authorized users to select a user session to capture/record or view/hear.

Supplemental

Session audits include, for example, monitoring keystrokes, tracking websites visited, and recording information and/or file transfers. Session auditing activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, or standards.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AC-3,AU-11,AU-4,AU-5,AU-9

Category: AUDIT AND ACCOUNTABILITY

Family: AUDIT AND ACCOUNTABILITY

Priority: P0

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
AIX7-00-002023 - AIX must start audit at boot.	Unix	DISA STIG AIX 7.x v2r9
AOSX-15-001003 - The macOS system must initiate session audits at system startup	Unix	DISA STIG Apple Mac OSX 10.15 v1r10
APPL-13-001003 - The macOS system must produce audit records containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions.	Unix	DISA STIG Apple macOS 13 v1r3
AS24-U1-000070 - The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events - log_config_module	Unix	DISA STIG Apache Server 2.4 Unix Server v2r6
AS24-U1-000070 - The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events - log_config_module	Unix	DISA STIG Apache Server 2.4 Unix Server v2r6 Middleware
AS24-U1-000070 - The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events - LogFormat	Unix	DISA STIG Apache Server 2.4 Unix Server v2r6 Middleware
AS24-U1-000070 - The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events - LogFormat	Unix	DISA STIG Apache Server 2.4 Unix Server v2r6
AS24-W1-000070 - The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events.	Windows	DISA STIG Apache Server 2.4 Windows Server v2r3
Big Sur - Enable Security Auditing	Unix	NIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Enable Security Auditing	Unix	NIST macOS Big Sur v1.4.0 - 800-53r4 Low
Big Sur - Enable Security Auditing	Unix	NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Enable Security Auditing	Unix	NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Enable Security Auditing	Unix	NIST macOS Big Sur v1.4.0 - 800-171
Big Sur - Enable Security Auditing	Unix	NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Enable Security Auditing	Unix	NIST macOS Big Sur v1.4.0 - CNSSI 1253
Big Sur - Enable Security Auditing	Unix	NIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Enable Security Auditing	Unix	NIST macOS Big Sur v1.4.0 - 800-53r5 Low
Catalina - Enable Security Auditing	Unix	NIST macOS Catalina v1.5.0 - CNSSI 1253
Catalina - Enable Security Auditing	Unix	NIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Enable Security Auditing	Unix	NIST macOS Catalina v1.5.0 - 800-53r4 High
Catalina - Enable Security Auditing	Unix	NIST macOS Catalina v1.5.0 - 800-53r5 Low
Catalina - Enable Security Auditing	Unix	NIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Enable Security Auditing	Unix	NIST macOS Catalina v1.5.0 - 800-171
Catalina - Enable Security Auditing	Unix	NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Enable Security Auditing	Unix	NIST macOS Catalina v1.5.0 - 800-53r4 Low
Catalina - Enable Security Auditing	Unix	NIST macOS Catalina v1.5.0 - 800-53r5 High
CISC-L2-000060 - The Cisco switch must be configured for authorized users to select a user session to capture.	Cisco	DISA STIG Cisco NX-OS Switch L2S v2r3
CISC-L2-000070 - The Cisco switch must be configured for authorized users to remotely view, in real time, all content related to an established user session from a component separate from The Cisco switch.	Cisco	DISA STIG Cisco NX-OS Switch L2S v2r3
CNTR-K8-000610 - The Kubernetes API Server must have an audit log path set.	Unix	DISA STIG Kubernetes v1r11
DB2X-00-001000 - DB2 must initiate session auditing upon startup - AUDIT	IBM_DB2DB	DISA STIG IBM DB2 v10.5 LUW v2r1 Database
DB2X-00-001000 - DB2 must initiate session auditing upon startup - CHECKING	IBM_DB2DB	DISA STIG IBM DB2 v10.5 LUW v2r1 Database
DB2X-00-001000 - DB2 must initiate session auditing upon startup - CONTEXT	IBM_DB2DB	DISA STIG IBM DB2 v10.5 LUW v2r1 Database
DB2X-00-001000 - DB2 must initiate session auditing upon startup - EXECUTE	IBM_DB2DB	DISA STIG IBM DB2 v10.5 LUW v2r1 Database
DB2X-00-001000 - DB2 must initiate session auditing upon startup - OBJMAINT	IBM_DB2DB	DISA STIG IBM DB2 v10.5 LUW v2r1 Database
DB2X-00-001000 - DB2 must initiate session auditing upon startup - Review user policies	IBM_DB2DB	DISA STIG IBM DB2 v10.5 LUW v2r1 Database
DB2X-00-001000 - DB2 must initiate session auditing upon startup - SECMAINT	IBM_DB2DB	DISA STIG IBM DB2 v10.5 LUW v2r1 Database
DB2X-00-001000 - DB2 must initiate session auditing upon startup - SYSADMIN	IBM_DB2DB	DISA STIG IBM DB2 v10.5 LUW v2r1 Database
DB2X-00-001000 - DB2 must initiate session auditing upon startup - VALIDATE	IBM_DB2DB	DISA STIG IBM DB2 v10.5 LUW v2r1 Database
DKER-EE-001080 - The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise.	Unix	DISA STIG Docker Enterprise 2.x Linux/Unix UCP v2r1
DKER-EE-001090 - The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set - docker paths	Unix	DISA STIG Docker Enterprise 2.x Linux/Unix v2r1
DKER-EE-001090 - The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set - docker services	Unix	DISA STIG Docker Enterprise 2.x Linux/Unix v2r1
EP11-00-001400 - The EDB Postgres Advanced Server must initiate support of session auditing upon startup.	PostgreSQLDB	EDB PostgreSQL Advanced Server v11 DB Audit v2r3
FNFG-FW-000155 - The FortiGate firewall must allow authorized users to record a packet-capture-based IP, traffic type (TCP, UDP, or ICMP), or protocol.	FortiGate	DISA Fortigate Firewall STIG v1r3
IIST-SI-000206 - Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled.	Windows	DISA IIS 10.0 Site v2r9
IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events.	Windows	DISA IIS 10.0 Server v2r10
IIST-SV-000103 - Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web server must be enabled.	Windows	DISA IIS 10.0 Server v2r10
IISW-SI-000205 - The enhanced logging for each IIS 8.5 website must be enabled and capture, record, and log all content related to a user session	Windows	DISA IIS 8.5 Site v2r9
IISW-SI-000206 - Both the log file and Event Tracing for Windows (ETW) for each IIS 8.5 website must be enabled.	Windows	DISA IIS 8.5 Site v2r9
IISW-SV-000102 - The enhanced logging for the IIS 8.5 web server must be enabled and capture all user and web server events.	Windows	DISA IIS 8.5 Server v2r7
IISW-SV-000103 - Both the log file and Event Tracing for Windows (ETW) for the IIS 8.5 web server must be enabled.	Windows	DISA IIS 8.5 Server v2r7

Detections

Analytics