800-53|AU-2

Title

AUDIT EVENTS

Description

The organization:

Supplemental

An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures.
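The event classes the guidance names (password changes, failed logons, failed accesses, administrative privilege usage) and its distinction between having a logging capability and activating it can be expressed directly as Linux auditd rule files. The script below is an added example written for this page; it is not NIST text, not part of the Tenable audit content, and not a CIS benchmark rule set. It assumes an x86_64 host (arch=b64), auditd with augenrules, and the au2_* key names, file paths and the split into a baseline file and an on-demand file are choices made here. PIV and third-party credential usage are deliberately absent: those events are recorded by the identity provider or PAM stack, not by file watches.

```shell
#!/bin/sh
# Added example (not from the page): AU-2 auditable events as auditd rule files.
# Assumptions: x86_64 (arch=b64), auditd/augenrules, key names au2_* chosen here.

# The subset of auditable events that is audited at all times.
write_au2_baseline_rules() {
    out="$1"
    cat > "$out" <<'EOF'
## AU-2 baseline: always-on auditable events (key names are this example's choice)
## Password changes: writes to the credential stores
-w /etc/passwd -p wa -k au2_passwd_change
-w /etc/shadow -p wa -k au2_passwd_change
-w /etc/gshadow -p wa -k au2_passwd_change
## Failed logons: PAM records them in these files
-w /var/log/faillog -p wa -k au2_failed_logon
-w /var/log/lastlog -p wa -k au2_failed_logon
## Administrative privilege usage: sudo policy changes, and a real user executing as root
-w /etc/sudoers -p wa -k au2_priv_use
-w /etc/sudoers.d/ -p wa -k au2_priv_use
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k au2_priv_use
## Failed accesses: open/create attempts denied by permissions, for logged-in users only
-a always,exit -F arch=b64 -S open,openat,creat,truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k au2_access_denied
-a always,exit -F arch=b64 -S open,openat,creat,truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k au2_access_denied
EOF
}

# The capability AU-2 says a system must have but need not keep active:
# every file open, successful or not. Written outside /etc/audit/rules.d so
# augenrules never loads it at boot; it is loaded only for an investigation window.
write_au2_ondemand_rules() {
    out="$1"
    cat > "$out" <<'EOF'
## AU-2 on-demand: all file opens by logged-in users. High volume; load only when needed.
-a always,exit -F arch=b64 -S open,openat,openat2,creat -F auid>=1000 -F auid!=unset -k au2_all_file_access
EOF
}

# Number of active (non-comment, non-blank) rules in a file, for deployment checks.
count_rules() {
    grep -c -v -e '^#' -e '^$' "$1"
}

# True when the rule file carries at least one rule tagged with the given key.
covers_event() {
    grep -q -- "-k $2\$" "$1"
}

# Usage: sh au2_rules.sh /etc/audit/rules.d/10-au2.rules /var/lib/au2/ondemand.rules
if [ "$#" -eq 2 ]; then
    write_au2_baseline_rules "$1"
    write_au2_ondemand_rules "$2"
    echo "baseline rules: $(count_rules "$1"), on-demand rules: $(count_rules "$2")"
fi
```

After writing the baseline file into /etc/audit/rules.d, `augenrules --load` installs it persistently. The on-demand file is activated with `auditctl -R /var/lib/au2/ondemand.rules` and removed again with `auditctl -d` followed by the same rule text; the `-F auid>=1000 -F auid!=unset` filters keep daemon activity out of the high-volume rule. Two caveats: if the configuration has been locked with `-e 2`, no rule can be added at runtime and the on-demand set would require a reboot, so the two approaches do not combine; and the `exit=-EACCES`/`exit=-EPERM` rules only see a denied access that reached the kernel, not one refused by an application's own authorization layer.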

Reference Item Details

Related: AC-17, AC-6, AU-12, AU-3, MA-4, MP-2, MP-4, SI-4

Category: AUDIT AND ACCOUNTABILITY

Family: AUDIT AND ACCOUNTABILITY

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.1.1 Enable 'aaa new-model' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.1.1.1 Syslog logging should be configured - configuration | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.1.1.1 Syslog logging should be configured - configuration | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.1.1.1 Syslog logging should be configured - hip match | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.1.1.1 Syslog logging should be configured - hip match | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.1.1.1 Syslog logging should be configured - host | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.1.1.1 Syslog logging should be configured - host | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.1.1.1 Syslog logging should be configured - ip-tag | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.1.1.1 Syslog logging should be configured - ip-tag | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.1.1.1 Syslog logging should be configured - system | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.1.1.1 Syslog logging should be configured - system | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.1.1.1 Syslog logging should be configured - user-id | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.1.1.1 Syslog logging should be configured - user-id | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.1.1.2 SNMPv3 traps should be configured - configuration | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L2
1.1.1.2 SNMPv3 traps should be configured - configuration | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L2
1.1.1.2 SNMPv3 traps should be configured - hip match | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L2
1.1.1.2 SNMPv3 traps should be configured - hip match | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L2
1.1.1.2 SNMPv3 traps should be configured - host | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L2
1.1.1.2 SNMPv3 traps should be configured - host | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L2
1.1.1.2 SNMPv3 traps should be configured - ip-tag | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L2
1.1.1.2 SNMPv3 traps should be configured - ip-tag | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L2
1.1.1.2 SNMPv3 traps should be configured - user-id | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L2
1.1.1.2 SNMPv3 traps should be configured - user-id | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L2
1.1.3 Ensure 'Enable Log on High DP Load' is enabled | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.1.3 Ensure 'Enable Log on High DP Load' is enabled | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.1.3 Ensure auditing is configured for the Docker daemon | Unix | CIS Docker v1.3.1 L1 Linux Host OS
1.1.9 Set 'aaa accounting exec' | Cisco | CIS Cisco IOS 15 L2 v4.1.1
1.1.9 Set 'aaa accounting exec' | Cisco | CIS Cisco IOS 17 L2 v1.0.0
1.1.10 Set 'aaa accounting network' | Cisco | CIS Cisco IOS 17 L2 v1.0.0
1.1.10 Set 'aaa accounting network' | Cisco | CIS Cisco IOS 15 L2 v4.1.1
1.1.11 Set 'aaa accounting system' | Cisco | CIS Cisco IOS 17 L2 v1.0.0
1.1.11 Set 'aaa accounting system' | Cisco | CIS Cisco IOS 15 L2 v4.1.1
1.2.1 Ensure dm-verity is enabled | Unix | CIS Google Container-Optimized OS L1 Server v1.0.0
1.2.18 Ensure that the --audit-log-path argument is set | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.18 Ensure that the --audit-log-path argument is set | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.21 Ensure that the --audit-log-path argument is set | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.3.1 Ensure AIDE is installed | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Server
1.3.1 Ensure AIDE is installed | Unix | CIS Red Hat EL7 Server L1 v3.1.1
1.3.1 Ensure AIDE is installed | Unix | CIS SUSE Linux Enterprise Server 11 L1 v2.1.1
1.3.1 Ensure AIDE is installed | Unix | CIS CentOS Linux 8 Server L1 v2.0.0
1.3.1 Ensure AIDE is installed | Unix | CIS Oracle Linux 7 Server L1 v3.1.1
1.3.1 Ensure AIDE is installed | Unix | CIS Oracle Linux 7 Workstation L1 v3.1.1
1.3.1 Ensure AIDE is installed | Unix | CIS Debian 8 Workstation L1 v2.0.2
1.3.1 Ensure AIDE is installed | Unix | CIS CentOS 7 v3.1.2 Server L1
1.3.1 Ensure AIDE is installed | Unix | CIS CentOS 7 v3.1.2 Workstation L1
1.3.1 Ensure AIDE is installed | Unix | CIS Oracle Linux 8 Server L1 v2.0.0
1.3.1 Ensure AIDE is installed | Unix | CIS Oracle Linux 8 Workstation L1 v2.0.0
1.3.1 Ensure AIDE is installed | Unix | CIS Red Hat EL7 Workstation L1 v3.1.1
1.3.1 Ensure AIDE is installed | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Workstation
1.3.1 Ensure AIDE is installed | Unix | CIS AlmaLinux OS 8 Workstation L1 v2.0.0