800-53|AU-2

Title

AUDIT EVENTS

Description

The organization:

Supplemental

An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate, in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying the subset of auditable events that are actually audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access, both successful and unsuccessful, but not activate that capability except in specific circumstances because of the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of the root causes of problems. In defining auditable events, organizations also consider the auditing necessary to cover related events, such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures.

Reference Item Details

Related: AC-17, AC-6, AU-12, AU-3, MA-4, MP-2, MP-4, SI-4

Category: AUDIT AND ACCOUNTABILITY

Family: AUDIT AND ACCOUNTABILITY

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1.1 Enable 'aaa new-model' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.1.1.1 Syslog logging should be configured | Palo_Alto | CIS Palo Alto Firewall 11 v1.0.0 L1
1.1.1.1 Syslog logging should be configured - configuration | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1
1.1.1.1 Syslog logging should be configured - configuration | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
1.1.1.1 Syslog logging should be configured - hip match | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
1.1.1.1 Syslog logging should be configured - hip match | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1
1.1.1.1 Syslog logging should be configured - host | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
1.1.1.1 Syslog logging should be configured - host | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1
1.1.1.1 Syslog logging should be configured - ip-tag | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
1.1.1.1 Syslog logging should be configured - ip-tag | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1
1.1.1.1 Syslog logging should be configured - system | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
1.1.1.1 Syslog logging should be configured - system | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1
1.1.1.1 Syslog logging should be configured - user-id | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
1.1.1.1 Syslog logging should be configured - user-id | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1
1.1.1.2 SNMPv3 traps should be configured | Palo_Alto | CIS Palo Alto Firewall 11 v1.0.0 L2
1.1.1.2 SNMPv3 traps should be configured - configuration | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L2
1.1.1.2 SNMPv3 traps should be configured - configuration | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L2
1.1.1.2 SNMPv3 traps should be configured - hip match | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L2
1.1.1.2 SNMPv3 traps should be configured - hip match | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L2
1.1.1.2 SNMPv3 traps should be configured - host | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L2
1.1.1.2 SNMPv3 traps should be configured - host | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L2
1.1.1.2 SNMPv3 traps should be configured - ip-tag | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L2
1.1.1.2 SNMPv3 traps should be configured - ip-tag | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L2
1.1.1.2 SNMPv3 traps should be configured - user-id | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L2
1.1.1.2 SNMPv3 traps should be configured - user-id | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L2
1.1.3 Ensure 'Enable Log on High DP Load' is enabled | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1
1.1.3 Ensure 'Enable Log on High DP Load' is enabled | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
1.1.3 Ensure 'Enable Log on High DP Load' is enabled | Palo_Alto | CIS Palo Alto Firewall 11 v1.0.0 L1
1.1.3 Ensure auditing is configured for the Docker daemon | Unix | CIS Docker v1.6.0 L1 Docker Linux
1.1.3 Ensure auditing is configured for the Docker daemon | Unix | CIS Docker v1.6.0 L2 Docker Linux
1.1.8 Set 'aaa accounting exec' | Cisco | CIS Cisco IOS 17 L2 v2.0.0
1.1.8 Set 'aaa accounting exec' - aaa accounting exec | Cisco | CIS Cisco IOS 16 L2 v2.0.0
1.1.9 Set 'aaa accounting exec' | Cisco | CIS Cisco IOS 15 L2 v4.1.1
1.1.9 Set 'aaa accounting network' | Cisco | CIS Cisco IOS 17 L2 v2.0.0
1.1.9 Set 'aaa accounting network' - aaa accounting network | Cisco | CIS Cisco IOS 16 L2 v2.0.0
1.1.10 Set 'aaa accounting network' | Cisco | CIS Cisco IOS 15 L2 v4.1.1
1.1.10 Set 'aaa accounting system' | Cisco | CIS Cisco IOS 17 L2 v2.0.0
1.1.10 Set 'aaa accounting system' - aaa accounting system | Cisco | CIS Cisco IOS 16 L2 v2.0.0
1.1.11 Set 'aaa accounting system' | Cisco | CIS Cisco IOS 15 L2 v4.1.1
1.2.1 Ensure AIDE is installed | Unix | CIS Debian 10 Workstation L1 v2.0.0
1.2.1 Ensure AIDE is installed | Unix | CIS Debian 10 Server L1 v2.0.0
1.2.1 Ensure AIDE is installed | Unix | CIS Ubuntu Linux 20.04 LTS Workstation L1 v2.0.1
1.2.1 Ensure AIDE is installed | Unix | CIS Ubuntu Linux 20.04 LTS Server L1 v2.0.1
1.2.1 Ensure dm-verity is enabled | Unix | CIS Google Container-Optimized OS L1 Server v1.1.0
1.2.17 Ensure that the --audit-log-path argument is set | Unix | CIS Kubernetes Benchmark v1.8.0 L1 Master
1.2.18 Ensure that the --audit-log-path argument is set | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.18 Ensure that the --audit-log-path argument is set | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.21 Ensure that the --audit-log-path argument is set | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.21 Ensure that the audit logs are forwarded off the cluster for retention | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.3.1 Ensure AIDE is installed | Unix | CIS Red Hat EL9 Server L1 v1.0.0