800-53|AU-4(1)

Title

TRANSFER TO ALTERNATE STORAGE

Description

The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.

Supplemental

Off-loading is a process designed to preserve the confidentiality and integrity of audit records by moving the records from the primary information system to a secondary or alternate system. It is a common process in information systems with limited audit storage capacity; the audit storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system designated for storing the audit records, at which point the information is transferred.

Reference Item Details

Category: AUDIT AND ACCOUNTABILITY

Parent Title: AUDIT STORAGE CAPACITY

Family: AUDIT AND ACCOUNTABILITY

Audit Items


| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.6.3 Prevent Syslog from accepting messages from the network | Unix | CIS HP-UX 11i v1.5 |
| 3.200 - The system must be configured to use the au-remote plugin. | Unix | Tenable Fedora Linux Best Practices v2.0.0 |
| 3.201 - The system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon - direction | Unix | Tenable Fedora Linux Best Practices v2.0.0 |
| 3.201 - The system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon - path | Unix | Tenable Fedora Linux Best Practices v2.0.0 |
| 3.201 - The system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon - type | Unix | Tenable Fedora Linux Best Practices v2.0.0 |
| 3.0211 - The system must label all off-loaded audit logs before sending them to the central log server. | Unix | Tenable Fedora Linux Best Practices v2.0.0 |
| 4.1.1.1 Ensure auditd is installed | Unix | CIS Ubuntu Linux 20.04 LTS Server L2 v1.0.0 |
| 4.1.1.1 Ensure auditd is installed | Unix | CIS Ubuntu Linux 20.04 LTS Workstation L2 v1.0.0 |
| 4.1.2.3 Ensure audit system is set to single when the disk is full. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 4.1.2.6 Ensure audit system action is defined for sending errors | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 4.1.2.8 Ensure audit logs are stored on a different system. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 4.1.2.9 Ensure audit logs on separate system are encrypted. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 4.1.2.11 Ensure off-load of audit logs - direction | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 4.1.2.11 Ensure off-load of audit logs - path | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 4.1.2.11 Ensure off-load of audit logs - type | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 4.1.2.12 Ensure action is taken when audisp-remote buffer is full | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 4.1.2.13 Ensure off-loaded audit logs are labeled. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 4.7 Enable use of the au-remote plugin | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3 |
| 4.8 Ensure off-load of audit logs - direction | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3 |
| 4.8 Ensure off-load of audit logs - path | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3 |
| 4.8 Ensure off-load of audit logs - type | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3 |
| 4.10 Ensure off-loaded audit logs are labeled. | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3 |
| 4.10 init.ora - 'Establish redundant physically separate locations for redo log files.' | Unix | CIS v1.1.0 Oracle 11g OS L1 |
| 4.10 init.ora - 'Establish redundant physically separate locations for redo log files.' | Windows | CIS v1.1.0 Oracle 11g OS Windows Level 1 |
| 4.11 init.ora - 'Establish redundant physically separate locations for redo log files.' | Unix | CIS Oracle 9/10 OS Audit L1 v2.01 |
| 4.11 init.ora - 'Specify redo logging must be successful.' | Windows | CIS v1.1.0 Oracle 11g OS Windows Level 1 |
| 20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly' | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG MS |
| 20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly' | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG DC |
| AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - backuppath | Unix | DISA STIG AIX 7.x v2r3 |
| AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - backuppath | Unix | DISA STIG AIX 7.x v2r1 |
| AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - backupsize | Unix | DISA STIG AIX 7.x v2r3 |
| AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - backupsize | Unix | DISA STIG AIX 7.x v2r1 |
| AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - bin1 | Unix | DISA STIG AIX 7.x v2r1 |
| AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - bin1 | Unix | DISA STIG AIX 7.x v2r3 |
| AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - bin2 | Unix | DISA STIG AIX 7.x v2r3 |
| AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - bin2 | Unix | DISA STIG AIX 7.x v2r1 |
| AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - bincompact | Unix | DISA STIG AIX 7.x v2r1 |
| AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - bincompact | Unix | DISA STIG AIX 7.x v2r3 |
| AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - binsize | Unix | DISA STIG AIX 7.x v2r1 |
| AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - binsize | Unix | DISA STIG AIX 7.x v2r3 |
| AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - cmds | Unix | DISA STIG AIX 7.x v2r1 |
| AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - cmds | Unix | DISA STIG AIX 7.x v2r3 |
| AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - freespace | Unix | DISA STIG AIX 7.x v2r1 |
| AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - freespace | Unix | DISA STIG AIX 7.x v2r3 |
| AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - trail | Unix | DISA STIG AIX 7.x v2r1 |
| AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - trail | Unix | DISA STIG AIX 7.x v2r3 |
| AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full. | Unix | DISA STIG AIX 7.x v2r9 |
| AIX7-00-002131 - AIX must implement a remote syslog server that is documented using site-defined procedures. | Unix | DISA STIG AIX 7.x v2r9 |
| AMLS-NM-000400 - The Arista Multilayer Switch must, at a minimum, off-load audit records for interconnected systems in real time - logging host | Arista | DISA STIG Arista MLS DCS-7000 Series NDM v1r3 |
| AMLS-NM-000400 - The Arista Multilayer Switch must, at a minimum, off-load audit records for interconnected systems in real time - trap logging | Arista | DISA STIG Arista MLS DCS-7000 Series NDM v1r3 |