800-53|AU-4(1)

Title

TRANSFER TO ALTERNATE STORAGE

Description

The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.

Supplemental

Off-loading is a process designed to preserve the confidentiality and integrity of audit records by moving the records from the primary information system to a secondary or alternate system. It is a common process in information systems with limited audit storage capacity; the audit storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system designated for storing the audit records, at which point the information is transferred.

Reference Item Details

Category: AUDIT AND ACCOUNTABILITY

Parent Title: AUDIT STORAGE CAPACITY

Family: AUDIT AND ACCOUNTABILITY

Audit Items

Name | Plugin | Audit Name
4.1.1.1 Ensure auditd is installed | Unix | CIS Ubuntu Linux 18.04 LTS Workstation L2 v2.1.0
4.1.1.1 Ensure auditd is installed | Unix | CIS Ubuntu Linux 18.04 LTS Server L2 v2.1.0
4.1.2.3 Ensure audit system is set to single when the disk is full. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.6 Ensure audit system action is defined for sending errors | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.8 Ensure audit logs are stored on a different system. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.9 Ensure audit logs on separate system are encrypted. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.11 Ensure off-load of audit logs - direction | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.11 Ensure off-load of audit logs - path | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.11 Ensure off-load of audit logs - type | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.12 Ensure action is taken when audisp-remote buffer is full | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.13 Ensure off-loaded audit logs are labeled. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.7 Enable use of the au-remote plugin | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
4.8 Ensure off-load of audit logs - direction | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
4.8 Ensure off-load of audit logs - path | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
4.8 Ensure off-load of audit logs - type | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
4.10 Ensure off-loaded audit logs are labeled. | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
4.10 init.ora - 'Establish redundant physically separate locations for redo log files.' | Unix | CIS v1.1.0 Oracle 11g OS L1
4.10 init.ora - 'Establish redundant physically separate locations for redo log files.' | Windows | CIS v1.1.0 Oracle 11g OS Windows Level 1
4.11 init.ora - 'Specify redo logging must be successful.' | Windows | CIS v1.1.0 Oracle 11g OS Windows Level 1
AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - backuppath | Unix | DISA STIG AIX 7.x v2r5
AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - backupsize | Unix | DISA STIG AIX 7.x v2r5
AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - bin1 | Unix | DISA STIG AIX 7.x v2r5
AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - bin2 | Unix | DISA STIG AIX 7.x v2r5
AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - bincompact | Unix | DISA STIG AIX 7.x v2r5
AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - binsize | Unix | DISA STIG AIX 7.x v2r5
AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - cmds | Unix | DISA STIG AIX 7.x v2r5
AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - freespace | Unix | DISA STIG AIX 7.x v2r5
AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full - trail | Unix | DISA STIG AIX 7.x v2r5
AIX7-00-002131 - AIX must implement a remote syslog server that is documented using site-defined procedures. | Unix | DISA STIG AIX 7.x v2r5
AMLS-NM-000400 - The Arista Multilayer Switch must, at a minimum, off-load audit records for interconnected systems in real time - logging host | Arista | DISA STIG Arista MLS DCS-7000 Series NDM v1r3
AMLS-NM-000400 - The Arista Multilayer Switch must, at a minimum, off-load audit records for interconnected systems in real time - trap logging | Arista | DISA STIG Arista MLS DCS-7000 Series NDM v1r3
AS24-U1-000720 - The Apache web server must not impede the ability to write specified log record content to an audit log server. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5 Middleware
AS24-U1-000720 - The Apache web server must not impede the ability to write specified log record content to an audit log server. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5
AS24-U1-000730 - The Apache web server must be configured to integrate with an organization's security infrastructure. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5
AS24-U1-000730 - The Apache web server must be configured to integrate with an organization's security infrastructure. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5 Middleware
AS24-W1-000720 - The Apache web server must not impede the ability to write specified log record content to an audit log server. | Windows | DISA STIG Apache Server 2.4 Windows Server v2r2
AS24-W1-000730 - The Apache web server must be configurable to integrate with an organization's security infrastructure. | Windows | DISA STIG Apache Server 2.4 Windows Server v2r2
Auditing and logging - server | ArubaOS | ArubaOS Switch 16.x Hardening Guide v1.0.0
Big Sur - Off-Load Audit Records | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
CASA-ND-001260 - The Cisco ASA must be configured to offload audit records onto a different system or media than the system being audited - logging host | Cisco | DISA STIG Cisco ASA NDM v1r1
CASA-ND-001260 - The Cisco ASA must be configured to offload audit records onto a different system or media than the system being audited - logging trap | Cisco | DISA STIG Cisco ASA NDM v1r1
CISC-ND-001310 - The Cisco router must be configured to off-load log records onto a different system than the system being audited - trap | Cisco | DISA STIG Cisco IOS XE Router NDM v2r3
CISC-ND-001310 - The Cisco router must be configured to off-load log records onto a different system than the system being audited. | Cisco | DISA STIG Cisco IOS-XR Router NDM v2r2
CISC-ND-001310 - The Cisco router must be configured to off-load log records onto a different system than the system being audited. | Cisco | DISA STIG Cisco IOS XE Router NDM v2r3
CISC-ND-001310 - The Cisco switch must be configured to off-load log records onto a different system than the system being audited - logging host | Cisco | DISA STIG Cisco IOS Switch NDM v2r3
CISC-ND-001310 - The Cisco switch must be configured to off-load log records onto a different system than the system being audited - logging host | Cisco | DISA STIG Cisco IOS XE Switch NDM v2r2
CISC-ND-001310 - The Cisco switch must be configured to off-load log records onto a different system than the system being audited - logging trap | Cisco | DISA STIG Cisco IOS XE Switch NDM v2r2
CISC-ND-001310 - The Cisco switch must be configured to off-load log records onto a different system than the system being audited - logging trap | Cisco | DISA STIG Cisco IOS Switch NDM v2r3
CISC-ND-001310 - The Cisco switch must be configured to off-load log records onto a different system than the system being audited. | Cisco | DISA STIG Cisco NX-OS Switch NDM v2r3
CISC-ND-001450 - The Cisco router must be configured to send log data to a syslog server for the purpose of forwarding alerts to the administrators and the ISSO. | Cisco | DISA STIG Cisco IOS Router NDM v2r4