800-53|AU-5

Title

RESPONSE TO AUDIT PROCESSING FAILURES

Description

The information system:

Supplemental

Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

Reference Item Details

Related: AU-4, SI-12

Category: AUDIT AND ACCOUNTABILITY

Family: AUDIT AND ACCOUNTABILITY

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1.1.2.1.75 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.75 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.3.2.1 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.10 Audit: Shut down system immediately if unable to log security audits | Windows | CIS Windows 2008 Enterprise v1.2.0
1.2.10 Audit: Shut down system immediately if unable to log security audits | Windows | CIS Windows 2008 SSLF v1.2.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Windows Server 2012 R2 DC L1 v2.5.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 L1 v2.3.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2016 MS L1 v1.2.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Windows Server 2012 DC L1 v2.1.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Windows Server 2012 R2 DC L1 v2.4.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Windows Server 2012 MS L1 v2.1.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.1.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.1.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.1.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 v3.1.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.1.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2016 DC L1 v1.2.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.1.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 L1 Bitlocker v2.3.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Windows Server 2012 R2 MS L1 v2.4.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Windows Server 2012 R2 MS L1 v2.5.0
3.010 - The system must shut down upon audit processing failure, unless availability is an overriding concern. | Unix | Tenable Fedora Linux Best Practices v2.0.0
3.092 - The system must generate an audit event when the audit log reaches a percentage of full threshold. | Windows | DISA Windows Vista STIG v6r41
3.0210 - The system must take appropriate action when the audisp-remote buffer is full. | Unix | Tenable Fedora Linux Best Practices v2.0.0
3.320 - The audit system must take appropriate action when the audit storage volume is full - disk_full_action | Unix | Tenable Fedora Linux Best Practices v2.0.0
3.321 - The audit system must take appropriate action when there is an error sending audit records to a remote system. | Unix | Tenable Fedora Linux Best Practices v2.0.0
3.330 - The system must immediately notify the SA and ISSO when allocated audit record storage volume reaches 75%. | Unix | Tenable Fedora Linux Best Practices v2.0.0
3.340 - The system must immediately notify the SA and ISSO via email when the threshold for the max audit storage capacity is reached. | Unix | Tenable Fedora Linux Best Practices v2.0.0
3.350 - The system must immediately notify the SA and ISSO when the threshold for the repo max audit record storage capacity is reached | Unix | Tenable Fedora Linux Best Practices v2.0.0
4.1 Ensure a log metric filter and alarm exist for unauthorized API calls - 'alarm exists' | amazon_aws | CIS Amazon Web Services Foundations L1 1.3.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct = root' | Unix | CIS Distribution Independent Linux Workstation L2 v1.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct = root' | Unix | CIS Oracle Linux 6 Server L2 v1.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct = root' | Unix | Huawei EulerOS 2 Server L2 v1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct = root' | Unix | CIS Ubuntu Linux 16.04 LTS Server L2 v1.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct = root' | Unix | CIS Red Hat 6 Server L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct = root' | Unix | CIS Ubuntu Linux 16.04 LTS Workstation L2 v1.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct = root' | Unix | CIS CentOS 6 Server L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct = root' | Unix | CIS CentOS 6 Workstation L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct = root' | Unix | CIS Red Hat 6 Workstation L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct = root' | Unix | CIS Distribution Independent Linux Server L2 v1.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct = root' | Unix | CIS Oracle Linux 6 Workstation L2 v1.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct = root' | Unix | Huawei EulerOS 2 Workstation L2 v1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct is configured' | Unix | CIS Amazon Linux v2.0.0 L2
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct is configured' | Unix | CIS Amazon Linux v2.1.0 L2
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct' | Unix | CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct' | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct' | Unix | CIS Ubuntu Linux 14.04 LTS Server L2 v2.0.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct' | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.0.0