Detections
Analytics

800-53|AU-5

Title

RESPONSE TO AUDIT PROCESSING FAILURES

Description

The information system:

Supplemental

Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

Reference Item Details

Related: AU-4,SI-12

Category: AUDIT AND ACCOUNTABILITY

Family: AUDIT AND ACCOUNTABILITY

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1.3.2.1 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled'WindowsCIS Windows 8 L1 v1.0.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'WindowsCIS Windows 7 Workstation Level 1 v3.2.0
3.092 - The system must generate an audit event when the audit log reaches a percentage of full threshold.WindowsDISA Windows Vista STIG v6r41
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct is configured'UnixCIS Amazon Linux v2.1.0 L2
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct'UnixCIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct'UnixCIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'admin_space_left_action'UnixCIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'admin_space_left_action'UnixCIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'admin_space_left_action'UnixCIS Amazon Linux v2.1.0 L2
4.1.1.2 Ensure system is disabled when audit logs are full - 'space_left_action is configured'UnixCIS Amazon Linux v2.1.0 L2
4.1.1.2 Ensure system is disabled when audit logs are full - 'space_left_action'UnixCIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'space_left_action'UnixCIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
4.1.1.3 Ensure audit logs are not automatically deletedUnixCIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
4.1.1.3 Ensure audit logs are not automatically deletedUnixCIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
4.1.2.2 Ensure audit logs are not automatically deletedUnixCIS Ubuntu Linux 18.04 LTS Server L2 v2.1.0
4.1.2.2 Ensure audit logs are not automatically deletedUnixCIS Ubuntu Linux 18.04 LTS Workstation L2 v2.1.0
4.1.2.3 Ensure system is disabled when audit logs are full - 'action_mail_acct = root'UnixCIS Ubuntu Linux 18.04 LTS Workstation L2 v2.1.0
4.1.2.3 Ensure system is disabled when audit logs are full - 'action_mail_acct = root'UnixCIS Ubuntu Linux 18.04 LTS Server L2 v2.1.0
4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'UnixCIS Ubuntu Linux 18.04 LTS Workstation L2 v2.1.0
4.1.2.3 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'UnixCIS Ubuntu Linux 18.04 LTS Server L2 v2.1.0
4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email'UnixCIS Ubuntu Linux 18.04 LTS Workstation L2 v2.1.0
4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email'UnixCIS Ubuntu Linux 18.04 LTS Server L2 v2.1.0
4.1.2.4 Ensure system notification is sent out when volume is 75% full - SA and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.5 Ensure system is disabled when audit logs are full - at a minimum via email when the threshold for the repository maximum audit record storage capacity is reached.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.5 Ensure system is disabled when audit logs are full - at a minimum when the threshold for the repository maximum audit record storage capacity is reached.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.20 Ensure the auditing processing failures are handled.UnixCIS Amazon Linux 2 STIG v1.0.0 L3
4.9 Enable Kernel Level Auditing, Check if 'minfree:20' is set in /etc/security/audit_control.UnixCIS Solaris 10 L1 v5.2
5.8 Enable kernel-level auditing, Check if 'minfree:20' is set in /etc/security/audit_control.UnixCIS Solaris 9 v1.3
8.1.1.2 Disable System on Audit Log Full - 'action_mail_acct is configured'UnixCIS Ubuntu 12.04 LTS Benchmark L2 v1.1.0
8.1.1.2 Disable System on Audit Log Full - 'admin_space_left_action = halt'UnixCIS Ubuntu 12.04 LTS Benchmark L2 v1.1.0
8.1.1.2 Disable System on Audit Log Full - action_mail_acct = rootUnixCIS Debian Linux 7 L2 v1.0.0
8.1.1.2 Disable System on Audit Log Full - admin_space_left_action = haltUnixCIS Debian Linux 7 L2 v1.0.0
8.1.1.2 Disable System on Audit Log Full - space_left_action = emailUnixCIS Debian Linux 7 L2 v1.0.0
8.1.1.2 Disable System on Audit Log Full- 'space_left_action = email'UnixCIS Ubuntu 12.04 LTS Benchmark L2 v1.1.0
8.1.1.3 Keep All Auditing InformationUnixCIS Ubuntu 12.04 LTS Benchmark L2 v1.1.0
AOSX-13-000310 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.UnixDISA STIG Apple Mac OSX 10.13 v2r5
AOSX-14-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.UnixDISA STIG Apple Mac OSX 10.14 v2r6
AOSX-15-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.UnixDISA STIG Apple Mac OSX 10.15 v1r10
APPL-11-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.UnixDISA STIG Apple macOS 11 v1r5
APPL-11-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.UnixDISA STIG Apple macOS 11 v1r8
APPL-12-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.UnixDISA STIG Apple macOS 12 v1r8
APPL-13-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.UnixDISA STIG Apple macOS 13 v1r3
ARST-ND-000790 - The Arista network device must be configured to capture all DOD auditable events.AristaDISA STIG Arista MLS EOS 4.2x NDM v1r1
AS24-U1-000160 - The Apache web server must use a logging mechanism that is configured to alert the Information System Security Officer (ISSO) and System Administrator (SA) in the event of a processing failure.UnixDISA STIG Apache Server 2.4 Unix Server v2r6 Middleware
AS24-U1-000160 - The Apache web server must use a logging mechanism that is configured to alert the Information System Security Officer (ISSO) and System Administrator (SA) in the event of a processing failure.UnixDISA STIG Apache Server 2.4 Unix Server v2r6
Audit: Shut down system immediately if unable to log security auditsWindowsMSCT Windows Server 2012 R2 DC v1.0.0
Audit: Shut down system immediately if unable to log security auditsWindowsMSCT Windows Server 2012 R2 MS v1.0.0
Big Sur - Configure Audit Capacity WarningUnixNIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Configure Audit Capacity WarningUnixNIST macOS Big Sur v1.4.0 - All Profiles