800-53|AU-5a.

Title

RESPONSE TO AUDIT PROCESSING FAILURES

Description

Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and

Reference Item Details

Category: AUDIT AND ACCOUNTABILITY

Family: AUDIT AND ACCOUNTABILITY

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
3.092 - The system must generate an audit event when the audit log reaches a percentage of full threshold. | Windows | DISA Windows Vista STIG v6r41
4.1.2.10 Ensure the auditing processing failures are handled - System Administrator [SA] and Information System Security Officer [ISSO] at a minimum in the event of an audit processing failure. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.4 Ensure audit system is set to single when the disk is full. | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
AIX7-00-002008 - AIX must be configured to generate an audit record when 75% of the audit file system is full. | Unix | DISA STIG AIX 7.x v2r6
AS24-U1-000160 - The Apache web server must use a logging mechanism that is configured to alert the Information System Security Officer (ISSO) and System Administrator (SA) in the event of a processing failure. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5
AS24-U1-000160 - The Apache web server must use a logging mechanism that is configured to alert the Information System Security Officer (ISSO) and System Administrator (SA) in the event of a processing failure. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5 Middleware
AS24-W1-000160 - The Apache web server must use a logging mechanism that is configured to alert the (ISSO) and System Administrator (SA) in the event of a processing failure. | Windows | DISA STIG Apache Server 2.4 Windows Server v2r2
Big Sur - Alert Audit Processing Failure | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
Catalina - Alert Audit Processing Failure | Unix | NIST macOS Catalina v1.5.0 - All Profiles
DKER-EE-001590 - Docker Enterprise must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | Unix | DISA STIG Docker Enterprise 2.x Linux/Unix v2r1
F5BI-DM-000067 - The BIG-IP appliance must be configured to alert the ISSO and SA (at a minimum) in the event of an audit processing failure - at a minimum in the event of an audit processing failure. | F5 | DISA F5 BIG-IP Device Management 11.x STIG v2r1
GEN002719 - The audit system must alert the SA in the event of an audit processing failure - '/etc/audit/auditd.conf disk_error_action' | Unix | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit
GEN002719 - The audit system must alert the SA in the event of an audit processing failure - '/etc/audit/auditd.conf disk_error_action' | Unix | DISA STIG for Oracle Linux 5 v2r1
GEN002719 - The audit system must alert the SA in the event of an audit processing failure - '/etc/audit/auditd.conf disk_full_action' | Unix | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit
GEN002719 - The audit system must alert the SA in the event of an audit processing failure - '/etc/audit/auditd.conf disk_full_action' | Unix | DISA STIG for Oracle Linux 5 v2r1
GEN002719 - The audit system must alert the SA in the event of an audit processing failure. | Unix | DISA STIG Solaris 10 X86 v2r2
GEN002719 - The audit system must alert the SA in the event of an audit processing failure. | Unix | DISA STIG Solaris 10 SPARC v2r2
IIST-SI-000206 - Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled. | Windows | DISA IIS 10.0 Site v2r5
IIST-SV-000103 - Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web server must be enabled. | Windows | DISA IIS 10.0 Server v2r5
IISW-SI-000206 - Both the log file and Event Tracing for Windows (ETW) for each IIS 8.5 website must be enabled. | Windows | DISA IIS 8.5 Site v2r5
IISW-SV-000103 - Both the log file and Event Tracing for Windows (ETW) for the IIS 8.5 web server must be enabled. | Windows | DISA IIS 8.5 Server v2r3
Monterey - Alert Audit Processing Failure | Unix | NIST macOS Monterey v1.0.0 - All Profiles
OL6-00-000313 - The audit system must identify staff members to receive notifications of audit log storage volume capacity issues. | Unix | DISA STIG Oracle Linux 6 v2r6
OL08-00-030020 - The OL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. | Unix | DISA Oracle Linux 8 STIG v1r2
OL08-00-030030 - The OL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure. | Unix | DISA Oracle Linux 8 STIG v1r2
PHTN-67-000013 - The Photon operating system audit log must log space limit problems to syslog. | Unix | DISA STIG VMware vSphere 6.7 Photon OS v1r3
RHEL-06-000313 - The audit system must identify staff members to receive notifications of audit log storage volume capacity issues. | Unix | DISA Red Hat Enterprise Linux 6 STIG v2r2
RHEL-08-030020 - The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. | Unix | DISA Red Hat Enterprise Linux 8 STIG v1r7
RHEL-08-030030 - The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure. | Unix | DISA Red Hat Enterprise Linux 8 STIG v1r7
SLES-12-020040 - The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event. | Unix | DISA SLES 12 STIG v2r7
SLES-12-020050 - The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure - monitored e-mail account | Unix | DISA SLES 12 STIG v2r7
SLES-12-020050 - The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure - postmaster | Unix | DISA SLES 12 STIG v2r7
SLES-15-030570 - The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event. | Unix | DISA SLES 15 STIG v1r6
SLES-15-030580 - The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure - monitored e-mail account | Unix | DISA SLES 15 STIG v1r6
SLES-15-030580 - The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure - postmaster | Unix | DISA SLES 15 STIG v1r6
SOL-11.1-010390 - The operating system must alert designated organizational officials in the event of an audit processing failure. | Unix | DISA STIG Solaris 11 SPARC v2r6
SOL-11.1-010390 - The operating system must alert designated organizational officials in the event of an audit processing failure. | Unix | DISA STIG Solaris 11 X86 v2r6
TCAT-AS-001731 - The application server must alert the SA and ISSO, at a minimum, in the event of a log processing failure. | Unix | DISA STIG Apache Tomcat Application Server 9 v2r4 Middleware
TCAT-AS-001731 - The application server must alert the SA and ISSO, at a minimum, in the event of a log processing failure. | Unix | DISA STIG Apache Tomcat Application Server 9 v2r4
UBTU-16-020040 - The System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. | Unix | DISA STIG Ubuntu 16.04 LTS v2r3
UBTU-16-030700 - The Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure. | Unix | DISA STIG Ubuntu 16.04 LTS v2r3
UBTU-18-010300 - The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure - at a minimum in the event of an audit processing failure | Unix | DISA STIG Ubuntu 18.04 LTS v2r8
UBTU-20-010117 - The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | Unix | DISA STIG Ubuntu 20.04 LTS v1r5
VCTR-67-000008 - The vCenter Server must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events. | VMware | DISA STIG VMware vSphere 6.7 vCenter v1r2
VCUI-67-000027 - vSphere UI log files must be moved to a permanent repository in accordance with site policy - access | Unix | DISA STIG VMware vSphere 6.7 UI Tomcat v1r2
VCUI-67-000027 - vSphere UI log files must be moved to a permanent repository in accordance with site policy - runtime | Unix | DISA STIG VMware vSphere 6.7 UI Tomcat v1r2
VCWN-06-000008 - The system must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events. | VMware | DISA STIG VMware vSphere vCenter 6.x v1r4
VCWN-65-000008 - The vCenter Server for Windows must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events. | VMware | DISA STIG VMware vSphere vCenter 6.5 v2r2
WBLC-02-000083 - Oracle WebLogic must provide a real-time alert when organization-defined audit failure events occur - Module-HealthState | Unix | Oracle WebLogic Server 12c Linux v2r1 Middleware
WBLC-02-000083 - Oracle WebLogic must provide a real-time alert when organization-defined audit failure events occur - Module-HealthState | Unix | Oracle WebLogic Server 12c Linux v2r1