800-53|AU-6

Title

AUDIT REVIEW, ANALYSIS, AND REPORTING

Description

The organization:

Supplemental

Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority.

Reference Item Details

Related: AC-17,AC-2,AC-3,AC-6,AT-3,AU-16,AU-7,CA-7,CM-10,CM-11,CM-5,IA-3,IA-5,IR-5,IR-6,MA-4,MP-4,PE-14,PE-16,PE-3,PE-6,RA-5,SC-18,SC-19,SC-7,SI-3,SI-4,SI-7

Category: AUDIT AND ACCOUNTABILITY

Family: AUDIT AND ACCOUNTABILITY

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items


| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1.9 Set 'aaa accounting exec' | Cisco | CIS Cisco IOS 16 L2 v1.1.2 |
| 1.1.10 Set 'aaa accounting network' | Cisco | CIS Cisco IOS 16 L2 v1.1.2 |
| 1.1.11 Set 'aaa accounting system' | Cisco | CIS Cisco IOS 16 L2 v1.1.2 |
| 1.2.17 Ensure that the --profiling argument is set to false | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master |
| 1.2.17 Ensure that the --profiling argument is set to false | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master |
| 1.2.20 Ensure that the --profiling argument is set to false | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master |
| 1.6.4 Configure NTP Authentication | Cisco | CIS Cisco NX-OS L2 v1.0.0 |
| 1.7 Ensure logging data is monitored | Juniper | CIS Juniper OS Benchmark v2.1.0 L1 |
| 2.1 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project - allServices | GCP | CIS Google Cloud Platform v1.1.0 L1 |
| 2.1 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project - exemptedMembers | GCP | CIS Google Cloud Platform v1.1.0 L1 |
| 2.2.4 Set IP address for 'logging host' | Cisco | CIS Cisco IOS 17 L1 v1.0.0 |
| 2.2.4 Set IP address for 'logging host' | Cisco | CIS Cisco IOS 16 L1 v1.1.2 |
| 2.2.4 Set IP address for 'logging host' | Cisco | CIS Cisco IOS 15 L1 v4.1.1 |
| 2.3 Ensure that retention policies on log buckets are configured using Bucket Lock | GCP | CIS Google Cloud Platform v1.1.0 L1 |
| 2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 12.0 Monterey v1.1.0 L1 |
| 2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 11 v2.1.0 L1 |
| 2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 10.15 v2.1.0 L1 |
| 2.5.2.2 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 10.14 v2.0.0 L1 |
| 2.12 Ensure that Cloud DNS logging is enabled for all VPC networks - dns policies | GCP | CIS Google Cloud Platform v1.1.0 L1 |
| 2.12 Ensure that Cloud DNS logging is enabled for all VPC networks - vpc networks | GCP | CIS Google Cloud Platform v1.1.0 L1 |
| 2.12.8 - Miscellaneous Config - enable sar accounting - 'activity reports are generated every 20 minutes or less on weekday 8a-5p' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0 |
| 2.12.8 - Miscellaneous Config - enable sar accounting - 'activity reports are generated hourly on weekday 6p-7a' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0 |
| 2.12.8 - Miscellaneous Config - enable sar accounting - 'activity reports are generated hourly on weekends' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0 |
| 2.12.8 - Miscellaneous Config - enable sar accounting - 'daily summaries are being prepared' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0 |
| 2.13 Ensure centralized and remote logging is configured | Unix | CIS Docker v1.3.1 L2 Docker Linux |
| 3.1.4.1 If VLAN interfaces have IP addreses, configure anti spoofing / ingress filtering protections | Cisco | CIS Cisco NX-OS L2 v1.0.0 |
| 3.1.4.1 If VLAN interfaces have IP addreses, configure anti spoofing / ingress filtering protections | Cisco | CIS Cisco NX-OS L1 v1.0.0 |
| 3.2 Ensure CloudTrail log file validation is enabled | amazon_aws | CIS Amazon Web Services Foundations L2 1.4.0 |
| 3.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Unix | CIS Google Kubernetes Engine (GKE) v1.1.0 L2 Worker |
| 3.3 Ensure remote logging is configured for ESXi hosts | VMware | CIS VMware ESXi 7.0 v1.1.0 Level 1 |
| 3.3 Ensure remote logging is configured for ESXi hosts | VMware | CIS VMware ESXi 6.7 v1.2.0 Level 1 |
| 3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs - 'log group is configured' | amazon_aws | CIS Amazon Web Services Foundations L1 1.4.0 |
| 3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs - 'LogWatch Log Delivery' | amazon_aws | CIS Amazon Web Services Foundations L1 1.4.0 |
| 3.7 Ensure proxies pass source IP information | Unix | CIS NGINX Benchmark v1.0.0 L1 Loadbalancer |
| 3.7 Ensure proxies pass source IP information | Unix | CIS NGINX Benchmark v1.0.0 L1 Proxy |
| 3.7 Ensure proxies pass source IP information - X-Real-IP | Unix | CIS NGINX Benchmark v1.0.0 L1 Proxy |
| 3.7 Ensure proxies pass source IP information - X-Real-IP | Unix | CIS NGINX Benchmark v1.0.0 L1 Loadbalancer |
| 3.7.1.2 Configuring syslog - remote logging - *.info;auth.none in /etc/syslog.conf | Unix | CIS IBM AIX 7.1 L2 v2.0.0 |
| 3.7.1.2 Configuring syslog - remote logging - auth.info in /etc/syslog.conf | Unix | CIS IBM AIX 7.1 L2 v2.0.0 |
| 3.7.1.3 Configuring syslog - remote messages | Unix | CIS IBM AIX 7.1 L2 v2.0.0 |
| 3.8 Ensure Web Tier Elastic Load Balancer has application layer Health Check Configured | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 |
| 3.9 Ensure App Tier Elastic Load Balancer has application layer Health Check Configured | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 |
| 20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited' | Windows | CIS Microsoft Windows Server 2016 STIG DC STIG v1.1.0 |
| 20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited' | Windows | CIS Microsoft Windows Server 2019 STIG DC STIG v1.0.1 |
| 20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited' | Windows | CIS Microsoft Windows Server 2019 STIG MS STIG v1.0.1 |
| 20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited' | Windows | CIS Microsoft Windows Server 2016 STIG MS STIG v1.1.0 |
| 20.38 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly' | Windows | CIS Microsoft Windows Server 2019 STIG DC STIG v1.0.1 |
| 20.38 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly' | Windows | CIS Microsoft Windows Server 2019 STIG MS STIG v1.0.1 |
| 20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly' | Windows | CIS Microsoft Windows Server 2016 STIG DC STIG v1.1.0 |
| 20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly' | Windows | CIS Microsoft Windows Server 2016 STIG MS STIG v1.1.0 |