800-53|AU-6

Title

AUDIT REVIEW, ANALYSIS, AND REPORTING

Description

The organization:

Supplemental

Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority.

Reference Item Details

Related: AC-17, AC-2, AC-3, AC-6, AT-3, AU-16, AU-7, CA-7, CM-10, CM-11, CM-5, IA-3, IA-5, IR-5, IR-6, MA-4, MP-4, PE-14, PE-16, PE-3, PE-6, RA-5, SC-18, SC-19, SC-7, SI-3, SI-4, SI-7

Category: AUDIT AND ACCOUNTABILITY

Family: AUDIT AND ACCOUNTABILITY

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.2.17 Ensure that the --profiling argument is set to false | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.17 Ensure that the --profiling argument is set to false | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.20 Ensure that the --profiling argument is set to false | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
2.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.0.0 L1
2.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 13.0 Ventura Cloud-tailored v1.1.0 L1
2.1.13 Ensure malware trends are reviewed at least weekly | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v3.1.0
2.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 13.0 Ventura v3.0.0 L1
2.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma v2.0.0 L1
2.2.4 Set IP address for 'logging host' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.12.8 - Miscellaneous Config - enable sar accounting - 'activity reports are generated every 20 minutes or less on weekday 8a-5p' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
2.12.8 - Miscellaneous Config - enable sar accounting - 'activity reports are generated hourly on weekday 6p-7a' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
2.12.8 - Miscellaneous Config - enable sar accounting - 'activity reports are generated hourly on weekends' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
2.12.8 - Miscellaneous Config - enable sar accounting - 'daily summaries are being prepared' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
2.13 Ensure centralized and remote logging is configured | Unix | CIS Docker v1.7.0 L2 Docker - Linux
3.1.14 Ensure 'debug_print_parse' is disabled | PostgreSQLDB | CIS PostgreSQL 9.6 DB v1.0.0
3.1.15 Ensure 'debug_print_rewritten' is disabled | PostgreSQLDB | CIS PostgreSQL 9.6 DB v1.0.0
3.1.16 Ensure 'debug_print_parse' is disabled | PostgreSQLDB | CIS PostgreSQL 9.5 DB v1.1.0
3.1.16 Ensure 'debug_print_plan' is disabled | PostgreSQLDB | CIS PostgreSQL 9.6 DB v1.0.0
3.1.17 Ensure 'debug_print_rewritten' is disabled | PostgreSQLDB | CIS PostgreSQL 9.5 DB v1.1.0
3.1.18 Ensure 'debug_print_plan' is disabled | PostgreSQLDB | CIS PostgreSQL 9.5 DB v1.1.0
3.1.21 Ensure 'log_hostname' is set correctly | PostgreSQLDB | CIS PostgreSQL 9.6 DB v1.0.0
3.1.25 Ensure 'log_hostname' is set correctly | PostgreSQLDB | CIS PostgreSQL 9.5 DB v1.1.0
3.1.31 Ensure 'log_parser_stats' is disabled | PostgreSQLDB | CIS PostgreSQL 9.5 DB v1.1.0
3.1.32 Ensure 'log_planner_stats' is disabled | PostgreSQLDB | CIS PostgreSQL 9.5 DB v1.1.0
3.1.33 Ensure 'log_executor_stats' is disabled | PostgreSQLDB | CIS PostgreSQL 9.5 DB v1.1.0
3.1.34 Ensure 'log_statement_stats' is disabled | PostgreSQLDB | CIS PostgreSQL 9.5 DB v1.1.0
3.9 Review and Log Implied Rules | CheckPoint | CIS Check Point Firewall L2 v1.1.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog | Unix | CIS CentOS Linux 8 Workstation L1 v2.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog | Unix | CIS Debian Family Server L1 v1.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog | Unix | CIS Fedora 28 Family Linux Server L1 v2.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog | Unix | CIS Fedora 28 Family Linux Workstation L1 v2.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog | Unix | CIS CentOS Linux 8 Server L1 v2.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog | Unix | CIS Debian Family Workstation L1 v1.0.0
4.2.2.1 Ensure journald is configured to send logs to rsyslog | Unix | CIS SUSE Linux Enterprise 15 Server L1 v1.1.1
4.2.2.1 Ensure journald is configured to send logs to rsyslog | Unix | CIS SUSE Linux Enterprise 15 Workstation L1 v1.1.1
4.2.2.1 Ensure journald is configured to send logs to rsyslog | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Workstation
4.2.2.1 Ensure journald is configured to send logs to rsyslog | Unix | CIS SUSE Linux Enterprise 12 v3.2.0 L1 Server
4.2.2.1 Ensure journald is configured to send logs to rsyslog | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Server
4.2.2.1 Ensure journald is configured to send logs to rsyslog | Unix | CIS SUSE Linux Enterprise 12 v3.2.0 L1 Workstation
4.2.2.5 Ensure journald is not configured to send logs to rsyslog | Unix | CIS CentOS Linux 8 Workstation L1 v2.0.0
4.2.2.5 Ensure journald is not configured to send logs to rsyslog | Unix | CIS Fedora 28 Family Linux Server L1 v2.0.0
4.2.2.5 Ensure journald is not configured to send logs to rsyslog | Unix | CIS CentOS Linux 8 Server L1 v2.0.0
20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited' | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG MS
20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited' | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC
20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited' | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS
20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited' | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly' | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS
20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly' | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly' | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC
20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly' | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG MS