800-53|AU-9

Title

PROTECTION OF AUDIT INFORMATION

Description

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

Supplemental

Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls.

Reference Item Details

Related: AC-3,AC-6,MP-2,MP-4,PE-2,PE-3,PE-6

Category: AUDIT AND ACCOUNTABILITY

Family: AUDIT AND ACCOUNTABILITY

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1.11 Ensure separate partition exists for /var/log/auditUnixCIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
1.1.11 Ensure separate partition exists for /var/log/auditUnixCIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
1.1.13 Ensure separate partition exists for /var/log/auditUnixCIS Amazon Linux 2 STIG v1.0.0 L2
1.2.8 Ensure that the --authorization-mode argument includes RBACUnixCIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.8 Ensure that the --authorization-mode argument includes RBACUnixCIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.8 Ensure that the --authorization-mode argument includes RBACUnixCIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.8 Ensure that the --authorization-mode argument includes RBACUnixCIS Kubernetes Benchmark v1.8.0 L1 Master
1.2.8 Verify that RBAC is enabledOpenShiftCIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.19 Ensure that the healthz endpoint is protected by RBACOpenShiftCIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.3.1 Ensure that controller manager healthz endpoints are protected by RBACOpenShiftCIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.3.3 Ensure that the --use-service-account-credentials argument is set to trueUnixCIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.3.3 Ensure that the --use-service-account-credentials argument is set to trueUnixCIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.3.3 Ensure that the --use-service-account-credentials argument is set to trueUnixCIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.3.3 Ensure that the --use-service-account-credentials argument is set to trueUnixCIS Kubernetes Benchmark v1.8.0 L1 Master
1.3.10 Ensure 'Password Profiles' do not existPalo_AltoCIS Palo Alto Firewall 10 v1.1.0 L1
1.4 Ensure 'application pool identity' is configured for all application poolsWindowsCIS IIS 10 v1.2.1 Level 1
1.4 Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Managementmicrosoft_azureCIS Microsoft Azure Foundations v2.0.0 L2
1.4.1 Ensure that the healthz endpoints for the scheduler are protected by RBACOpenShiftCIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.5 Ensure Guest Users Are Reviewed on a Regular Basismicrosoft_azureCIS Microsoft Azure Foundations v2.0.0 L1
1.5.7 Ensure that the --wal-dir argument is set as appropriateUnixCIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.5.7 Ensure that the --wal-dir argument is set as appropriateUnixCIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.5.8 Ensure that the --max-wals argument is set to 0UnixCIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.5.8 Ensure that the --max-wals argument is set to 0UnixCIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.10.4 Ensure 'syslog hosts' is configured correctlyCiscoCIS Cisco Firewall v8.x L1 v4.2.0
1.15 Ensure IAM Users Receive Permissions Only Through Groupsamazon_awsCIS Amazon Web Services Foundations L1 2.0.0
1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'microsoft_azureCIS Microsoft Azure Foundations v2.0.0 L1
1.16 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'microsoft_azureCIS Microsoft Azure Foundations v2.0.0 L2
1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'microsoft_azureCIS Microsoft Azure Foundations v2.0.0 L1
1.18 Ensure IAM instance roles are used for AWS resource access from instancesamazon_awsCIS Amazon Web Services Foundations L2 2.0.0
1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'microsoft_azureCIS Microsoft Azure Foundations v2.0.0 L2
1.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'microsoft_azureCIS Microsoft Azure Foundations v2.0.0 L2
1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'microsoft_azureCIS Microsoft Azure Foundations v2.0.0 L2
1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'microsoft_azureCIS Microsoft Azure Foundations v2.0.0 L2
1.23 Ensure That No Custom Subscription Administrator Roles Existmicrosoft_azureCIS Microsoft Azure Foundations v2.0.0 L1
1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locksmicrosoft_azureCIS Microsoft Azure Foundations v2.0.0 L2
11.1 Ensure SELinux Is Enabled in Enforcing Mode - configUnixCIS Apache HTTP Server 2.4 L2 v2.1.0
11.1 Ensure SELinux Is Enabled in Enforcing Mode - configUnixCIS Apache HTTP Server 2.4 L2 v2.1.0 Middleware
11.1 Ensure SELinux Is Enabled in Enforcing Mode - currentUnixCIS Apache HTTP Server 2.4 L2 v2.1.0 Middleware
11.1 Ensure SELinux Is Enabled in Enforcing Mode - currentUnixCIS Apache HTTP Server 2.4 L2 v2.1.0
17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.1 Ensure 'Audit IPsec Driver' is set to 'Success and Failure'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
17.9.3 (L1) Ensure 'Audit Security State Change' is set to include 'Success'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.3 Ensure 'Audit Security State Change' is set to include 'Success'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
17.9.4 (L1) Ensure 'Audit Security System Extension' is set to include 'Success'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.4 Ensure 'Audit Security System Extension' is set to include 'Success'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.5 Ensure 'Audit System Integrity' is set to 'Success and Failure'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
18.4.13 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker