800-53|AU-9(2)

Title

AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS

Description

The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.

Supplemental

This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AU-11,AU-4,AU-5

Category: AUDIT AND ACCOUNTABILITY

Parent Title: PROTECTION OF AUDIT INFORMATION

Family: AUDIT AND ACCOUNTABILITY

Baseline Impact: HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.10.4 Ensure 'syslog hosts' is configured correctly	Cisco	CIS Cisco Firewall ASA 8 L1 v4.1.0
1.10.4 Ensure 'syslog hosts' is configured correctly	Cisco	CIS Cisco Firewall v8.x L1 v4.2.0
2.1.1 - Configuring syslog - local logging - '*.info;auth.none entry exists in /etc/syslog.conf'	Unix	CIS AIX 5.3/6.1 L2 v1.1.0
2.1.1 - Configuring syslog - local logging - '/var/adm/authlog exists'	Unix	CIS AIX 5.3/6.1 L2 v1.1.0
2.1.1 - Configuring syslog - local logging - '/var/adm/syslog exists'	Unix	CIS AIX 5.3/6.1 L2 v1.1.0
2.1.1 - Configuring syslog - local logging - 'auth.info entry exists in /etc/syslog.conf'	Unix	CIS AIX 5.3/6.1 L2 v1.1.0
2.1.2 - Configuring syslog - remote logging - '*.info;auth.none remote entry exists in /etc/syslog.conf'	Unix	CIS AIX 5.3/6.1 L2 v1.1.0
2.1.2 - Configuring syslog - remote logging - 'auth.info remote entry exists in /etc/syslog.conf'	Unix	CIS AIX 5.3/6.1 L2 v1.1.0
2.1.3 - Configuring syslog - remote messages	Unix	CIS AIX 5.3/6.1 L2 v1.1.0
2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
2.12 Configure centralized and remote logging	Unix	CIS Docker 1.12.0 v1.0.0 L2 Docker
2.12 Configure centralized and remote logging	Unix	CIS Docker 1.11.0 v1.0.0 L2 Docker
2.12 Configure centralized and remote logging	Unix	CIS Docker 1.13.0 v1.0.0 L2 Docker
2.12 Enable Secure Logging - 'syslog log-remote-address'	CheckPoint	TNS Check Point GAiA Best Practices
2.12 Ensure centralized and remote logging is configured	Unix	CIS Docker Community Edition v1.1.0 L2 Docker
2.12 Ensure centralized and remote logging is configured	Unix	CIS Docker v1.2.0 L2 Docker Linux
3.1 Ensure a centralized location is configured to collect ESXi host core dumps	Unix	CIS VMware ESXi 6.5 v1.0.0 Level 1 Bare Metal
3.3 Configure remote logging for ESXi hosts	VMware	CIS VMware ESXi 5.5 v1.2.0 Level 1
3.3 Ensure remote logging is configured for ESXi hosts	VMware	CIS VMware ESXi 6.7 v1.1.0 Level 1
3.300 - The system must off-load audit records onto a different system or media from the system being audited.	Unix	Tenable Fedora Linux Best Practices v2.0.0
3.1000 - The system must send rsyslog output to a log aggregation server.	Unix	Tenable Fedora Linux Best Practices v2.0.0
17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.1 Ensure 'Audit IPsec Driver' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
17.9.3 (L1) Ensure 'Audit Security State Change' is set to include 'Success'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.3 Ensure 'Audit Security State Change' is set to include 'Success'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
17.9.4 (L1) Ensure 'Audit Security System Extension' is set to include 'Success'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.4 Ensure 'Audit Security System Extension' is set to include 'Success'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.5 Ensure 'Audit System Integrity' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
18.4.13 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.4.13 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
18.9.81.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'	Windows	CIS Windows Server 2012 DC L1 v2.1.0
18.9.81.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'	Windows	CIS Windows 7 Workstation Level 1 v3.1.0
18.9.81.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'	Windows	CIS Windows Server 2012 R2 DC L1 v2.4.0
18.9.81.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'	Windows	CIS Microsoft Windows Server 2008 Member Server Level 1 v3.1.0
18.9.81.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'	Windows	CIS Microsoft Windows 8.1 L1 v2.3.0
18.9.81.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.1.0
18.9.81.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'	Windows	CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.1.0
18.9.81.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'	Windows	CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.1.0
18.9.81.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'	Windows	CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.1.0
18.9.81.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.81.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'	Windows	CIS Microsoft Windows 8.1 L1 Bitlocker v2.3.0
18.9.81.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'	Windows	CIS Windows Server 2012 R2 MS L1 v2.4.0
18.9.81.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'	Windows	CIS Windows Server 2012 MS L1 v2.1.0
18.9.81.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
18.9.82.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'	Windows	CIS Windows Server 2012 R2 MS L1 v2.5.0
18.9.82.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'	Windows	CIS Windows Server 2012 R2 DC L1 v2.5.0

Detections

Analytics