Detections
Analytics

CCI|CCI-001851

Title

Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging.

Reference Item Details

Category: 2024

Audit Items

View all Reference Audit Items

NamePluginAudit Name
4.1.2.3 Ensure audit system is set to single when the disk is full.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.6 Ensure audit system action is defined for sending errorsUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.8 Ensure audit logs are stored on a different system.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.9 Ensure audit logs on separate system are encrypted.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.11 Ensure off-load of audit logs - directionUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.11 Ensure off-load of audit logs - pathUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.11 Ensure off-load of audit logs - typeUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.12 Ensure action is taken when audisp-remote buffer is fullUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.13 Ensure off-loaded audit logs are labeled.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full.UnixDISA STIG AIX 7.x v3r1
AIX7-00-002131 - AIX must implement a remote syslog server that is documented using site-defined procedures.UnixDISA STIG AIX 7.x v3r1
ALMA-09-052160 - AlmaLinux OS 9 audispd-plugins package must be installed.UnixDISA CloudLinux AlmaLinux OS 9 STIG v1r2
ALMA-09-052270 - AlmaLinux OS 9 must label all offloaded audit logs before sending them to the central log server.UnixDISA CloudLinux AlmaLinux OS 9 STIG v1r2
ALMA-09-052380 - AlmaLinux OS 9 must take appropriate action when the internal event queue is full.UnixDISA CloudLinux AlmaLinux OS 9 STIG v1r2
ALMA-09-052490 - AlmaLinux OS 9 must be configured to offload audit records onto a different system from the system being audited via syslog.UnixDISA CloudLinux AlmaLinux OS 9 STIG v1r2
ALMA-09-052600 - AlmaLinux OS 9 must authenticate the remote logging server for offloading audit logs via rsyslog.UnixDISA CloudLinux AlmaLinux OS 9 STIG v1r2
ALMA-09-052710 - AlmaLinux OS 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.UnixDISA CloudLinux AlmaLinux OS 9 STIG v1r2
ALMA-09-052820 - AlmaLinux OS 9 must encrypt, via the gtls driver, the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.UnixDISA CloudLinux AlmaLinux OS 9 STIG v1r2
ALMA-09-052930 - AlmaLinux OS 9 must have the rsyslog package installed.UnixDISA CloudLinux AlmaLinux OS 9 STIG v1r2
ALMA-09-053040 - AlmaLinux OS 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog.UnixDISA CloudLinux AlmaLinux OS 9 STIG v1r2
ALMA-09-053150 - The rsyslog service on AlmaLinux OS 9 must be active.UnixDISA CloudLinux AlmaLinux OS 9 STIG v1r2
AMLS-NM-000400 - The Arista Multilayer Switch must, at a minimum, off-load audit records for interconnected systems in real time - logging hostAristaDISA STIG Arista MLS DCS-7000 Series NDM v1r4
AMLS-NM-000400 - The Arista Multilayer Switch must, at a minimum, off-load audit records for interconnected systems in real time - trap loggingAristaDISA STIG Arista MLS DCS-7000 Series NDM v1r4
ARST-ND-000850 - The Arista network Arista device must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the ISSO.AristaDISA STIG Arista MLS EOS 4.2x NDM v2r1
AS24-U1-000720 - The Apache web server must not impede the ability to write specified log record content to an audit log server.UnixDISA STIG Apache Server 2.4 Unix Server v3r1 Middleware
AS24-U1-000720 - The Apache web server must not impede the ability to write specified log record content to an audit log server.UnixDISA STIG Apache Server 2.4 Unix Server v3r1
AS24-U1-000730 - The Apache web server must be configured to integrate with an organizations security infrastructure.UnixDISA STIG Apache Server 2.4 Unix Server v3r1
AS24-U1-000730 - The Apache web server must be configured to integrate with an organizations security infrastructure.UnixDISA STIG Apache Server 2.4 Unix Server v3r1 Middleware
AS24-W1-000720 - The Apache web server must not impede the ability to write specified log record content to an audit log server.WindowsDISA STIG Apache Server 2.4 Windows Server v3r1
AS24-W1-000720 - The Apache web server must not impede the ability to write specified log record content to an audit log server.WindowsDISA STIG Apache Server 2.4 Windows Server v2r3
AS24-W1-000730 - The Apache web server must be configurable to integrate with an organizations security infrastructure.WindowsDISA STIG Apache Server 2.4 Windows Server v3r1
AS24-W1-000730 - The Apache web server must be configurable to integrate with an organizations security infrastructure.WindowsDISA STIG Apache Server 2.4 Windows Server v2r3
Big Sur - Off-Load Audit RecordsUnixNIST macOS Big Sur v1.4.0 - All Profiles
CASA-ND-001410 - The Cisco ASA must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to organization-defined personnel and/or the firewall administrator.CiscoDISA STIG Cisco ASA NDM v2r2
Catalina - Off-Load Audit RecordsUnixNIST macOS Catalina v1.5.0 - All Profiles
CD12-00-011300 - PostgreSQL must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.PostgreSQLDBDISA STIG Crunchy Data PostgreSQL DB v3r1
CISC-ND-001310 - The Cisco router must be configured to off-load log records onto a different system than the system being audited.CiscoDISA STIG Cisco IOS-XR Router NDM v3r2
CISC-ND-001310 - The Cisco switch must be configured to off-load log records onto a different system than the system being audited.CiscoDISA STIG Cisco NX-OS Switch NDM v3r2
CISC-ND-001450 - The Cisco router must be configured to send log data to at least two syslog servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).CiscoDISA STIG Cisco IOS XE Router NDM v3r2
CISC-ND-001450 - The Cisco router must be configured to send log data to at least two syslog servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).CiscoDISA STIG Cisco IOS-XR Router NDM v3r2
CISC-ND-001450 - The Cisco router must be configured to send log data to at least two syslog servers for the purpose of forwarding alerts to the administrators and the ISSO.CiscoDISA STIG Cisco IOS Router NDM v3r2
CISC-ND-001450 - The Cisco switch must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).CiscoDISA STIG Cisco IOS Switch NDM v3r2
CISC-ND-001450 - The Cisco switch must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).CiscoDISA STIG Cisco IOS XE Switch NDM v3r2
CISC-ND-001450 - The Cisco switch must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).CiscoDISA STIG Cisco NX-OS Switch NDM v3r2
CNTR-R2-000060 - Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.UnixDISA Rancher Government Solutions RKE2 STIG v2r3
DB2X-00-012600 - DB2 must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.WindowsDISA STIG IBM DB2 v10.5 LUW v2r1 OS Windows
DB2X-00-012600 - DB2 must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.UnixDISA STIG IBM DB2 v10.5 LUW v2r1 OS Linux
DKER-EE-001080 - The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise.UnixDISA STIG Docker Enterprise 2.x Linux/Unix UCP v2r2
DKER-EE-003320 - All Docker Engine - Enterprise nodes must be configured with a log driver plugin that sends logs to a remote log aggregation system (SIEM).UnixDISA STIG Docker Enterprise 2.x Linux/Unix v2r2
ESXI-06-400004 - The VMM must off-load audit records onto a different system or media than the system being audited by configuring remote logging.VMwareDISA STIG VMware vSphere 6.x ESXi v1r5