CSCv6|6.2

Title

Validate audit log settings for each hardware device and the software installed on it.

Description

Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.

Reference Item Details

Category: Maintenance, Monitoring, and Analysis of Audit Logs

Family: System

Audit Items

Name | Plugin | Audit Name
1.1.3 Ensure auditing is configured for the Docker daemon | Unix | CIS Docker v1.3.1 L1 Linux Host OS
1.1.3.2.2 Enable 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.2 Set 'Windows Firewall: Domain: Logging: Size limit (KB)' to '16384 KB or greater' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.3 Set 'Windows Firewall: Domain: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.4 Set 'Windows Firewall: Private: Logging: Size limit (KB)' to '16384 KB or greater' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.8 Set 'Windows Firewall: Domain: Logging: Log dropped packets' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.9 Set 'Windows Firewall: Domain: Logging: Log successful connections' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.2.8 Set 'Windows Firewall: Private: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.2.10 Set 'Windows Firewall: Private: Logging: Log successful connections' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.2.11 Set 'Windows Firewall: Private: Logging: Log dropped packets' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.4 Set 'Windows Firewall: Public: Logging: Log dropped packets' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.7 Set 'Windows Firewall: Public: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.8 Set 'Windows Firewall: Public: Logging: Log successful connections' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.9 Set 'Windows Firewall: Public: Logging: Size limit (KB)' to '16384 KB or greater' | Windows | CIS Windows 8 L1 v1.0.0
1.1.14 Ensure that the --audit-log-path argument is set as appropriate | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.15 Ensure that the --audit-log-path argument is set as appropriate | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.15 Ensure that the --audit-log-path argument is set as appropriate | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.16 Ensure that the --audit-log-path argument is set as appropriate | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.2.21 Ensure that the --audit-log-path argument is set | Unix | CIS Kubernetes v1.20 Benchmark v1.0.0 L1 Master
1.2.22 Ensure that the --audit-log-path argument is set | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.5 Ensure auditing is configured for the docker daemon | Unix | CIS Docker Community Edition v1.1.0 L1 Linux Host OS
2.2 Ensure the Log Config Module Is Enabled | Unix | CIS Apache HTTP Server 2.2 L1 v3.6.0
2.2 Ensure the Log Config Module Is Enabled | Unix | CIS Apache HTTP Server 2.2 L1 v3.6.0 Middleware
2.2 Ensure the Log Config Module Is Enabled | Unix | CIS Apache HTTP Server 2.2 L2 v3.6.0
2.2 Ensure the Log Config Module Is Enabled | Unix | CIS Apache HTTP Server 2.4 L1 v2.0.0
2.2 Ensure the Log Config Module Is Enabled | Unix | CIS Apache HTTP Server 2.4 L1 v2.0.0 Middleware
2.2 Ensure the logging level is set to 'info' | Unix | CIS Docker Community Edition v1.1.0 L1 Docker
2.3 Ensure the logging level is set to 'info' - daemon.json | Unix | CIS Docker v1.3.1 L1 Docker Linux
2.3 Ensure the logging level is set to 'info' - dockerd | Unix | CIS Docker v1.3.1 L1 Docker Linux
2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1
2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2016 DC L1 v1.3.0
17.6.3 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
17.6.3 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1
17.6.3 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows Server 2016 MS L1 v1.3.0
17.6.3 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL
17.6.3 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.2.0
17.6.3 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows Server 2016 DC L1 v1.3.0
17.6.3 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Windows Server 2012 MS L1 v2.2.0
17.6.3 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.2.0
17.6.3 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.2.0
17.6.3 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.2.0
17.6.3 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Windows Server 2012 R2 MS L1 v2.5.0
17.6.3 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Windows Server 2012 R2 DC L1 v2.5.0
17.6.3 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + NG
17.6.3 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1
17.6.3 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG
17.6.3 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Windows Server 2012 DC L1 v2.2.0
18.9.48.1 Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 NG