CSCv6|6.2

Title

Validate audit log settings for each hardware device and the software installed on it.

Description

Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.

Reference Item Details

Category: Maintenance, Monitoring, and Analysis of Audit Logs

Family: System

Audit Items

Name | Plugin | Audit Name
1.1.3.2.2 Enable 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.2 Set 'Windows Firewall: Domain: Logging: Size limit (KB)' to '16384 KB or greater' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.3 Set 'Windows Firewall: Domain: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.4 Set 'Windows Firewall: Private: Logging: Size limit (KB)' to '16384 KB or greater' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.8 Set 'Windows Firewall: Domain: Logging: Log dropped packets' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.9 Set 'Windows Firewall: Domain: Logging: Log successful connections' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.2.8 Set 'Windows Firewall: Private: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.2.10 Set 'Windows Firewall: Private: Logging: Log successful connections' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.2.11 Set 'Windows Firewall: Private: Logging: Log dropped packets' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.4 Set 'Windows Firewall: Public: Logging: Log dropped packets' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.7 Set 'Windows Firewall: Public: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.8 Set 'Windows Firewall: Public: Logging: Log successful connections' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.9 Set 'Windows Firewall: Public: Logging: Size limit (KB)' to '16384 KB or greater' | Windows | CIS Windows 8 L1 v1.0.0
1.1.14 Ensure that the --audit-log-path argument is set as appropriate | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.15 Ensure that the --audit-log-path argument is set as appropriate | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.15 Ensure that the --audit-log-path argument is set as appropriate | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.16 Ensure that the --audit-log-path argument is set as appropriate | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.5 Ensure auditing is configured for the docker daemon | Unix | CIS Docker Community Edition v1.1.0 L1 Linux Host OS
2.2 Ensure the Log Config Module Is Enabled | Unix | CIS Apache HTTP Server 2.2 L1 v3.6.0 Middleware
2.2 Ensure the Log Config Module Is Enabled | Unix | CIS Apache HTTP Server 2.2 L2 v3.6.0
2.2 Ensure the Log Config Module Is Enabled | Unix | CIS Apache HTTP Server 2.2 L1 v3.6.0
2.2 Ensure the logging level is set to 'info' | Unix | CIS Docker Community Edition v1.1.0 L1 Docker
2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE' | OracleDB | CIS Oracle Server 12c DB Traditional Auditing v3.0.0
2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE' | OracleDB | CIS Oracle Server 18c DB Traditional Auditing v1.1.0
2.2.12 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' | OracleDB | CIS Oracle Server 18c DB Traditional Auditing v1.1.0
2.2.12 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' | OracleDB | CIS Oracle Server 18c DB Unified Auditing v1.1.0
2.2.14 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' | OracleDB | CIS Oracle Server 12c DB Traditional Auditing v3.0.0
2.2.14 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG' | OracleDB | CIS Oracle Server 12c DB Unified Auditing v3.0.0
2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
3.1.2 Ensure the log destinations are set correctly | PostgreSQLDB | CIS PostgreSQL 9.6 DB v1.0.0
3.1.2 Ensure the log destinations are set correctly | PostgreSQLDB | CIS PostgreSQL 9.5 DB v1.1.0
3.1.2 Ensure the log destinations are set correctly | PostgreSQLDB | CIS PostgreSQL 11 DB v1.0.0
3.1.2 Ensure the log destinations are set correctly | PostgreSQLDB | CIS PostgreSQL 10 DB v1.0.0
3.1.3 Ensure the logging collector is enabled | PostgreSQLDB | CIS PostgreSQL 9.6 DB v1.0.0
3.1.3 Ensure the logging collector is enabled | PostgreSQLDB | CIS PostgreSQL 9.5 DB v1.1.0
3.1.3 Ensure the logging collector is enabled | PostgreSQLDB | CIS PostgreSQL 11 DB v1.0.0
3.1.3 Ensure the logging collector is enabled | PostgreSQLDB | CIS PostgreSQL 10 DB v1.0.0
3.1.4 Ensure the log file destination directory is set correctly | PostgreSQLDB | CIS PostgreSQL 9.5 DB v1.1.0
3.1.4 Ensure the log file destination directory is set correctly | PostgreSQLDB | CIS PostgreSQL 11 DB v1.0.0
3.1.4 Ensure the log file destination directory is set correctly | PostgreSQLDB | CIS PostgreSQL 10 DB v1.0.0
3.1.4 Ensure the log file destination directory is set correctly | PostgreSQLDB | CIS PostgreSQL 9.6 DB v1.0.0
3.1.5 Ensure the filename pattern for log files is set correctly | PostgreSQLDB | CIS PostgreSQL 11 DB v1.0.0
3.1.5 Ensure the filename pattern for log files is set correctly | PostgreSQLDB | CIS PostgreSQL 9.6 DB v1.0.0
3.1.5 Ensure the filename pattern for log files is set correctly | PostgreSQLDB | CIS PostgreSQL 9.5 DB v1.1.0
3.1.5 Ensure the filename pattern for log files is set correctly | PostgreSQLDB | CIS PostgreSQL 10 DB v1.0.0
3.1.10 Ensure that the --audit-log-path argument is set as appropriate | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
3.1.10 Ensure that the --audit-log-path argument is set as appropriate | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
17.6.3 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker