CSCv7|6.5

Title

Central Log Management

Description

Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.

Reference Item Details

Reference: CIS Critical Security Controls v7

Category: Maintenance, Monitoring and Analysis of Audit Logs

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
3.1 (L1) Ensure a centralized location is configured to collect ESXi host core dumps	Unix	CIS VMware ESXi 7.0 v1.4.0 L1 Bare Metal
3.1 Ensure a centralized location is configured to collect ESXi host core dumps	Unix	CIS VMware ESXi 6.5 v1.0.0 Level 1 Bare Metal
3.1 Ensure a centralized location is configured to collect ESXi host core dumps	Unix	CIS VMware ESXi 6.7 v1.3.0 Level 1 Bare Metal
3.3 (L1) Ensure remote logging is configured for ESXi hosts	VMware	CIS VMware ESXi 7.0 v1.4.0 L1
3.3 Ensure remote logging is configured for ESXi hosts	VMware	CIS VMware ESXi 6.7 v1.3.0 Level 1
3.5 Ensure error logs are sent to a remote syslog server	Unix	CIS NGINX Benchmark v2.1.0 L2 Webserver
3.5 Ensure error logs are sent to a remote syslog server	Unix	CIS NGINX Benchmark v2.1.0 L2 Loadbalancer
3.5 Ensure error logs are sent to a remote syslog server	Unix	CIS NGINX Benchmark v2.1.0 L2 Proxy
3.6 Ensure access logs are sent to a remote syslog server	Unix	CIS NGINX Benchmark v2.1.0 L2 Loadbalancer
3.6 Ensure access logs are sent to a remote syslog server	Unix	CIS NGINX Benchmark v2.1.0 L2 Proxy
3.6 Ensure access logs are sent to a remote syslog server	Unix	CIS NGINX Benchmark v2.1.0 L2 Webserver
4.1 Ensure unauthorized API calls are monitored	amazon_aws	CIS Amazon Web Services Foundations v4.0.1 L2
4.1.2.1 Ensure journald is configured to send logs to rsyslog	Unix	CIS Ubuntu Linux 18.04 LXD Container L1 v1.0.0
4.2 (L1) Host must transmit system logs to a remote log collector	VMware	CIS VMware ESXi 8.0 v1.1.0 L1
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals	Palo_Alto	CIS Palo Alto Firewall 9 v1.1.0 L1
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS CentOS Linux 8 Workstation L1 v2.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Debian Family Server L1 v1.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Fedora 28 Family Linux Server L1 v2.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Fedora 28 Family Linux Workstation L1 v2.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS CentOS Linux 8 Server L1 v2.0.0
4.2.1.3 Ensure journald is configured to send logs to rsyslog	Unix	CIS Debian Family Workstation L1 v1.0.0
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host	Unix	CIS Aliyun Linux 2 L1 v1.0.0
4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts. - $InputTCPServerRun	Unix	CIS Aliyun Linux 2 L1 v1.0.0
4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts. - $ModLoad	Unix	CIS Aliyun Linux 2 L1 v1.0.0
4.2.2.1 Ensure journald is configured to send logs to rsyslog	Unix	CIS Distribution Independent Linux Server L1 v2.0.0
4.2.2.1 Ensure journald is configured to send logs to rsyslog	Unix	CIS Distribution Independent Linux Workstation L1 v2.0.0
4.2.2.1 Ensure journald is configured to send logs to rsyslog	Unix	CIS Ubuntu Linux 16.04 LTS Workstation L1 v2.0.0
4.2.2.1 Ensure journald is configured to send logs to rsyslog	Unix	CIS Fedora 19 Family Linux Workstation L1 v1.0.0
17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.1 Ensure 'Audit IPsec Driver' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
17.9.3 (L1) Ensure 'Audit Security State Change' is set to include 'Success'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.3 Ensure 'Audit Security State Change' is set to include 'Success'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
17.9.4 (L1) Ensure 'Audit Security System Extension' is set to include 'Success'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.4 Ensure 'Audit Security System Extension' is set to include 'Success'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.5 Ensure 'Audit System Integrity' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
18.4.13 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.4.13 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited'	Windows	CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC
20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited'	Windows	CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC
20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited'	Windows	CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS
20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited'	Windows	CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG MS
20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly'	Windows	CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS
20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly'	Windows	CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC
20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly'	Windows	CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC
20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly'	Windows	CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG MS

Detections

Analytics

CSCv7|6.5

Title

Description

Reference Item Details

Audit Items