CSCv7|6.5

Title

Central Log Management

Description

Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.

Reference Item Details

Category: Maintenance, Monitoring and Analysis of Audit Logs

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.3.10 Ensure 'Password Profiles' do not exist | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1 |
| 2.2.35 Ensure 'Manage auditing and security log' is set to 'Administrators' and (when Exchange is running in the environment) 'Exchange Servers' (DC only) | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.0 |
| 2.2.36 Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only) | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.0 |
| 2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 3.1 Ensure a centralized location is configured to collect ESXi host core dumps | Unix | CIS VMware ESXi 6.7 v1.3.0 Level 1 Bare Metal |
| 3.1 Ensure a centralized location is configured to collect ESXi host core dumps | Unix | CIS VMware ESXi 6.5 v1.0.0 Level 1 Bare Metal |
| 3.1 Ensure a centralized location is configured to collect ESXi host core dumps | Unix | CIS VMware ESXi 7.0 v1.3.0 Level 1 Bare Metal |
| 3.3 Ensure remote logging is configured for ESXi hosts | VMware | CIS VMware ESXi 7.0 v1.3.0 Level 1 |
| 3.3 Ensure remote logging is configured for ESXi hosts | VMware | CIS VMware ESXi 6.7 v1.3.0 Level 1 |
| 3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs - 'CloudWatch Log Delivery' | amazon_aws | CIS Amazon Web Services Foundations L1 2.0.0 |
| 3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs - 'log group is configured' | amazon_aws | CIS Amazon Web Services Foundations L1 2.0.0 |
| 3.5 Ensure error logs are sent to a remote syslog server | Unix | CIS NGINX Benchmark v2.0.1 L2 Proxy |
| 3.5 Ensure error logs are sent to a remote syslog server | Unix | CIS NGINX Benchmark v2.0.1 L2 Loadbalancer |
| 3.5 Ensure error logs are sent to a remote syslog server | Unix | CIS NGINX Benchmark v2.0.1 L2 Webserver |
| 3.6 Ensure access logs are sent to a remote syslog server | Unix | CIS NGINX Benchmark v2.0.1 L2 Webserver |
| 3.6 Ensure access logs are sent to a remote syslog server | Unix | CIS NGINX Benchmark v2.0.1 L2 Loadbalancer |
| 3.6 Ensure access logs are sent to a remote syslog server | Unix | CIS NGINX Benchmark v2.0.1 L2 Proxy |
| 4.1 Ensure unauthorized API calls are monitored | amazon_aws | CIS Amazon Web Services Foundations L2 2.0.0 |
| 4.1.2.1 Ensure journald is configured to send logs to rsyslog | Unix | CIS Ubuntu Linux 18.04 LXD Container L1 v1.0.0 |
| 4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1 |
| 4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1 |
| 4.2.1.3 Ensure journald is configured to send logs to rsyslog | Unix | CIS CentOS Linux 8 Server L1 v2.0.0 |
| 4.2.1.3 Ensure journald is configured to send logs to rsyslog | Unix | CIS CentOS Linux 8 Workstation L1 v2.0.0 |
| 4.2.1.3 Ensure journald is configured to send logs to rsyslog | Unix | CIS AlmaLinux OS 9 Workstation L1 v1.0.0 |
| 4.2.1.3 Ensure journald is configured to send logs to rsyslog | Unix | CIS Debian Family Server L1 v1.0.0 |
| 17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 17.9.1 Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 17.9.3 (L1) Ensure 'Audit Security State Change' is set to include 'Success' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 17.9.3 Ensure 'Audit Security State Change' is set to include 'Success' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 17.9.4 (L1) Ensure 'Audit Security System Extension' is set to include 'Success' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 17.9.4 Ensure 'Audit Security System Extension' is set to include 'Success' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 17.9.5 Ensure 'Audit System Integrity' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 18.4.12 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | Windows | CIS Microsoft Windows Server 2016 STIG DC L1 v1.1.0 |
| 18.4.12 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | Windows | CIS Microsoft Windows Server 2016 STIG MS L1 v1.1.0 |
| 18.4.12 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | Windows | CIS Microsoft Windows Server 2019 STIG DC L1 v1.0.1 |
| 18.4.12 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | Windows | CIS Microsoft Windows Server 2019 STIG MS L1 v1.0.1 |
| 18.4.13 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 18.4.13 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited' | Windows | CIS Microsoft Windows Server 2016 STIG DC STIG v1.1.0 |
| 20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited' | Windows | CIS Microsoft Windows Server 2019 STIG DC STIG v1.0.1 |
| 20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited' | Windows | CIS Microsoft Windows Server 2016 STIG MS STIG v1.1.0 |
| 20.13 Ensure 'Audit records must be backed up to a different system or media than the system being audited' | Windows | CIS Microsoft Windows Server 2019 STIG MS STIG v1.0.1 |
| 20.38 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly' | Windows | CIS Microsoft Windows Server 2019 STIG DC STIG v1.0.1 |
| 20.38 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly' | Windows | CIS Microsoft Windows Server 2019 STIG MS STIG v1.0.1 |
| 20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly' | Windows | CIS Microsoft Windows Server 2016 STIG DC STIG v1.1.0 |
| 20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly' | Windows | CIS Microsoft Windows Server 2016 STIG MS STIG v1.1.0 |