Capacity
CCI-001849
Allocate audit log storage capacity to accommodate organization-defined audit record retention requirements.
27
Rule
Severity: Low
Ensure /var/log/audit Located On Separate Partition
17
Rule
Severity: Low
Extend Audit Backlog Limit for the Audit Daemon
10
Rule
Severity: Medium
Configure a Sufficiently Large Partition for Audit Logs
4
Rule
Severity: Medium
The Apache web server must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the Apache web server.
2
Rule
Severity: Medium
The application server must allocate log record storage capacity in accordance with organization-defined log record storage requirements.
2
Rule
Severity: Medium
The Arista network device must be configured to capture all DOD auditable events.
1
Rule
Severity: Medium
The Docker Enterprise max-size and max-file json-file drivers logging options in the daemon.json configuration file must be configured to allocate audit record storage capacity for Universal Control Plane (UCP) and Docker Trusted Registry (DTR) per the requirements set forth by the System Security Plan (SSP).
1
Rule
Severity: Medium
The FortiGate device must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
1
Rule
Severity: Medium
The HP FlexFabric Switch must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
1
Rule
Severity: Medium
The storage system must allocate audit record storage capacity to store at least one weeks worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
1
Rule
Severity: Medium
The HYCU server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
1
Rule
Severity: Medium
The DataPower Gateway must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
2
Rule
Severity: Medium
The WebSphere Liberty Server must allocate JVM log record storage capacity in accordance with organization-defined log record storage requirements.
1
Rule
Severity: Medium
DB2 must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
1
Rule
Severity: Medium
The WebSphere Application Server must allocate JVM log record storage capacity in accordance with organization-defined log record storage requirements.
1
Rule
Severity: Medium
The WebSphere Application Server must allocate audit log record storage capacity in accordance with organization-defined log record storage requirements.
2
Rule
Severity: Medium
The Juniper router must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
2
Rule
Severity: Medium
For local log files, the Juniper SRX Services Gateway must allocate log storage capacity in accordance with organization-defined log record storage requirements so that the log files do not grow to a size that causes operational issues.
2
Rule
Severity: Medium
The mainframe product must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
2
Rule
Severity: Medium
Azure SQL Database must be able to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
3
Rule
Severity: Medium
SQL Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
2
Rule
Severity: Medium
ONTAP must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
2
Rule
Severity: Medium
The network device must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
1
Rule
Severity: Medium
Nutanix AOS must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
2
Rule
Severity: Medium
The node that runs Prisma Cloud Compute containers must have sufficient disk space to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
2
Rule
Severity: Medium
Rancher MCM must allocate audit record storage and generate audit records associated with events, users, and groups.
2
Rule
Severity: Medium
The Tanium SQL Server RDBMS must be configured with sufficient free space to ensure audit logging is not impacted.
4
Rule
Severity: Medium
The Tanium application must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
1
Rule
Severity: Medium
The macOS system must allocate audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility.
3
Rule
Severity: Low
The macOS system must allocate audit record storage capacity to store at least seven days of audit records when audit records are not immediately sent to a central audit record storage facility.
3
Rule
Severity: Low
The macOS system must configure audit retention to seven days.
3
Rule
Severity: Low
The macOS system must configure install.log retention to 365.
1
Rule
Severity: Low
The Ubuntu operating system must allocate audit record storage capacity to store at least one weeks worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
2
Rule
Severity: Low
The Ubuntu operating system must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
4
Rule
Severity: Medium
PostgreSQL must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
2
Rule
Severity: Medium
The Cisco ASA must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
6
Rule
Severity: Medium
The Cisco router must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
6
Rule
Severity: Medium
The Cisco switch must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
2
Rule
Severity: Medium
The Cisco ISE must limit audit record storage capacity for all locally stored logs.
2
Rule
Severity: Medium
The container platform must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
3
Rule
Severity: Medium
The EDB Postgres Advanced Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
2
Rule
Severity: Medium
The DBMS must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
2
Rule
Severity: Low
The operating system must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
2
Rule
Severity: Medium
SSMC must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
2
Rule
Severity: Medium
The HPE 3PAR operating system must be configured to allocate audit record storage capacity to store at least one week of audit records, even though all audit records are immediately sent to a centralized audit record storage system (SIEM).
2
Rule
Severity: Medium
AIX must allocate audit record storage capacity to store at least one weeks worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
4
Rule
Severity: Medium
IBM z/OS SMF collection files (system MANx data sets or LOGSTREAM DASD) must have storage capacity to store at least one weeks worth of audit data.
2
Rule
Severity: Medium
IBM z/OS SMF collection files (system MANx datasets or LOGSTREAM DASD) must have storage capacity to store at least one weeks worth of audit data.
2
Rule
Severity: Medium
The ICS must be configured to allocate local audit record storage capacity in accordance with organization-defined audit record storage requirements.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
2
Rule
Severity: Medium
MarkLogic Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
2
Rule
Severity: Medium
MariaDB must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
3
Rule
Severity: Medium
MongoDB must allocate audit record storage capacity in accordance with site audit record storage requirements.
2
Rule
Severity: Medium
The IIS 10.0 website must use a logging mechanism configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 10.0 website.
2
Rule
Severity: Medium
The IIS 10.0 web server must use a logging mechanism configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 10.0 web server.
6
Rule
Severity: Medium
The Application event log size must be configured to 32768 KB or greater.
4
Rule
Severity: Medium
The Security event log size must be configured to 1024000 KB or greater.
6
Rule
Severity: Medium
The System event log size must be configured to 32768 KB or greater.
2
Rule
Severity: Medium
The Security event log size must be configured to 196608 KB or greater.
2
Rule
Severity: Medium
Windows Server 2019 Application event log size must be configured to 32768 KB or greater.
2
Rule
Severity: Medium
Windows Server 2019 Security event log size must be configured to 196608 KB or greater.
2
Rule
Severity: Medium
Windows Server 2019 System event log size must be configured to 32768 KB or greater.
2
Rule
Severity: Medium
Windows Server 2022 Application event log size must be configured to 32768 KB or greater.
2
Rule
Severity: Medium
Windows Server 2022 Security event log size must be configured to 196608 KB or greater.
2
Rule
Severity: Medium
Windows Server 2022 System event log size must be configured to 32768 KB or greater.
2
Rule
Severity: Low
The Oracle Linux operating system must use a separate file system for the system audit data path large enough to hold at least one week of audit data.
2
Rule
Severity: Medium
OL 8 must allocate audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.
2
Rule
Severity: Medium
The MySQL Database Server 8.0 must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
2
Rule
Severity: Medium
Automation Controller must allocate log record storage capacity and shut down by default upon log failure (unless availability is an overriding concern).
2
Rule
Severity: Medium
Redis Enterprise DBMS must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
2
Rule
Severity: Medium
All audit records must generate the event results within OpenShift.
2
Rule
Severity: Low
Red Hat Enterprise Linux CoreOS (RHCOS) must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
2
Rule
Severity: Low
RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.
2
Rule
Severity: Medium
RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.
2
Rule
Severity: Low
RHEL 9 must use a separate file system for the system audit data path.
2
Rule
Severity: Medium
The SUSE operating system must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility.
2
Rule
Severity: Medium
RHEL 9 must allocate audit record storage capacity to store at least one week's worth of audit records.
2
Rule
Severity: Low
RHEL 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.
2
Rule
Severity: Medium
The SUSE operating system must allocate audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.
4
Rule
Severity: Medium
The operating system must allocate audit record storage capacity.
4
Rule
Severity: High
The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded.
2
Rule
Severity: Medium
The VMM must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility.
1
Rule
Severity: Medium
The ESXi host must enable a persistent log location for all locally stored logs.
1
Rule
Severity: Medium
Performance Charts must properly configure log sizes and rotation.
1
Rule
Severity: Medium
ESX Agent Manager application files must be verified for their integrity.
1
Rule
Severity: Medium
Lookup Service must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server.
3
Rule
Severity: Medium
The ESXi host must allocate audit record storage capacity to store at least one week's worth of audit records.
3
Rule
Severity: Medium
The ESXi host must configure a persistent log location for all locally stored logs.
1
Rule
Severity: Medium
The Photon operating system must configure auditd to keep five rotated log files.
1
Rule
Severity: Medium
The Photon operating system must configure auditd to keep logging in the event max log file size is reached.
1
Rule
Severity: Medium
The Security Token Service application files must be verified for their integrity.
1
Rule
Severity: Medium
vSphere UI must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server.
3
Rule
Severity: Low
The Photon operating system must allocate audit record storage capacity to store audit records when audit records are not immediately sent to a central audit record storage facility.
2
Rule
Severity: Medium
The web server must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
1
Rule
Severity: Low
Ubuntu 22.04 LTS must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
1
Rule
Severity: Medium
Dragos Platform must allocate audit record storage retention length.
1
Rule
Severity: Low
The F5 BIG-IP appliance must manage local audit storage capacity in accordance with organization-defined audit record storage requirements.
1
Rule
Severity: Medium
SLEM 5 must allocate audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.
1
Rule
Severity: Medium
TOSS must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
1
Rule
Severity: High
The NSX Manager must be configured to send logs to a central log server.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules