Capacity
CCI-001851
Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging.
12
Rule
Severity: Medium
Ensure the default plugins for the audit dispatcher are Installed
29
Rule
Severity: Medium
Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
28
Rule
Severity: Medium
Enable rsyslog Service
29
Rule
Severity: Medium
Ensure Rsyslog Authenticates Off-Loaded Audit Records
58
Rule
Severity: Medium
Ensure Rsyslog Encrypts Off-Loaded Audit Records
29
Rule
Severity: Medium
Enable syslog-ng Service
27
Rule
Severity: Medium
Ensure Logs Sent To Remote Host
16
Rule
Severity: Medium
Configure audispd Plugin To Send Logs To Remote Server
14
Rule
Severity: Medium
Configure audispd's Plugin disk_full_action When Disk Is Full
14
Rule
Severity: Medium
Encrypt Audit Records Sent With audispd Plugin
13
Rule
Severity: Medium
Configure audispd's Plugin network_failure_action On Network Failure
4
Rule
Severity: Medium
Configure auditd to use audispd's remote logging daemon
4
Rule
Severity: Medium
Ensure the audispd's remote logging daemon direction is correct
4
Rule
Severity: Medium
Ensure the audispd's remote logging daemon executable is correct
4
Rule
Severity: Medium
Ensure the audispd's remote logging daemon type is correct
14
Rule
Severity: Medium
Set type of computer node name logging in audit logs
2
Rule
Severity: Medium
Offload audit Logs to External Media
1
Rule
Severity: Low
The A10 Networks ADC must, at a minimum, off-load audit log records onto a centralized log server.
1
Rule
Severity: Medium
The A10 Networks ADC must off-load audit records onto a different system or media than the system being audited.
2
Rule
Severity: Medium
AAA Services must be configured to send audit records to a centralized audit server.
1
Rule
Severity: Medium
Kona Site Defender must off-load audit records onto a centralized log server.
1
Rule
Severity: Low
Kona Site Defender must off-load audit records onto a centralized log server in real time.
4
Rule
Severity: Medium
The Apache web server must not impede the ability to write specified log record content to an audit log server.
2
Rule
Severity: Medium
The Apache web server must be configurable to integrate with an organizations security infrastructure.
2
Rule
Severity: Medium
The ALG must off-load audit records onto a centralized log server.
2
Rule
Severity: Medium
The ALG must off-load audit records onto a centralized log server in real time.
2
Rule
Severity: Medium
The ALG that is part of a CDS must have the capability to implement journaling.
1
Rule
Severity: Medium
The Arista Multilayer Switch must, at a minimum, off-load audit records for interconnected systems in real time.
2
Rule
Severity: Medium
The application server must off-load log records onto a different system or media from the system being logged.
2
Rule
Severity: Medium
The application server must, at a minimum, transfer the logs of interconnected systems in real time, and transfer the logs of standalone systems weekly.
2
Rule
Severity: High
The Arista network Arista device must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the ISSO.
2
Rule
Severity: Medium
The application must off-load audit records onto a different system or media than the system being audited.
2
Rule
Severity: Medium
The application must be configured to write application logs to a centralized log repository.
1
Rule
Severity: Medium
The BlackBerry UEM server must be configured to transfer BlackBerry UEM server logs to another server for storage, analysis, and reporting.
Note: BlackBerry UEM server logs include logs of MDM events and logs transferred to the BlackBerry UEM server by MDM agents of managed devices.
1
Rule
Severity: Low
The CA API Gateway must off-load audit records onto a different system or media than the system being audited.
1
Rule
Severity: Medium
The CA API Gateway must off-load audit records onto a centralized log server.
1
Rule
Severity: Medium
The CA API Gateway must off-load audit records onto a centralized log server in real time.
2
Rule
Severity: Medium
The Central Log Server must be configured to off-load log records onto a different system or media than the system being audited.
2
Rule
Severity: Low
The Central Log Server must be configured to off-load interconnected systems in real time and off-load standalone systems weekly, at a minimum.
1
Rule
Severity: Medium
The DBN-6300 must off-load log records to a centralized log server.
1
Rule
Severity: Medium
The DBN-6300 must off-load log records to a centralized log server in real time.
1
Rule
Severity: Medium
The DBN-6300 must off-load audit records onto a different system or media than the system being audited.
1
Rule
Severity: Medium
The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise.
1
Rule
Severity: Medium
All Docker Engine - Enterprise nodes must be configured with a log driver plugin that sends logs to a remote log aggregation system (SIEM).
2
Rule
Severity: Medium
The firewall must be configured to send traffic log entries to a central audit server for management and configuration of the traffic log entries.
1
Rule
Severity: Medium
The FortiGate device must off-load audit records on to a different system or media than the system being audited.
1
Rule
Severity: Medium
The FortiGate firewall must send traffic log entries to a central audit server for management and configuration of the traffic log entries.
1
Rule
Severity: Medium
CounterACT must off-load audit records onto a centralized log server.
1
Rule
Severity: Medium
CounterACT must off-load audit records onto a centralized log server in real time.
1
Rule
Severity: Medium
CounterACT must sent audit logs to a centralized audit server (i.e., syslog server).
2
Rule
Severity: Low
The Forescout must configure a remote syslog where audit records are stored on a centralized logging target that is different from the system being audited.
2
Rule
Severity: Medium
Forescout must off-load log records onto a different system. This is required for compliance with C2C Step 1.
1
Rule
Severity: Medium
The HP FlexFabric Switch must off-load audit records onto a different system or media than the system being audited.
1
Rule
Severity: Medium
The HYCU server must be configured to conduct backups of system-level information when changes occur and to offload audit records onto a different system or media.
1
Rule
Severity: Medium
The DataPower Gateway must off-load audit records onto a different system or media than the system being audited.
1
Rule
Severity: Medium
The DataPower Gateway must off-load audit records onto a centralized log server.
1
Rule
Severity: Low
The DataPower Gateway must off-load audit records onto a centralized log server in real time.
1
Rule
Severity: Medium
The MQ Appliance messaging server must off-load log records onto a different system or media from the system being logged.
1
Rule
Severity: Medium
The MQ Appliance messaging server must, at a minimum, transfer the logs of interconnected systems in real time, and transfer the logs of standalone systems weekly.
2
Rule
Severity: Medium
The WebSphere Liberty Server must be configured to offload logs to a centralized system.
1
Rule
Severity: Medium
DB2 must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
1
Rule
Severity: Medium
The MaaS360 MDM server must be configured to transfer MaaS360 MDM server logs to another server for storage, analysis, and reporting.
Note: MaaS360 MDM server logs include logs of MDM events and logs transferred to the MaaS360 MDM server by MDM agents of managed devices.
1
Rule
Severity: Medium
The MQ Appliance network device must off-load audit records onto a different system or media than the system being audited.
1
Rule
Severity: Medium
CA VM:Secure product audit records must offload audit records to a different system or media.
1
Rule
Severity: Medium
CA VM:Secure product audit records must be offloaded on a weekly basis.
2
Rule
Severity: Medium
The IDPS must off-load log records to a centralized log server.
2
Rule
Severity: Medium
The IDPS must off-load log records to a centralized log server in real-time.
1
Rule
Severity: Medium
The Ivanti MobileIron Core server must be configured to transfer Ivanti MobileIron Core server logs to another server for storage, analysis, and reporting. Note: Ivanti MobileIron Core server logs include logs of UEM events and logs transferred to the Ivanti MobileIron Core server by UEM agents of managed devices.
1
Rule
Severity: Medium
The Ivanti MobileIron Core server must, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly.
1
Rule
Severity: Low
MobileIron Sentry must off-load audit records onto a different system or media than the system being audited.
2
Rule
Severity: Medium
The ISEC7 EMM Suite must back up audit records at least every seven days onto a different system or system component than the system or component being audited, provide centralized management and configuration of the content to be captured in audit records generated by all ISEC7 EMM Suite components, and off-load audit records onto a different system or media than the system being audited.
2
Rule
Severity: Low
The Sentry must offload audit records onto a centralized log server.
2
Rule
Severity: Low
The Sentry must offload audit records onto a centralized log server in real time.
2
Rule
Severity: Medium
The Jamf Pro EMM server must be configured to transfer Jamf Pro EMM server logs to another server for storage, analysis, and reporting.
Note: Jamf Pro EMM server logs include logs of MDM events and logs transferred to the Jamf Pro EMM server by MDM agents of managed devices.
2
Rule
Severity: Medium
The JBoss server must be configured to utilize syslog logging.
2
Rule
Severity: Medium
JBoss servers must be configured to roll over and transfer logs on a minimum weekly basis.
2
Rule
Severity: Medium
The Juniper router must be configured to off-load log records onto a different system than the system being audited.
2
Rule
Severity: High
The Juniper router must be configured to send log data to at least two syslog servers for the purpose of forwarding alerts to the administrators and the Information System Security Officers (ISSO).
2
Rule
Severity: Medium
The Mainframe Product must off-load audit records onto a different system or media than the system being audited.
1
Rule
Severity: Medium
The MobileIron Core v10 server must be configured to transfer MobileIron Core v10 server logs to another server for storage, analysis, and reporting. Note: MobileIron Core v10 server logs include logs of MDM events and logs transferred to the MobileIron Core v10 server by MDM agents of managed devices.
2
Rule
Severity: Medium
Microsoft Android 11 must be configured to enable audit logging.
1
Rule
Severity: Medium
Motorola Solutions Android 11 must be configured to enable audit logging.
2
Rule
Severity: Medium
Azure SQL Database must offload audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
1
Rule
Severity: Medium
SQL Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
2
Rule
Severity: High
ONTAP must be configured to send audit log data to a central log server.
2
Rule
Severity: Medium
The network device must off-load audit records onto a different system or media than the system being audited.
2
Rule
Severity: High
The network device must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).
1
Rule
Severity: Medium
Nutanix AOS must offload log records onto a syslog server.
1
Rule
Severity: Medium
Nutanix AOS must offload audit records to a syslog server.
1
Rule
Severity: Medium
OHS must be configured to store error log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.
1
Rule
Severity: Medium
OHS must be configured to store access log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.
1
Rule
Severity: Medium
Oracle WebLogic must provide the ability to write specified audit record content to an audit log server.
2
Rule
Severity: Medium
Prisma Cloud Compute must be configured to send events to the hosts' syslog.
2
Rule
Severity: Medium
The Riverbed NetProfiler must be configured to use redundant Syslog servers that are configured on a different system than the NetProfiler appliance.
2
Rule
Severity: Medium
Rancher MCM must generate audit records for all DoD-defined auditable events within all components in the platform.
1
Rule
Severity: Medium
Innoslate must off-load audit records onto a different system or media than the system being audited.
1
Rule
Severity: Medium
The Samsung SDS EMM must be configured to transfer Samsung SDS EMM logs to another server for storage, analysis, and reporting.
Note: Samsung SDS EMM logs include logs of MDM events and logs transferred to the Samsung SDS EMM by MDM agents of managed devices.
1
Rule
Severity: Medium
Symantec ProxySG must use a centralized log server.
1
Rule
Severity: Medium
Symantec ProxySG must be configured to send the access logs to the centralized log server continuously.
1
Rule
Severity: Medium
A Tanium connector must be configured to send log data to an external audit log reduction-capable system and provide alerts.
1
Rule
Severity: Medium
Symantec ProxySG must be configured to support centralized management and configuration of the audit log.
4
Rule
Severity: Medium
The application must, at a minimum, offload interconnected systems in real time and offload standalone systems weekly.
4
Rule
Severity: Medium
The Tanium application must offload audit records onto a different system or media than the system being audited.
1
Rule
Severity: Medium
A Tanium connector must be configured to send log data to an external audit log reduction capable system.
1
Rule
Severity: Medium
The TPS and SMS must off-load log records to a centralized log server.
2
Rule
Severity: Medium
The Tanium operating system (TanOS) must offload audit records onto a different system or media than the system being audited.
2
Rule
Severity: Medium
The UEM Agent must queue alerts if the trusted channel is not available.
2
Rule
Severity: Medium
The UEM Agent must be configured to enable the following function: transfer managed endpoint device audit logs read by the UEM Agent to an UEM server or third-party audit management server.
1
Rule
Severity: High
The TippingPoint SMS must automatically generate audit records for account changes and actions with containing information needed for analysis of the event that occurred on the SMS and TPS.
2
Rule
Severity: Medium
The UEM server must be configured to transfer UEM server logs to another server for storage, analysis, and reporting. Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.
2
Rule
Severity: Medium
The UEM server must, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly.
1
Rule
Severity: Medium
The NSX-T Manager must be configured to send logs to a central log server.
1
Rule
Severity: Medium
The Horizon Connection Server must offload events to a central log server in real time.
1
Rule
Severity: Medium
The Workspace ONE UEM server must be configured to transfer Workspace ONE UEM server logs to another server for storage, analysis, and reporting.
Note: Workspace ONE UEM server logs include logs of MDM events and logs transferred to the Workspace ONE UEM server by MDM agents of managed devices.
2
Rule
Severity: Medium
The VPN Gateway must off-load audit records onto a different system or media than the system being audited.
2
Rule
Severity: Medium
The Apache web server must be configured to integrate with an organizations security infrastructure.
1
Rule
Severity: Low
The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system in real time, if the system is interconnected.
1
Rule
Severity: Low
The Ubuntu operating system must have a crontab script running weekly to off-load audit events of standalone systems.
3
Rule
Severity: Low
The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited.
2
Rule
Severity: Low
The Ubuntu operating system must have a crontab script running weekly to offload audit events of standalone systems.
2
Rule
Severity: Medium
The Cisco ASA must be configured to off-load log records to a centralized log server.
3
Rule
Severity: Medium
PostgreSQL must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
1
Rule
Severity: Medium
The Cisco ASA must be configured to offload audit records onto a different system or media than the system being audited.
2
Rule
Severity: High
The Cisco ASA must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to organization-defined personnel and/or the firewall administrator.
2
Rule
Severity: High
The Cisco router must be configured to send log data to at least two syslog servers for the purpose of forwarding alerts to the administrators and the ISSO.
6
Rule
Severity: High
The Cisco switch must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).
4
Rule
Severity: High
The Cisco router must be configured to send log data to at least two syslog servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).
2
Rule
Severity: Medium
The Cisco router must be configured to off-load log records onto a different system than the system being audited.
2
Rule
Severity: Medium
The Cisco ISE must configure a remote syslog where audit records are stored on a centralized logging target that is different from the system being audited.
1
Rule
Severity: Medium
The Cisco ISE must off-load log records onto a different system. This is required for compliance with C2C Step 1.
2
Rule
Severity: Medium
The Cisco switch must be configured to off-load log records onto a different system than the system being audited.
2
Rule
Severity: Medium
The Cisco ISE must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).
2
Rule
Severity: Medium
Audit records must be stored at a secondary location.
2
Rule
Severity: Medium
The DBMS must off-load audit data to a separate log management facility; this shall be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
3
Rule
Severity: Medium
The EDB Postgres Advanced Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
2
Rule
Severity: Medium
The HPE Nimble must configure a syslog server onto a different system or media than the system being audited.
2
Rule
Severity: Low
The operating system must offload audit records onto a different system or media from the system being audited.
2
Rule
Severity: Medium
The operating system must, at a minimum, off-load audit data from interconnected systems in real time and off-load audit data from standalone systems weekly.
2
Rule
Severity: Medium
SSMC web server must generate information to be used by external applications or entities to monitor and control remote access.
2
Rule
Severity: Medium
SSMC web server must not impede the ability to write specified log record content to an audit log server.
2
Rule
Severity: Medium
The HPE 3PAR OS must be configured to offload audit records onto a different system or media from the system being audited.
2
Rule
Severity: Medium
AIX must implement a remote syslog server that is documented using site-defined procedures.
2
Rule
Severity: Medium
AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full.
4
Rule
Severity: Medium
IBM z/OS system administrators must develop an automated process to collect and retain SMF data.
6
Rule
Severity: Medium
IBM z/OS system administrator must develop a procedure to offload SMF files to a different system or media than the system being audited.
2
Rule
Severity: Medium
IBM z/OS System Administrators must develop an automated process to collect and retain SMF data.
2
Rule
Severity: Medium
The ICS must be configured to send user traffic log data to redundant central log server.
2
Rule
Severity: High
The ICS must be configured to send admin log data to a redundant central log server.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to offload audit records onto a different system or media than the system being audited.
2
Rule
Severity: Low
MarkLogic Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
2
Rule
Severity: Medium
MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.
2
Rule
Severity: Medium
MariaDB must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
2
Rule
Severity: Medium
Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web server must be enabled.
2
Rule
Severity: Medium
The system SQL Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
2
Rule
Severity: Medium
Audit records must be backed up to a different system or media than the system being audited.
2
Rule
Severity: Medium
Windows Server 2016 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly.
2
Rule
Severity: Medium
Windows Server 2019 audit records must be backed up to a different system or media than the system being audited.
2
Rule
Severity: Medium
Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly.
2
Rule
Severity: Medium
Windows Server 2022 audit records must be backed up to a different system or media than the system being audited.
2
Rule
Severity: Medium
Windows Server 2022 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly.
2
Rule
Severity: Medium
Oracle Database must off-load audit data to a separate log management facility; this must be continuous and in near-real-time for systems with a network connection to the storage facility, and weekly or more often for stand-alone systems.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.
2
Rule
Severity: Medium
The Oracle Linux operating system must take appropriate action when the remote logging buffer is full.
2
Rule
Severity: Medium
The Oracle Linux operating system must label all off-loaded audit logs before sending them to the central log server.
2
Rule
Severity: Medium
The Oracle Linux operating system must off-load audit records onto a different system or media from the system being audited.
2
Rule
Severity: Medium
The Oracle Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system.
2
Rule
Severity: Medium
OL 8 must label all offloaded audit logs before sending them to the central log server.
2
Rule
Severity: Medium
The OL 8 audit records must be offloaded onto a different system or storage media from the system being audited.
2
Rule
Severity: Medium
OL 8 must take appropriate action when the internal event queue is full.
2
Rule
Severity: Medium
OL 8 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited.
2
Rule
Severity: Medium
OL 8 must authenticate the remote logging server for offloading audit logs.
2
Rule
Severity: Medium
The MySQL Database Server 8.0 must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
4
Rule
Severity: Medium
The Palo Alto Networks security platform must off-load audit records onto a different system or media than the system being audited.
2
Rule
Severity: Low
The Palo Alto Networks security platform must, at a minimum, off-load threat and traffic log records onto a centralized log server in real time.
2
Rule
Severity: Low
The Palo Alto Networks security platform must off-load log records to a centralized log server.
2
Rule
Severity: Low
The Palo Alto Networks security platform must off-load log records to a centralized log server in real-time.
2
Rule
Severity: Medium
Automation Controller must use external log providers that can collect user activity logs in independent, protected repositories to prevent modification or repudiation.
2
Rule
Severity: Medium
Redis Enterprise DBMS must offload audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility, and weekly or more often for stand-alone systems.
2
Rule
Severity: Medium
Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.
2
Rule
Severity: Medium
OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system.
2
Rule
Severity: Medium
RHEL 8 must label all off-loaded audit logs before sending them to the central log server.
2
Rule
Severity: Medium
The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited.
2
Rule
Severity: Medium
RHEL 8 must take appropriate action when the internal event queue is full.
2
Rule
Severity: Medium
RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.
2
Rule
Severity: Medium
RHEL 8 must authenticate the remote logging server for off-loading audit logs.
4
Rule
Severity: Medium
The audit-audispd-plugins must be installed on the SUSE operating system.
4
Rule
Severity: Low
The SUSE operating system audit event multiplexor must be configured to use Kerberos.
4
Rule
Severity: Low
Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited.
2
Rule
Severity: Medium
The audit system must take appropriate action when the network cannot be used to off-load audit records.
4
Rule
Severity: Medium
Audispd must take appropriate action when the SUSE operating system audit storage is full.
4
Rule
Severity: Medium
The SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly.
2
Rule
Severity: Medium
RHEL 9 must have the rsyslog package installed.
2
Rule
Severity: Medium
RHEL 9 must be configured to offload audit records onto a different system from the system being audited via syslog.
2
Rule
Severity: Medium
RHEL 9 must authenticate the remote logging server for offloading audit logs via rsyslog.
2
Rule
Severity: Medium
RHEL 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.
2
Rule
Severity: Medium
RHEL 9 must encrypt via the gtls driver the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.
2
Rule
Severity: Medium
RHEL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog.
2
Rule
Severity: Medium
RHEL 9 must allocate audit record storage capacity to store at least one week's worth of audit records.
2
Rule
Severity: Medium
RHEL 9 must label all offloaded audit logs before sending them to the central log server.
2
Rule
Severity: Medium
RHEL 9 must take appropriate action when the internal event queue is full.
2
Rule
Severity: Medium
RHEL 9 audispd-plugins package must be installed.
2
Rule
Severity: Medium
The SUSE operating system must off-load audit records onto a different system or media from the system being audited.
2
Rule
Severity: Medium
Splunk Enterprise must be configured to offload log records onto a different system or media than the system being audited.
2
Rule
Severity: Medium
The VMM must off-load audit records onto a different system or media than the system being audited.
2
Rule
Severity: Medium
The VMM must, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly.
1
Rule
Severity: Medium
Remote logging for ESXi hosts must be configured.
1
Rule
Severity: Medium
The rsyslog must be configured to monitor VAMI logs.
1
Rule
Severity: Medium
Rsyslog must be configured to monitor and ship Performance Charts log files.
1
Rule
Severity: Medium
Rsyslog must be configured to monitor and ship ESX Agent Manager log files.
1
Rule
Severity: Medium
Lookup Service log files must be offloaded to a central log server in real time.
2
Rule
Severity: Medium
The ESXi host must off-load logs via syslog.
3
Rule
Severity: Medium
The ESXi host must off-load audit records via syslog.
4
Rule
Severity: Medium
The vCenter Server must be configured to send logs to a central log server.
4
Rule
Severity: Medium
The vCenter server must be configured to send events to a central log server.
1
Rule
Severity: Medium
"Rsyslog" must be configured to monitor VMware Postgres logs.
1
Rule
Severity: Medium
Envoy (rhttpproxy) log files must be shipped via syslog to a central log server.
1
Rule
Severity: Medium
Envoy log files must be shipped via syslog to a central log server.
3
Rule
Severity: Medium
The vCenter Rhttpproxy service log files must be sent to a central log server.
3
Rule
Severity: Medium
The vCenter Envoy service log files must be sent to a central log server.
1
Rule
Severity: Medium
Security Token Service log data and records must be backed up onto a different system or media.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service must offload log records onto a different system or media from the system being logged.
3
Rule
Severity: Medium
The vCenter Lookup service must offload log records onto a different system or media from the system being logged.
1
Rule
Severity: Medium
vSphere UI log files must be moved to a permanent repository in accordance with site policy.
3
Rule
Severity: Medium
The vCenter Perfcharts service must offload log records onto a different system or media from the system being logged.
3
Rule
Severity: Medium
The vCenter PostgreSQL service must off-load audit data to a separate log management facility.
3
Rule
Severity: Medium
The vCenter STS service must offload log records onto a different system or media from the system being logged.
3
Rule
Severity: Medium
The vCenter UI service must offload log records onto a different system or media from the system being logged.
3
Rule
Severity: Medium
The vCenter VAMI service must off-load log records onto a different system or media from the system being logged.
2
Rule
Severity: Medium
The web server must not impede the ability to write specified log record content to an audit log server.
2
Rule
Severity: Medium
The web server must be configurable to integrate with an organizations security infrastructure.
1
Rule
Severity: Medium
Zebra Android 11 must be configured to enable audit logging.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to off-load audit records onto a different system or media than the system being audited.
1
Rule
Severity: Low
Ubuntu 22.04 LTS must have a crontab script running weekly to offload audit events of standalone systems.
1
Rule
Severity: Low
Ubuntu 22.04 LTS audit event multiplexor must be configured to offload audit logs onto a different system from the system being audited.
1
Rule
Severity: Medium
PostgreSQL must offload audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for standalone systems.
1
Rule
Severity: Medium
The Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must perform centralized logging to capture and store log records.
2
Rule
Severity: Medium
The Dragos Platform must be configured to send backup audit records.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Endpoint must offload audit records onto a different system or media than the system being audited.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Endpoint must, at a minimum, offload interconnected systems in real-time and offload standalone systems weekly.
1
Rule
Severity: High
The Enterprise Voice, Video, and Messaging Session Manager must be configured to offload session (call) records to a central log server.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must generate traffic log entries containing information to establish the details of the event, including success or failure of the application of the firewall rule.
1
Rule
Severity: High
The F5 BIG-IP appliance must generate audit records and send records to redundant central syslog servers that are separate from the appliance.
1
Rule
Severity: Medium
The ISEC7 SPHERE must back up audit records at least every seven days onto a different system or system component than the system or component being audited, provide centralized management and configuration of the content to be captured in audit records generated by all ISEC7 SPHERE components, and offload audit records onto a different system or media than the system being audited.
1
Rule
Severity: Medium
The Ivanti EPMM server must be configured to transfer Ivanti EPMM server logs to another server for storage, analysis, and reporting. Note: Ivanti EPMM server logs include logs of UEM events and logs transferred to the Ivanti EPMM server by UEM agents of managed devices.
1
Rule
Severity: Medium
The Ivanti EPMM server must, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly.
1
Rule
Severity: Low
Sentry must offload audit records onto a different system or media than the system being audited.
1
Rule
Severity: High
The Juniper EX switch must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).
1
Rule
Severity: Medium
The Juniper SRX Services Gateway Firewall must be configured to support centralized management and configuration of the audit log.
1
Rule
Severity: Medium
MKE must be configured to send audit data to a centralized log server.
1
Rule
Severity: Medium
MongoDB must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for standalone systems.
1
Rule
Severity: Medium
Microsoft Intune service must be configured to transfer Intune logs to another server for storage, analysis, and reporting at least every seven days.
1
Rule
Severity: Medium
SLEM 5 must offload rsyslog messages for networked systems in real time and offload standalone systems at least weekly.
1
Rule
Severity: Medium
The audit-audispd-plugins package must be installed on SLEM 5.
1
Rule
Severity: Medium
SLEM 5 must offload audit records onto a different system or media from the system being audited.
1
Rule
Severity: Medium
Audispd must take appropriate action when SLEM 5 audit storage is full.
1
Rule
Severity: Low
SLEM 5 audit event multiplexor must be configured to use Kerberos.
1
Rule
Severity: Medium
Audispd must offload audit records onto a different system or media from SLEM 5 being audited.
1
Rule
Severity: Medium
The TPS must provide audit record generation capability for detection events based on implementation of policy filters, rules, signatures, and anomaly analysis.
1
Rule
Severity: High
The TippingPoint SMS must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).
1
Rule
Severity: Medium
TOSS audit records must contain information to establish what type of events occurred, when the events occurred, the source of events, where events occurred, and the outcome of events.
1
Rule
Severity: Medium
The TOSS audit records must be offloaded onto a different system or storage media from the system being audited.
1
Rule
Severity: Medium
TOSS must label all off-loaded audit logs before sending them to the central log server.
1
Rule
Severity: High
The NSX Manager must be configured to send logs to a central log server.
1
Rule
Severity: Medium
The NSX Tier-0 Gateway Firewall must be configured to send traffic log entries to a central audit server.
1
Rule
Severity: Medium
TOSS must take appropriate action when the internal event queue is full.
1
Rule
Severity: Medium
The NSX Tier-1 Gateway firewall must be configured to send traffic log entries to a central audit server.
1
Rule
Severity: Medium
The ESXi host must offload logs via syslog.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules