STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

CCI-000139

Definition

Alert organization-defined personnel or roles within an organization-defined time period in the event of an audit logging process failure.

Parent Control

AU-5: Response to Audit Logging Process Failures (Audit and Accountability)

Linked STIG Checks (116)

| Vuln ID | Severity | Requirement | STIG / SRG |
|---|---|---|---|
| V-237034 | CAT III | The A10 Networks ADC must send an alert to, at a minimum, the ISSO and SCA when connectivity to the Syslog servers is lost. | A10 Networks ADC ALG Security Technical Implementation Guide |
| V-255593 | CAT III | The A10 Networks ADC must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | A10 Networks ADC NDM Security Technical Implementation Guide |
| V-204652 | CAT II | AAA Services must be configured to alert the SA and ISSO when any audit processing failure occurs. | AAA Services Security Requirements Guide |
| V-279070 | CAT II | ColdFusion must be configured to support integration with a third-party Security Information and Event Management (SIEM) to support notifications. | Adobe ColdFusion Security Technical Implementation Guide |
| V-268101 | CAT II | NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization. | Anduril NixOS Security Technical Implementation Guide |
| V-268102 | CAT II | NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 90 percent utilization. | Anduril NixOS Security Technical Implementation Guide |
| V-268103 | CAT II | NixOS must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. | Anduril NixOS Security Technical Implementation Guide |
| V-268104 | CAT II | NixOS must take action when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity. | Anduril NixOS Security Technical Implementation Guide |
| V-214234 | CAT II | The Apache web server must use a logging mechanism that is configured to alert the Information System Security Officer (ISSO) and System Administrator (SA) in the event of a processing failure. | Apache Server 2.4 UNIX Server Security Technical Implementation Guide |
| V-214313 | CAT II | The Apache web server must use a logging mechanism that is configured to alert the (ISSO) and System Administrator (SA) in the event of a processing failure. | Apache Server 2.4 Windows Server Security Technical Implementation Guide |
| V-223010 | CAT II | The application server must alert the system administrator (SA) and information system security offer (ISSO), at a minimum, in the event of a log processing failure. | Apache Tomcat Application Server 9 Security Technical Implementation Guide |
| V-259468 | CAT II | The macOS system must configure audit capacity warning. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide |
| V-268468 | CAT II | The macOS system must configure audit capacity warning. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide |
| V-277075 | CAT II | The macOS system must configure audit capacity warning. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide |
| V-204934 | CAT II | The ALG must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs. | Application Layer Gateway Security Requirements Guide |
| V-222485 | CAT II | The application must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | Application Security and Development Security Technical Implementation Guide |
| V-204728 | CAT II | The application server must alert the SA and ISSO, at a minimum, in the event of a log processing failure. | Application Server Security Requirements Guide |
| V-272632 | CAT II | CylanceON-PREM must be configured to support integration with a third-party Security Information and Event Management (SIEM) to support notifications. | Arctic Wolf CylanceON-PREM Security Technical Implementation Guide |
| V-276014 | CAT I | Ax-OS must off-load audit records onto a different system or media than the system being audited. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide |
| V-219226 | CAT II | The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide |
| V-238243 | CAT II | The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide |
| V-260593 | CAT III | Ubuntu 22.04 LTS must alert the information system security officer (ISSO) and system administrator (SA) in the event of an audit processing failure. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide |
| V-270819 | CAT III | Ubuntu 24.04 LTS must alert the system administrator (SA) and information system security officer (ISSO) (at a minimum) in the event of an audit processing failure. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide |
| V-242597 | CAT II | The Cisco ISE must generate a critical alert to be sent to the ISSO and SA (at a minimum) if it is unable to communicate with the central event log. This is required for compliance with C2C Step 1. | Cisco ISE NAC Security Technical Implementation Guide |
| V-269523 | CAT II | AlmaLinux OS 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide |
| V-269524 | CAT II | AlmaLinux OS 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide |
| V-235787 | CAT III | Docker Enterprise must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide |
| V-270932 | CAT II | The Dragos Platform must have notification and audit services installed. | Dragos Platform 2.x Security Technical Implementation Guide |
| V-260002 | CAT II | The Enterprise Voice, Video, and Messaging Session Manager must alert the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of a session (call) record system failure. | Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide |
| V-228983 | CAT III | The BIG-IP appliance must be configured to alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | F5 BIG-IP Device Management Security Technical Implementation Guide |
| V-237575 | CAT II | CounterACT must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs. | ForeScout CounterACT ALG Security Technical Implementation Guide |
| V-233329 | CAT II | Forescout must configure TCP for the syslog protocol to allow for detection by the central event server if communications is lost. This is required for compliance with C2C Step 1. | Forescout Network Access Control Security Technical Implementation Guide |
| V-203611 | CAT II | The operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | General Purpose Operating System Security Requirements Guide |
| V-255269 | CAT II | SSMC web server must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure. | HPE 3PAR SSMC Web Server Security Technical Implementation Guide |
| V-237820 | CAT II | SNMP must be changed from default settings and must be configured on the storage system to provide alerts of critical events that impact system security. | HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide |
| V-255275 | CAT II | The HPE 3PAR OS must be configured to send SNMP alerts to alert in the event of an audit processing failure. | HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide |
| V-215241 | CAT II | AIX must be configured to generate an audit record when 75% of the audit file system is full. | IBM AIX 7.x Security Technical Implementation Guide |
| V-65209 | CAT II | The DataPower Gateway must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs. | IBM DataPower ALG Security Technical Implementation Guide |
| V-65073 | CAT II | The DataPower Gateway must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | IBM DataPower Network Device Management Security Technical Implementation Guide |
| V-255785 | CAT II | The MQ Appliance messaging server must alert the SA and ISSO, at a minimum, in the event of a log processing failure. | IBM MQ Appliance V9.0 AS Security Technical Implementation Guide |
| V-255733 | CAT II | The MQ Appliance network device must alert the Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) in the event of an audit processing failure. | IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide |
| V-255844 | CAT III | The WebSphere Application Server must alert the SA and ISSO, at a minimum, in the event of a log processing failure. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide |
| V-255845 | CAT II | The WebSphere Application Server audit subsystem failure action must be set to Log warning. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide |
| V-223549 | CAT II | IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set. | IBM z/OS ACF2 Security Technical Implementation Guide |
| V-223772 | CAT II | IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set. | IBM z/OS RACF Security Technical Implementation Guide |
| V-224002 | CAT II | IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set. | IBM z/OS TSS Security Technical Implementation Guide |
| V-224765 | CAT II | The ISEC7 SPHERE must alert the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure. | ISEC7 Sphere Security Technical Implementation Guide |
| V-251404 | CAT II | The Ivanti EPMM server must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | Ivanti EPMM Server Security Technical Implementation Guide |
| V-251404 | CAT II | The Ivanti MobileIron Core server must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | Ivanti MobileIron Core MDM Server Security Technical Implementation Guide |
| V-251021 | CAT III | The Sentry must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs. | Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation Guide |
| V-251021 | CAT III | The Sentry must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs. | Ivanti Sentry 9.x ALG Security Technical Implementation Guide |
| V-66573 | CAT III | For local logging, the Juniper SRX Services Gateway must generate a message to the system management console when a log processing failure occurs. | Juniper SRX SG NDM Security Technical Implementation Guide |
| V-229016 | CAT II | The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are modified. | Juniper SRX Services Gateway NDM Security Technical Implementation Guide |
| V-205471 | CAT II | The Mainframe Product must alert the system administrator (SA) and information system security officer (ISSO) (at a minimum) in the event of an audit processing failure. | Mainframe Product Security Requirements Guide |
| V-272889 | CAT I | Microsoft Defender for Endpoint (MDE) must be connected to a central log server. | Microsoft Defender for Endpoint Security Technical Implementation Guide |
| V-218786 | CAT II | Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web server must be enabled. | Microsoft IIS 10.0 Server Security Technical Implementation Guide |
| V-218739 | CAT II | Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled. | Microsoft IIS 10.0 Site Security Technical Implementation Guide |
| V-254105 | CAT II | Nutanix AOS must be configured to send Cluster Check alerts to the SA and ISSO. | Nutanix AOS 5.20.x Application Security Technical Implementation Guide |
| V-279425 | CAT II | Nutanix Cluster Check (NCC) must be configured to provide alerts to the system administrator (SA) and information system security officer (ISSO), immediately when audit storage reaches 75 percent capacity. | Nutanix Acropolis Application Server Security Technical Implementation Guide |
| V-279569 | CAT II | Nutanix OS must alert the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure. | Nutanix Acropolis GPOS Security Technical Implementation Guide |
| V-221765 | CAT II | The Oracle Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure. | Oracle Linux 7 Security Technical Implementation Guide |
| V-248724 | CAT II | The OL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. | Oracle Linux 8 Security Technical Implementation Guide |
| V-248725 | CAT II | The OL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure. | Oracle Linux 8 Security Technical Implementation Guide |
| V-271589 | CAT II | OL 9 must forward mail from postmaster to the root account using a postfix alias. | Oracle Linux 9 Security Technical Implementation Guide |
| V-271590 | CAT II | OL 9 must take appropriate action when a critical audit processing failure occurs. | Oracle Linux 9 Security Technical Implementation Guide |
| V-271591 | CAT II | The OL 9 system administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. | Oracle Linux 9 Security Technical Implementation Guide |
| V-271744 | CAT II | OL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure. | Oracle Linux 9 Security Technical Implementation Guide |
| V-235951 | CAT III | Oracle WebLogic must provide a real-time alert when organization-defined audit failure events occur. | Oracle WebLogic Server 12c Security Technical Implementation Guide |
| V-235952 | CAT III | Oracle WebLogic must alert designated individual organizational officials in the event of an audit processing failure. | Oracle WebLogic Server 12c Security Technical Implementation Guide |
| V-235996 | CAT II | Oracle WebLogic must provide system notifications to a list of response personnel who are identified by name and/or role. | Oracle WebLogic Server 12c Security Technical Implementation Guide |
| V-256900 | CAT II | Automation Controller must use external log providers that can collect user activity logs in independent, protected repositories to prevent modification or repudiation. | Red Hat Ansible Automation Controller Application Server Security Technical Implementation Guide |
| V-280997 | CAT II | RHEL 10 must notify designated personnel if baseline configurations are changed in an unauthorized manner. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide |
| V-280998 | CAT II | RHEL 10 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) of an audit processing failure. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide |
| V-281103 | CAT II | RHEL 10 must take appropriate action when a critical audit processing failure occurs. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide |
| V-281114 | CAT II | RHEL 10 must notify the system administrator (SA) and/or information system security officer (ISSO) (at a minimum) of an audit processing failure. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide |
| V-281270 | CAT II | RHEL 10 must forward mail from postmaster to the root account using a postfix alias. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide |
| V-204504 | CAT II | The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide |
| V-230388 | CAT II | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. | Red Hat Enterprise Linux 8 Security Technical Implementation Guide |
| V-230389 | CAT II | The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure. | Red Hat Enterprise Linux 8 Security Technical Implementation Guide |
| V-257953 | CAT II | RHEL 9 must forward mail from postmaster to the root account using a postfix alias. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide |
| V-258163 | CAT II | RHEL 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide |
| V-258174 | CAT II | RHEL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide |
| V-258227 | CAT II | RHEL 9 must take appropriate action when a critical audit processing failure occurs. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide |
| V-275680 | CAT II | Ubuntu OS must alert the information system security officer (ISSO) and system administrator (SA) in the event of an audit processing failure. | Riverbed NetIM OS Security Technical Implementation Guide |
| V-92293 | CAT II | The SEL-2740S must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | SEL-2740S NDM Security Technical Implementation Guide |
| V-261423 | CAT II | The information system security officer (ISSO) and system administrator (SA), at a minimum, must have mail aliases to be notified of a SLEM 5 audit processing failure. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide |
| V-261424 | CAT II | The information system security officer (ISSO) and system administrator (SA), at a minimum, must be alerted of a SLEM 5 audit processing failure event. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide |
| V-217194 | CAT II | The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide |
| V-217195 | CAT II | The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide |
| V-22374 | CAT III | The audit system must alert the SA in the event of an audit processing failure. | SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide |
| V-216273 | CAT I | The operating system must alert designated organizational officials in the event of an audit processing failure. | Solaris 11 SPARC Security Technical Implementation Guide |
| V-216038 | CAT I | The operating system must alert designated organizational officials in the event of an audit processing failure. | Solaris 11 X86 Security Technical Implementation Guide |
| V-240999 | CAT II | Tanium must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | Tanium 7.0 Security Technical Implementation Guide |
| V-234059 | CAT II | Tanium must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | Tanium 7.3 Security Technical Implementation Guide |
| V-254898 | CAT II | The Tanium application must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | Tanium 7.x Application on TanOS Security Technical Implementation Guide |
| V-254842 | CAT II | The Tanium operating system (TanOS) must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | Tanium 7.x Operating System on TanOS Security Technical Implementation Guide |
| V-253824 | CAT II | The Tanium application must alert the information system security officer and system administrator (at a minimum) in the event of an audit processing failure. | Tanium 7.x Security Technical Implementation Guide |
| V-241123 | CAT II | Trend Deep Security must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | Trend Micro Deep Security 9.x Security Technical Implementation Guide |
| V-252975 | CAT II | TOSS must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide |
| V-282426 | CAT II | TOSS 5 must forward mail from postmaster to the root account using a postfix alias. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide |
| V-282427 | CAT II | TOSS 5 system administrators (SAs) and/or information system security officer (ISSOs) (at a minimum) must be alerted of an audit processing failure event. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide |
| V-282428 | CAT II | TOSS 5 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide |
| V-282429 | CAT II | TOSS 5 must take appropriate action when a critical audit processing failure occurs. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide |
| V-282492 | CAT II | TOSS 5 must have the openssl-pkcs11 package installed. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide |
| V-234335 | CAT II | The UEM SRG must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | Unified Endpoint Management Server Security Requirements Guide |
| V-240051 | CAT II | HAProxy must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure. | VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide |
| V-240356 | CAT II | The SLES for vRealize must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | VMware vRealize Automation 7.x SLES Security Technical Implementation Guide |
| V-240770 | CAT II | tc Server ALL must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure. | VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide |
| V-239454 | CAT II | The SLES for vRealize must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide |
| V-241620 | CAT II | tc Server ALL must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide |
| V-256733 | CAT II | Lookup Service log files must be offloaded to a central log server in real time. | VMware vSphere 7.0 vCenter Appliance Lookup Service Security Technical Implementation Guide |
| V-256491 | CAT II | The Photon operating system audit log must log space limit problems to syslog. | VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide |
| V-256806 | CAT II | vSphere UI log files must be moved to a permanent repository in accordance with site policy. | VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide |
| V-258810 | CAT II | The Photon operating system must alert the ISSO and SA in the event of an audit processing failure. | VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide |
| V-207358 | CAT II | The VMM must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | Virtual Machine Manager Security Requirements Guide |
| V-206366 | CAT II | The web server must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure. | Web Server Security Requirements Guide |