
CCI-000140

Definition

Take organization-defined actions upon audit failure, including shutting down the system, overwriting the oldest audit records, and stopping the generation of audit records.

Parent Control

AU-5: Response to Audit Logging Process Failures (Audit and Accountability)

Linked STIG Checks (101)

Check ID | Severity | Requirement | STIG
V-268105 | CAT II | The NixOS audit system must take appropriate action when the audit storage volume is full. | Anduril NixOS Security Technical Implementation Guide
V-268106 | CAT II | The NixOS audit system must take appropriate action when an audit processing failure occurs. | Anduril NixOS Security Technical Implementation Guide
V-252465 | CAT II | The macOS system must shut down by default upon audit failure (unless availability is an overriding concern). | Apple macOS 12 (Monterey) Security Technical Implementation Guide
V-257171 | CAT II | The macOS system must shut down by default upon audit failure (unless availability is an overriding concern). | Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-259455 | CAT II | The macOS system must configure system to shut down upon audit failure. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
V-259469 | CAT II | The macOS system must configure audit failure notification. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
V-268455 | CAT II | The macOS system must be configured to shut down upon audit failure. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-268469 | CAT II | The macOS system must configure audit failure notification. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-222486 | CAT II | The application must shut down by default upon audit failure (unless availability is an overriding concern). | Application Security and Development Security Technical Implementation Guide
V-255502 | CAT II | The CA API Gateway must shut down by default upon audit failure (unless availability is an overriding concern). | CA API Gateway NDM Security Technical Implementation Guide
V-219227 | CAT II | The Ubuntu operating system must shut down by default upon audit failure (unless availability is an overriding concern). | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
V-238244 | CAT II | The Ubuntu operating system must shut down by default upon audit failure (unless availability is an overriding concern). | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
V-260594 | CAT II | Ubuntu 22.04 LTS must shut down by default upon audit failure. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-239857 | CAT II | The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable. | Cisco ASA Firewall Security Technical Implementation Guide
V-239881 | CAT II | The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable. | Cisco ASA IPS Security Technical Implementation Guide
V-242598 | CAT II | The Cisco ISE must continue to queue traffic log records locally when communication with the central log server is lost and there is an audit archival failure. This is required for compliance with C2C Step 1. | Cisco ISE NAC Security Technical Implementation Guide
V-269525 | CAT II | AlmaLinux OS 9 audit system must take appropriate action when an error writing to the audit storage volume occurs. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269526 | CAT II | AlmaLinux OS 9 audit system must take appropriate action when the audit storage volume is full. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269527 | CAT II | AlmaLinux OS 9 must take appropriate action when a critical audit processing failure occurs. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269528 | CAT II | AlmaLinux OS 9 audit system must make full use of the audit storage space. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269529 | CAT II | AlmaLinux OS 9 audit system must take appropriate action when the audit files have reached maximum size. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269530 | CAT II | AlmaLinux OS 9 audit system must retain an optimal number of audit records. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-233536 | CAT III | PostgreSQL must be configurable to overwrite audit log records, oldest first (First-In-First-Out [FIFO]), in the event of unavailability of space for more audit log records. | Crunchy Data PostgreSQL Security Technical Implementation Guide
V-233537 | CAT II | PostgreSQL must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure. | Crunchy Data PostgreSQL Security Technical Implementation Guide
V-261873 | CAT II | PostgreSQL must, by default, shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure. | Crunchy Data Postgres 16 Security Technical Implementation Guide
V-261874 | CAT II | PostgreSQL must be configurable to overwrite audit log records, oldest first (first-in-first-out [FIFO]), in the event of unavailability of space for more audit log records. | Crunchy Data Postgres 16 Security Technical Implementation Guide
V-237556 | CAT II | In the event of a logging failure, caused by loss of communications with the central logging server, the DBN-6300 must queue audit records locally until communication is restored or until the audit records are retrieved manually or using automated synchronization tools. | DBN-6300 IDPS Security Technical Implementation Guide
V-237557 | CAT II | In the event of a logging failure caused by the lack of log record storage capacity, the DBN-6300 must continue generating and storing audit records if possible, overwriting the oldest audit records in a first-in-first-out manner. | DBN-6300 IDPS Security Technical Implementation Guide
V-224146 | CAT II | The EDB Postgres Advanced Server must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure. | EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
V-224147 | CAT I | The EDB Postgres Advanced Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records. | EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
V-213577 | CAT II | The EDB Postgres Advanced Server must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure. | EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
V-213578 | CAT I | The EDB Postgres Advanced Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records. | EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
V-259226 | CAT II | The EDB Postgres Advanced Server must, by default, shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure. | EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
V-259227 | CAT II | The EDB Postgres Advanced Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out [FIFO]), in the event of unavailability of space for more audit log records. | EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
V-266257 | CAT III | In the event that communication with the central audit server is lost, the F5 BIG-IP appliance must continue to queue traffic log records locally. | F5 BIG-IP TMOS Firewall Security Technical Implementation Guide
V-237583 | CAT II | CounterACT must use an Enterprise Manager or other high availability solution to ensure redundancy in case of audit failure in this critical network access control and security service. | ForeScout CounterACT ALG Security Technical Implementation Guide
V-234140 | CAT II | In the event that communication with the central audit server is lost, the FortiGate firewall must continue to queue traffic log records locally. | Fortinet FortiGate Firewall Security Technical Implementation Guide
V-213681 | CAT II | Unless it has been determined that availability is paramount, DB2 must, upon audit failure, cease all auditable activity. | IBM DB2 V10.5 LUW Security Technical Implementation Guide
V-255796 | CAT II | The MQ Appliance messaging server must be configured to fail over to another system in the event of log subsystem failure. | IBM MQ Appliance V9.0 AS Security Technical Implementation Guide
V-250327 | CAT II | The WebSphere Liberty Server must be configured to offload logs to a centralized system. | IBM WebSphere Liberty Server Security Technical Implementation Guide
V-255846 | CAT III | The WebSphere Application Server must shut down by default upon log failure (unless availability is an overriding concern). | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
V-255847 | CAT III | The WebSphere Application Server high availability applications must be configured to fail over to another system in the event of log subsystem failure. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
V-223550 | CAT II | IBM z/OS NOBUFFS in SMFPRMxx must be properly set (Default is MSG). | IBM z/OS ACF2 Security Technical Implementation Guide
V-223773 | CAT II | IBM z/OS NOBUFFS in SMFPRMxx must be properly set (default is MSG). | IBM z/OS RACF Security Technical Implementation Guide
V-224075 | CAT II | IBM z/OS NOBUFFS in SMFPRMxx must be properly set (default is MSG). | IBM z/OS TSS Security Technical Implementation Guide
V-34555 | CAT II | In the event of a logging failure caused by the lack of audit record storage capacity, the IDPS must continue generating and storing audit records if possible, overwriting the oldest audit records in a first-in-first-out manner. | Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
V-55333 | CAT II | In the event of a logging failure, caused by loss of communications with the central logging server, the IDPS must queue audit records locally until communication is restored or until the audit records are retrieved manually or using automated synchronization tools. | Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
V-66481 | CAT II | In the event that communications with the events server is lost, the Juniper SRX Services Gateway must continue to queue log records locally. | Juniper SRX SG NDM Security Technical Implementation Guide
V-214522 | CAT II | In the event that communications with the Syslog server is lost, the Juniper SRX Services Gateway must continue to queue traffic log records locally. | Juniper SRX Services Gateway ALG Security Technical Implementation Guide
V-229017 | CAT II | The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when accounts are disabled. | Juniper SRX Services Gateway NDM Security Technical Implementation Guide
V-213819 | CAT II | Unless it has been determined that availability is paramount, SQL Server must shut down upon the failure of an Audit, or a Trace used for auditing purposes, to include the unavailability of space for more audit/trace log records. | MS SQL Server 2014 Instance Security Technical Implementation Guide
V-213860 | CAT I | Where availability is paramount, the SQL Server must continue processing (preferably overwriting existing records, oldest first), in the event of lack of space for more Audit/Trace log records; and must keep processing after any failure of an Audit/Trace. | MS SQL Server 2014 Instance Security Technical Implementation Guide
V-213942 | CAT II | SQL Server must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure. | MS SQL Server 2016 Instance Security Technical Implementation Guide
V-213943 | CAT II | SQL Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records. | MS SQL Server 2016 Instance Security Technical Implementation Guide
V-253677 | CAT II | MariaDB must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure. | MariaDB Enterprise 10.x Security Technical Implementation Guide
V-253678 | CAT II | MariaDB must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records. | MariaDB Enterprise 10.x Security Technical Implementation Guide
V-220348 | CAT II | MarkLogic Server must shut down by default upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure. | MarkLogic Server v9 Security Technical Implementation Guide
V-241994 | CAT III | Windows Defender Firewall with Advanced Security log size must be configured for domain connections. | Microsoft Windows Defender Firewall with Advanced Security Security Technical Implementation Guide
V-241999 | CAT III | Windows Defender Firewall with Advanced Security log size must be configured for private network connections. | Microsoft Windows Defender Firewall with Advanced Security Security Technical Implementation Guide
V-242006 | CAT III | Windows Defender Firewall with Advanced Security log size must be configured for public network connections. | Microsoft Windows Defender Firewall with Advanced Security Security Technical Implementation Guide
V-260915 | CAT II | MKE must be configured to send audit data to a centralized log server. | Mirantis Kubernetes Engine Security Technical Implementation Guide
V-221160 | CAT II | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components. | MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide
V-252134 | CAT II | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components. | MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide
V-265907 | CAT II | MongoDB must provide audit record generation for DOD-defined auditable events within all DBMS/database components. | MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide
V-254180 | CAT II | Nutanix AOS must shut down by default upon audit failure (unless availability is an overriding concern). | Nutanix AOS 5.20.x OS Security Technical Implementation Guide
V-219789 | CAT II | Disk space used by audit trail(s) must be monitored; audit records must be regularly or continuously offloaded to a centralized log management system. | Oracle Database 11.2g Security Technical Implementation Guide
V-248726 | CAT II | The OL 8 System must take appropriate action when an audit processing failure occurs. | Oracle Linux 8 Security Technical Implementation Guide
V-248728 | CAT II | The OL 8 audit system must take appropriate action when the audit storage volume is full. | Oracle Linux 8 Security Technical Implementation Guide
V-271590 | CAT II | OL 9 must take appropriate action when a critical audit processing failure occurs. | Oracle Linux 9 Security Technical Implementation Guide
V-235953 | CAT III | Oracle WebLogic must notify administrative personnel as a group in the event of audit processing failure. | Oracle WebLogic Server 12c Security Technical Implementation Guide
V-207691 | CAT II | In the event of a logging failure caused by the lack of audit record storage capacity, the Palo Alto Networks security platform must continue generating and storing audit records if possible, overwriting the oldest audit records in a first-in-first-out manner. | Palo Alto Networks IDPS Security Technical Implementation Guide
V-252844 | CAT II | Rancher MCM must generate audit records for all DoD-defined auditable events within all components in the platform. | Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide
V-256901 | CAT II | Automation Controller must allocate log record storage capacity and shut down by default upon log failure (unless availability is an overriding concern). | Red Hat Ansible Automation Controller Application Server Security Technical Implementation Guide
V-256902 | CAT II | Automation Controller must be configured to fail over to another system in the event of log subsystem failure. | Red Hat Ansible Automation Controller Application Server Security Technical Implementation Guide
V-230390 | CAT II | The RHEL 8 System must take appropriate action when an audit processing failure occurs. | Red Hat Enterprise Linux 8 Security Technical Implementation Guide
V-230392 | CAT II | The RHEL 8 audit system must take appropriate action when the audit storage volume is full. | Red Hat Enterprise Linux 8 Security Technical Implementation Guide
V-258153 | CAT II | RHEL 9 audit system must take appropriate action when an error writing to the audit storage volume occurs. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-258154 | CAT II | RHEL 9 audit system must take appropriate action when the audit storage volume is full. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-258160 | CAT II | RHEL 9 audit system must take appropriate action when the audit files have reached maximum size. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-258227 | CAT II | RHEL 9 must take appropriate action when a critical audit processing failure occurs. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-257523 | CAT II | OpenShift must take appropriate action upon an audit failure. | Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide
V-257522 | CAT II | All audit records must generate the event results within OpenShift. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
V-257523 | CAT II | OpenShift must take appropriate action upon an audit failure. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
V-251199 | CAT II | Redis Enterprise DBMS must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure. | Redis Enterprise 6.x Security Technical Implementation Guide
V-251200 | CAT II | Redis Enterprise DBMS must be configurable to overwrite audit log records, oldest first (First-In-First-Out [FIFO]), in the event of unavailability of space for more audit log records. | Redis Enterprise 6.x Security Technical Implementation Guide
V-261415 | CAT II | SLEM 5 audit system must take appropriate action when the audit storage volume is full. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
V-217196 | CAT II | The SUSE operating system audit system must take appropriate action when the audit storage volume is full. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
V-216276 | CAT II | The operating system must shut down by default upon audit failure (unless availability is an overriding concern). | Solaris 11 SPARC Security Technical Implementation Guide
V-216041 | CAT II | The operating system must shut down by default upon audit failure (unless availability is an overriding concern). | Solaris 11 X86 Security Technical Implementation Guide
V-242176 | CAT II | The TPS must provide audit record generation capability for detection events based on implementation of policy filters, rules, signatures, and anomaly analysis. | Trend Micro TippingPoint IDPS Security Technical Implementation Guide
V-242186 | CAT II | In the event of a logging failure caused by the lack of audit record storage capacity, the SMS must continue generating and storing audit records, overwriting the oldest audit records in a first-in-first-out manner using Audit Log maintenance. | Trend Micro TippingPoint IDPS Security Technical Implementation Guide
V-252973 | CAT II | TOSS audit records must contain information to establish what type of events occurred, when the events occurred, the source of events, where events occurred, and the outcome of events. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
V-252976 | CAT II | TOSS must take appropriate action when an audit processing failure occurs. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
V-240287 | CAT III | vRA PostgreSQL database must have log_truncate_on_rotation enabled. | VMW vRealize Automation 7.x PostgreSQL Security Technical Implementation Guide
V-239784 | CAT III | The vROps PostgreSQL DB must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records. | VMW vRealize Operations Manager 6.x PostgreSQL Security Technical Implementation Guide
V-251763 | CAT II | Each NSX-T Edge Node configured to host a Tier-1 Gateway Firewall must be configured to use the TLS or LI-TLS protocols to configure and secure traffic log records. | VMware NSX-T Tier 1 Gateway Firewall Security Technical Implementation Guide
V-251738 | CAT II | The NSX-T Tier-0 Gateway Firewall must be configured to use the TLS or LI-TLS protocols to configure and secure communications with the central audit server. | VMware NSX-T Tier-0 Gateway Firewall Security Technical Implementation Guide
V-240357 | CAT II | The SLES for vRealize must shut down by default upon audit failure (unless availability is an overriding concern). | VMware vRealize Automation 7.x SLES Security Technical Implementation Guide
V-239455 | CAT II | The SLES for vRealize must shut down by default upon audit failure (unless availability is an overriding concern). | VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide
V-256492 | CAT II | The Photon operating system audit log must attempt to log audit failures to syslog. | VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide
V-256594 | CAT II | VMware Postgres must be configured to overwrite older logs when necessary. | VMware vSphere 7.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide