STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-000154

Definition

Provide the capability to centrally review and analyze audit records from multiple components within the system.

Parent Control

AU-6 (4): Audit Record Review, Analysis, and Reporting (Audit and Accountability)

Linked STIG Checks (85)

Vuln ID | Severity | Check title | STIG / SRG

  • V-274017 | CAT II | Amazon Linux 2023 must have the audit package installed. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274018 | CAT II | Amazon Linux 2023 must produce audit records containing information to establish what type of events occurred. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274020 | CAT II | Amazon Linux 2023 must have the rsyslog package installed. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-268107 | CAT II | NixOS must have the packages required for offloading audit logs installed and running. | Anduril NixOS Security Technical Implementation Guide
  • V-268108 | CAT II | The NixOS audit records must be off-loaded onto a different system or storage media from the system being audited. | Anduril NixOS Security Technical Implementation Guide
  • V-268109 | CAT II | NixOS must authenticate the remote logging server for off-loading audit logs. | Anduril NixOS Security Technical Implementation Guide
  • V-214346 | CAT II | An Apache web server that is part of a web server cluster must route all remote management through a centrally managed access control point. | Apache Server 2.4 Windows Server Security Technical Implementation Guide
  • V-252534 | CAT II | The macOS system must enable System Integrity Protection. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
  • V-257240 | CAT I | The macOS system must enable System Integrity Protection. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-259560 | CAT I | The macOS system must ensure System Integrity Protection is enabled. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
  • V-268555 | CAT I | The macOS system must ensure System Integrity Protection is enabled. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-277165 | CAT I | The macOS system must ensure System Integrity Protection (SIP) is enabled. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-222480 | CAT II | The application must provide centralized management and configuration of the content to be captured in audit records generated by all application components. | Application Security and Development Security Technical Implementation Guide
  • V-222487 | CAT II | The application must provide the capability to centrally review and analyze audit records from multiple components within the system. | Application Security and Development Security Technical Implementation Guide
  • V-276014 | CAT I | Ax-OS must off-load audit records onto a different system or media than the system being audited. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
  • V-219225 | CAT II | The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
  • V-238298 | CAT II | The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
  • V-260590 | CAT II | Ubuntu 22.04 LTS must have the "auditd" package installed. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-260591 | CAT II | Ubuntu 22.04 LTS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-270656 | CAT II | Ubuntu 24.04 LTS must have the "auditd" package installed. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-270657 | CAT II | Ubuntu 24.04 LTS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-206455 | CAT III | The Central Log Server must be configured to perform analysis of log records across multiple devices and hosts in the enclave that can be reviewed by authorized individuals. | Central Log Server Security Requirements Guide
  • V-269469 | CAT II | The audit package must be installed on AlmaLinux OS 9. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269531 | CAT II | AlmaLinux OS 9 must periodically flush audit records to disk to prevent the loss of audit records. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269532 | CAT II | The auditd service must be enabled on AlmaLinux OS 9. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-233052 | CAT II | The container platform components must provide the ability to send audit logs to a central enterprise repository for review and analysis. | Container Platform Security Requirements Guide
  • V-235779 | CAT II | The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-203613 | CAT II | The operating system must provide the capability to centrally review and analyze audit records from multiple components within the system. | General Purpose Operating System Security Requirements Guide
  • V-254764 | CAT II | Google Android 13 must be configured to enable audit logging. | Google Android 13 COPE Security Technical Implementation Guide
  • V-258377 | CAT II | Google Android 14 must be configured to enable audit logging. | Google Android 14 COBO Security Technical Implementation Guide
  • V-258408 | CAT II | Google Android 14 must be configured to enable audit logging. | Google Android 14 COPE Security Technical Implementation Guide
  • V-267430 | CAT II | Google Android 15 must be configured to enable audit logging. | Google Android 15 COBO Security Technical Implementation Guide
  • V-267525 | CAT II | Google Android 15 must be configured to enable audit logging. | Google Android 15 COPE Security Technical Implementation Guide
  • V-276748 | CAT II | Google Android 16 must be configured to enable audit logging. | Google Android 16 COBO Security Technical Implementation Guide
  • V-276850 | CAT II | Google Android 16 must be configured to enable audit logging. | Google Android 16 COPE Security Technical Implementation Guide
  • V-274317 | CAT II | Honeywell Android 13 must be configured to enable audit logging. | Honeywell Android 13 COBO Security Technical Implementation Guide
  • V-274413 | CAT II | Honeywell Android 13 must be configured to enable audit logging. | Honeywell Android 13 COPE Security Technical Implementation Guide
  • V-215246 | CAT II | AIX must provide audit record generation functionality for DoD-defined auditable events. | IBM AIX 7.x Security Technical Implementation Guide
  • V-55335 | CAT II | The IDPS must provide log information in a format that can be extracted and used by centralized analysis tools. | Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
  • V-206874 | CAT II | The IDPS must provide log information in a format that can be extracted and used by centralized analysis tools. | Intrusion Detection and Prevention Systems Security Requirements Guide
  • V-205473 | CAT II | The Mainframe Product must provide the capability to centrally review and analyze audit records from multiple components within the system. | Mainframe Product Security Requirements Guide
  • V-221209 | CAT II | Exchange Queue monitoring must be configured with threshold and action. | Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide
  • V-228363 | CAT II | Exchange Queue monitoring must be configured with threshold and action. | Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide
  • V-259584 | CAT II | Exchange queue monitoring must be configured with threshold and action. | Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide
  • V-259659 | CAT II | Exchange queue monitoring must be configured with threshold and action. | Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide
  • V-260915 | CAT II | MKE must be configured to send audit data to a centralized log server. | Mirantis Kubernetes Engine Security Technical Implementation Guide
  • V-272172 | CAT II | Motorola Solutions Android 13 must be configured to enable audit logging. | Motorola Solutions Android 13 COBO Security Technical Implementation Guide
  • V-272349 | CAT II | Motorola Solutions Android 13 must be configured to enable audit logging. | Motorola Solutions Android 13 COPE Security Technical Implementation Guide
  • V-254181 | CAT II | Nutanix AOS must provide the capability to centrally review and analyze audit records from multiple components within the system. | Nutanix AOS 5.20.x OS Security Technical Implementation Guide
  • V-279565 | CAT II | Nutanix OS must have the audit.x86_64 package installed. | Nutanix Acropolis GPOS Security Technical Implementation Guide
  • V-248519 | CAT II | The OL 8 audit package must be installed. | Oracle Linux 8 Security Technical Implementation Guide
  • V-248520 | CAT II | OL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Oracle Linux 8 Security Technical Implementation Guide
  • V-271508 | CAT II | OL 9 must have the rsyslog package installed. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271519 | CAT II | OL 9 must have the audit package installed. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271520 | CAT II | OL 9 audit service must be enabled. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271582 | CAT II | OL 9 must periodically flush audit records to disk to prevent the loss of audit records. | Oracle Linux 9 Security Technical Implementation Guide
  • V-253530 | CAT II | Prisma Cloud Compute must be configured to send events to the hosts' syslog. | Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide
  • V-252843 | CAT I | Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. | Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide
  • V-280983 | CAT II | RHEL 10 must have the "rsyslog" package installed. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-280993 | CAT II | RHEL 10 must have the "audit" package installed. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-280994 | CAT II | RHEL 10 must enable the audit service. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-281111 | CAT II | RHEL 10 must periodically flush audit records to disk to ensure that audit records are not lost. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-258140 | CAT II | RHEL 9 must have the rsyslog package installed. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-258151 | CAT II | RHEL 9 audit package must be installed. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-258152 | CAT II | RHEL 9 audit service must be enabled. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-258168 | CAT II | RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-257524 | CAT II | OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis. | Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide
  • V-257524 | CAT II | OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
  • V-275677 | CAT II | Ubuntu OS must have the "auditd" package installed. | Riverbed NetIM OS Security Technical Implementation Guide
  • V-275678 | CAT II | Ubuntu OS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time. | Riverbed NetIM OS Security Technical Implementation Guide
  • V-261411 | CAT II | SLEM 5 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
  • V-217191 | CAT II | SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
  • V-241009 | CAT II | Tanium must provide the capability to centrally review and analyze audit records from multiple components within the system. | Tanium 7.0 Security Technical Implementation Guide
  • V-234031 | CAT II | Tanium must centrally review and analyze audit records from multiple components within the system. | Tanium 7.3 Security Technical Implementation Guide
  • V-254899 | CAT II | The Tanium application must be configured to send audit records from multiple components within the system to a central location for review and analysis of audit records. | Tanium 7.x Application on TanOS Security Technical Implementation Guide
  • V-253779 | CAT II | The Tanium application must be configured to send audit records from multiple components within the system to a central location for review and analysis. | Tanium 7.x Security Technical Implementation Guide
  • V-242187 | CAT II | The SMS and TPS must provide log information in a format that can be extracted and used by centralized analysis tools. | Trend Micro TippingPoint IDPS Security Technical Implementation Guide
  • V-252973 | CAT II | TOSS audit records must contain information to establish what type of events occurred, when the events occurred, the source of events, where events occurred, and the outcome of events. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
  • V-282430 | CAT II | TOSS 5 must periodically flush audit records to disk to prevent the loss of audit records. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
  • V-221651 | CAT II | The MDM Agent must be configured to enable the following function: [selection: read audit logs of the MD]. This requirement is inherently met if the function is automatically implemented during MDM Agent install/device enrollment. | VMware Workspace ONE UEM Security Technical Implementation Guide
  • V-256378 | CAT II | Remote logging for ESXi hosts must be configured. | VMware vSphere 7.0 ESXi Security Technical Implementation Guide
  • V-207360 | CAT II | The VMM must support the capability to centrally review and analyze audit records from multiple components within the system. | Virtual Machine Manager Security Requirements Guide
  • V-270099 | CAT II | Zebra Android 13 must be configured to enable audit logging. | Zebra Android 13 COPE Security Technical Implementation Guide
  • V-283484 | CAT II | Zebra Android 14 must be configured to enable audit logging. | Zebra Technologies Android 14 COBO Security Technical Implementation Guide
  • V-283584 | CAT II | Zebra Android 14 must be configured to enable audit logging. | Zebra Technologies Android 14 COPE Security Technical Implementation Guide