STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← AU-9 — Protection of Audit Information

CCI-001494

Definition

Protect audit tools from unauthorized modification.

Parent Control

AU-9Protection of Audit InformationAudit and Accountability

Linked STIG Checks (150)

V-279037CAT IIIThe ColdFusion file ownership and permissions must be restricted to prevent unauthorized access to log tools.Adobe ColdFusion Security Technical Implementation Guide V-274026CAT IIAmazon Linux 2023 must use cryptographic mechanisms to protect the integrity of audit tools.Amazon Linux 2023 Security Technical Implementation Guide V-222948CAT II$CATALINA_HOME/bin folder permissions must be set to 750.Apache Tomcat Application Server 9 Security Technical Implementation Guide V-252534CAT IIThe macOS system must enable System Integrity Protection.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-257240CAT IThe macOS system must enable System Integrity Protection.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-268432CAT IIThe macOS system must configure audit log files to not contain access control lists (ACLs).Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268433CAT IIThe macOS system must configure the audit log folder to not contain access control lists (ACLs).Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268454CAT IIThe macOS system must enable security auditing.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268456CAT IIThe macOS system must configure audit log files to be owned by root.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268457CAT IIThe macOS system must configure audit log folders to be owned by root.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268458CAT IIThe macOS system must configure the audit log files group to wheel.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268459CAT IIThe macOS system must configure the audit log folders group to wheel.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268460CAT IIThe macOS system must configure audit log files to mode 440 or less permissive.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268461CAT IIThe macOS system must configure audit log folders to mode 700 or less permissive.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268462CAT IIThe macOS system must be configured to audit all deletions of object attributes.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268463CAT IIThe macOS system must be configured to audit all changes of object attributes.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268464CAT IIThe macOS system must be configured to audit all failed read actions on the system.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268465CAT IIThe macOS system must be configured to audit all failed write actions on the system.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268473CAT IIThe macOS system must configure audit_control group to wheel.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268474CAT IIThe macOS system must configure audit_control owner to root.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268475CAT IIThe macOS system must configure audit_control owner to mode 440 or less permissive.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268555CAT IThe macOS system must ensure System Integrity Protection is enabled.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-269095CAT IIThe macOS system must configure audit_control to not contain access control lists (ACLs).Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-277040CAT IIThe macOS system must configure audit log files to not contain access control lists (ACLs).Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277041CAT IIThe macOS system must configure the audit log folder to not contain access control lists (ACLs).Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277062CAT IIThe macOS system must enable security auditing.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277063CAT IIThe macOS system must configure audit log files to be owned by root.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277064CAT IIThe macOS system must configure audit log folders to be owned by root.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277065CAT IIThe macOS system must configure the audit log files group to wheel.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277066CAT IIThe macOS system must configure the audit log folders group to wheel.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277067CAT IIThe macOS system must configure audit log files to mode 440 or less permissive.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277068CAT IIThe macOS system must configure audit log folders to mode 700 or less permissive.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277069CAT IIThe macOS system must be configured to audit all deletions of object attributes.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277070CAT IIThe macOS system must be configured to audit all changes of object attributes.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277071CAT IIThe macOS system must be configured to audit all failed read actions on the system.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277072CAT IIThe macOS system must be configured to audit all failed write actions on the system.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277080CAT IIThe macOS system must configure audit_control group to wheel.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277081CAT IIThe macOS system must configure audit_control owner to root.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277082CAT IIThe macOS system must configure audit_control owner to mode 440 or less permissive.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277083CAT IIThe macOS system must configure audit_control to not contain access control lists (ACLs).Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277165CAT IThe macOS system must ensure System Integrity Protection (SIP) is enabled.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-204940CAT IIThe ALG must protect audit tools from unauthorized modification.Application Layer Gateway Security Requirements Guide V-222504CAT IIThe application must protect audit tools from unauthorized modification.Application Security and Development Security Technical Implementation Guide V-204736CAT IIThe application server must protect log tools from unauthorized modification.Application Server Security Requirements Guide V-276014CAT IAx-OS must off-load audit records onto a different system or media than the system being audited.Axonius Federal Systems Ax-OS Security Technical Implementation Guide V-219195CAT IIThe Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive.Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide V-238300CAT IIThe Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-238301CAT IIThe Ubuntu operating system must configure audit tools to be owned by root.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-238302CAT IIThe Ubuntu operating system must configure the audit tools to be group-owned by root.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-260492CAT IIUbuntu 22.04 LTS must configure audit tools with a mode of "755" or less permissive.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-260507CAT IIUbuntu 22.04 LTS must configure audit tools to be owned by "root".Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-270821CAT IIUbuntu 24.04 LTS must configure audit tools with a mode of "0755" or less permissive.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-270822CAT IIUbuntu 24.04 LTS must configure audit tools to be owned by root.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-270823CAT IIUbuntu 24.04 LTS must configure the audit tools to be group owned by root.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-221918CAT IIThe Central Log Server must protect audit tools from unauthorized modification.Central Log Server Security Requirements Guide V-269545CAT IIAlmaLinux OS 9 must use cryptographic mechanisms to protect the integrity of audit tools.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-233060CAT IIThe container platform must protect audit tools from unauthorized modification.Container Platform Security Requirements Guide V-233618CAT IIPostgreSQL must protect its audit configuration from unauthorized modification.Crunchy Data PostgreSQL Security Technical Implementation Guide V-261879CAT IIPostgreSQL must protect its audit configuration from unauthorized modification.Crunchy Data Postgres 16 Security Technical Implementation Guide V-206542CAT IIThe DBMS must protect its audit configuration from unauthorized modification.Database Security Requirements Guide V-224152CAT IIThe EDB Postgres Advanced Server must protect its audit configuration from unauthorized modification.EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide V-213583CAT IIThe EDB Postgres Advanced Server must protect its audit configuration from unauthorized modification.EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide V-259232CAT IIThe EDB Postgres Advanced Server must protect its audit configuration from unauthorized modification.EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide V-215753CAT IIThe BIG-IP Core implementation must be configured to protect audit tools from unauthorized modification.F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide V-230216CAT IIThe BIG-IP Core implementation must be configured to activate a session lock to conceal information previously visible on the display for connections to virtual servers.F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide V-278388CAT IINGINX must protect audit information from unauthorized access.F5 NGINX Security Technical Implementation Guide V-234187CAT IIThe FortiGate device must protect audit tools from unauthorized modification.Fortinet FortiGate Firewall NDM Security Technical Implementation Guide V-203673CAT IIThe operating system must protect audit tools from unauthorized modification.General Purpose Operating System Security Requirements Guide V-268256CAT IIThe HYCU virtual appliance must protect audit tools from unauthorized access, modification, and deletion.HYCU Protege Security Technical Implementation Guide V-215248CAT IIAIX audit tools must be owned by root.IBM AIX 7.x Security Technical Implementation Guide V-215249CAT IIAIX audit tools must be group-owned by audit.IBM AIX 7.x Security Technical Implementation Guide V-215250CAT IIAIX audit tools must be set to 4550 or less permissive.IBM AIX 7.x Security Technical Implementation Guide V-252574CAT IIThe IBM Aspera Console feature audit tools must be protected from unauthorized modification or deletion.IBM Aspera Platform 4.2 Security Technical Implementation Guide V-213686CAT IIDB2 must protect its audit configuration from unauthorized modification.IBM DB2 V10.5 LUW Security Technical Implementation Guide V-65079CAT IIThe DataPower Gateway must protect audit tools from unauthorized modification.IBM DataPower Network Device Management Security Technical Implementation Guide V-255852CAT IIThe WebSphere Application Server wsadmin file must be protected from unauthorized modification.IBM WebSphere Traditional V9.x Security Technical Implementation Guide V-223554CAT IIIBM z/OS SMF collection files (i.e., SYS1.MANx) access must be limited to appropriate users and/or batch jobs that perform SMF dump processing.IBM z/OS ACF2 Security Technical Implementation Guide V-223701CAT IIIBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing.IBM z/OS RACF Security Technical Implementation Guide V-223881CAT IIIBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing.IBM z/OS TSS Security Technical Implementation Guide V-237932CAT IIThe IBM z/VM AUDT and Journal Mini Disks must be restricted to the appropriate system administrators.IBM zVM Using CA VM:Secure Security Technical Implementation Guide V-213824CAT IISQL Server and/or the operating system must protect its audit configuration from unauthorized modification.MS SQL Server 2014 Instance Security Technical Implementation Guide V-213948CAT IISQL Server must protect its audit configuration from authorized and unauthorized access and modification.MS SQL Server 2016 Instance Security Technical Implementation Guide V-205481CAT IIThe Mainframe Product must protect audit tools from unauthorized modification.Mainframe Product Security Requirements Guide V-253683CAT IIMariaDB must protect its audit configuration from unauthorized modification.MariaDB Enterprise 10.x Security Technical Implementation Guide V-220353CAT IIMarkLogic Server must protect its audit configuration from unauthorized modification.MarkLogic Server v9 Security Technical Implementation Guide V-255332CAT IIThe audit information produced by Azure SQL Database must be protected from unauthorized deletion.Microsoft Azure SQL Database Security Technical Implementation Guide V-276299CAT IIAzure SQL Managed Instance must protect its audit configuration from unauthorized access, modification, and deletion.Microsoft Azure SQL Managed Instance Security Technical Implementation Guide V-271283CAT IISQL Server must protect its audit configuration from authorized and unauthorized access and modification.Microsoft SQL Server 2022 Instance Security Technical Implementation Guide V-224880CAT IIEvent Viewer must be protected from unauthorized modification and deletion.Microsoft Windows Server 2016 Security Technical Implementation Guide V-205731CAT IIWindows Server 2019 Event Viewer must be protected from unauthorized modification and deletion.Microsoft Windows Server 2019 Security Technical Implementation Guide V-254299CAT IIWindows Server 2022 Event Viewer must be protected from unauthorized modification and deletion.Microsoft Windows Server 2022 Security Technical Implementation Guide V-278046CAT IIWindows Server 2025 Event Viewer must be protected from unauthorized modification and deletion.Microsoft Windows Server 2025 Security Technical Implementation Guide V-221162CAT IIMongoDB must protect its audit features from unauthorized access.MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide V-252136CAT IIMongoDB must protect its audit features from unauthorized access.MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide V-265909CAT IIMongoDB must protect its audit features from unauthorized access.MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide V-279337CAT IIMongoDB must protect its audit features from unauthorized access, modification, and removal.MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide V-202043CAT IIThe network device must protect audit tools from unauthorized modification.Network Device Management Security Requirements Guide V-254185CAT IINutanix AOS audit tools must be owned by root.Nutanix AOS 5.20.x OS Security Technical Implementation Guide V-279576CAT IINutanix OS must configure the audit log files to be owned by root.Nutanix Acropolis GPOS Security Technical Implementation Guide V-219765CAT IIThe DBMS must protect audit tools from unauthorized modification.Oracle Database 11.2g Security Technical Implementation Guide V-220281CAT IIThe system must protect audit tools from unauthorized modification.Oracle Database 12c Security Technical Implementation Guide V-270511CAT IIThe system must protect audit tools from unauthorized access, modification, or deletion.Oracle Database 19c Security Technical Implementation Guide V-221652CAT IThe Oracle Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.Oracle Linux 7 Security Technical Implementation Guide V-248808CAT IIOL 8 audit tools must be owned by root.Oracle Linux 8 Security Technical Implementation Guide V-248809CAT IIOL 8 audit tools must be group-owned by root.Oracle Linux 8 Security Technical Implementation Guide V-271569CAT IIOL 9 must use cryptographic mechanisms to protect the integrity of audit tools.Oracle Linux 9 Security Technical Implementation Guide V-235161CAT IIThe MySQL Database Server 8.0 must protect its audit configuration from unauthorized modification.Oracle MySQL 8.0 Security Technical Implementation Guide V-235958CAT IIOracle WebLogic must protect audit tools from unauthorized modification.Oracle WebLogic Server 12c Security Technical Implementation Guide V-214152CAT IIPostgreSQL must protect its audit configuration from unauthorized modification.PostgreSQL 9.x Security Technical Implementation Guide V-252843CAT IRancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide V-281077CAT IIRHEL 10 must be configured so that audit tools are owned by "root".Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281078CAT IIRHEL 10 must be configured so that audit tools are group-owned by "root".Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281094CAT IIRHEL 10 must enforce a mode of "0755" or less permissive for audit tools.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-204392CAT IThe Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-258137CAT IIRHEL 9 must use cryptographic mechanisms to protect the integrity of audit tools.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257535CAT IIOpenShift must protect audit tools from unauthorized access.Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide V-251206CAT IIRedis Enterprise DBMS must protect its audit configuration from unauthorized modification.Redis Enterprise 6.x Security Technical Implementation Guide V-275586CAT IIUbuntu OS must configure audit tools with a mode of "755" or less permissive.Riverbed NetIM OS Security Technical Implementation Guide V-275601CAT IIUbuntu OS must configure audit tools to be owned by "root".Riverbed NetIM OS Security Technical Implementation Guide V-256079CAT IThe Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles.Riverbed NetProfiler Security Technical Implementation Guide V-261419CAT IISLEM 5 audit tools must have the proper permissions configured to protect against unauthorized access.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide V-217203CAT IIThe SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-216283CAT IIThe operating system must protect audit tools from unauthorized modification.Solaris 11 SPARC Security Technical Implementation Guide V-216048CAT IIThe operating system must protect audit tools from unauthorized modification.Solaris 11 X86 Security Technical Implementation Guide V-221935CAT IISplunk Enterprise installation directories must be secured.Splunk Enterprise 7.x for Windows Security Technical Implementation Guide V-251672CAT IISplunk Enterprise installation directories must be secured.Splunk Enterprise 8.x for Linux Security Technical Implementation Guide V-279251CAT IThe Edge SWG must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.Symantec Edge SWG NDM Security Technical Implementation Guide V-94675CAT IISymantec ProxySG must protect the Web Management Console, SSH, and command line interface (CLI) from unauthorized modification.Symantec ProxySG NDM Security Technical Implementation Guide V-241025CAT IIThe Tanium Server must protect audit tools from unauthorized access, modification, or deletion.Tanium 7.0 Security Technical Implementation Guide V-234069CAT IIThe Tanium application must prohibit user installation of software without explicit privileged status.Tanium 7.3 Security Technical Implementation Guide V-254902CAT IIThe Tanium application must prohibit user installation, modification, or deletion of software without explicit privileged status.Tanium 7.x Application on TanOS Security Technical Implementation Guide V-253831CAT IIThe Tanium application must prohibit user installation, modification, or deletion of software without explicit privileged status.Tanium 7.x Security Technical Implementation Guide V-241128CAT IITrend Deep Security must protect audit tools from unauthorized modification.Trend Micro Deep Security 9.x Security Technical Implementation Guide V-253022CAT IITOSS audit tools must be owned by "root".Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide V-282534CAT IITOSS 5 must use cryptographic mechanisms to protect the integrity of audit tools.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-240292CAT IIThe vRA PostgreSQL configuration files must have the correct ownership.VMW vRealize Automation 7.x PostgreSQL Security Technical Implementation Guide V-239789CAT IIThe vROps PostgreSQL DB must protect its audit configuration from unauthorized modification.VMW vRealize Operations Manager 6.x PostgreSQL Security Technical Implementation Guide V-240490CAT IIThe SLES for vRealize must protect audit tools from unauthorized modification.VMware vRealize Automation 7.x SLES Security Technical Implementation Guide V-239583CAT IIThe SLES for vRealize must protect audit tools from unauthorized modification.VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide V-256447CAT IIThe ESXi host must implement Secure Boot enforcement.VMware vSphere 7.0 ESXi Security Technical Implementation Guide V-256523CAT IIThe Photon operating system must protect audit tools from unauthorized modification and deletion.VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide V-256593CAT IIVMware Postgres configuration files must not be accessible by unauthorized users.VMware vSphere 7.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide V-258740CAT IIThe ESXi host must implement Secure Boot enforcement.VMware vSphere 8.0 ESXi Security Technical Implementation Guide V-258837CAT IIThe Photon operating system must protect audit tools from unauthorized access.VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide V-259168CAT IIThe vCenter PostgreSQL service configuration files must not be accessible by unauthorized users.VMware vSphere 8.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide V-207422CAT IIThe VMM must protect audit tools from unauthorized modification.Virtual Machine Manager Security Requirements Guide V-73411CAT IIEvent Viewer must be protected from unauthorized modification and deletion.Windows Server 2016 Security Technical Implementation Guide V-73411CAT IIEvent Viewer must be protected from unauthorized modification and deletion.Windows Server 2016 Security Technical Implementation Guide V-93195CAT IIWindows Server 2019 Event Viewer must be protected from unauthorized modification and deletion.Windows Server 2019 Security Technical Implementation Guide V-269576CAT IIXylok Security Suite must protect audit information from any type of unauthorized access.Xylok Security Suite 20.x Security Technical Implementation Guide