STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← AU-9 — Protection of Audit Information

CCI-001495

Definition

Protect audit tools from unauthorized deletion.

Parent Control

AU-9Protection of Audit InformationAudit and Accountability

Linked STIG Checks (144)

V-279037CAT IIIThe ColdFusion file ownership and permissions must be restricted to prevent unauthorized access to log tools.Adobe ColdFusion Security Technical Implementation Guide V-274026CAT IIAmazon Linux 2023 must use cryptographic mechanisms to protect the integrity of audit tools.Amazon Linux 2023 Security Technical Implementation Guide V-222948CAT II$CATALINA_HOME/bin folder permissions must be set to 750.Apache Tomcat Application Server 9 Security Technical Implementation Guide V-252534CAT IIThe macOS system must enable System Integrity Protection.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-257240CAT IThe macOS system must enable System Integrity Protection.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-268432CAT IIThe macOS system must configure audit log files to not contain access control lists (ACLs).Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268433CAT IIThe macOS system must configure the audit log folder to not contain access control lists (ACLs).Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268454CAT IIThe macOS system must enable security auditing.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268456CAT IIThe macOS system must configure audit log files to be owned by root.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268457CAT IIThe macOS system must configure audit log folders to be owned by root.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268458CAT IIThe macOS system must configure the audit log files group to wheel.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268459CAT IIThe macOS system must configure the audit log folders group to wheel.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268460CAT IIThe macOS system must configure audit log files to mode 440 or less permissive.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268461CAT IIThe macOS system must configure audit log folders to mode 700 or less permissive.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268462CAT IIThe macOS system must be configured to audit all deletions of object attributes.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268463CAT IIThe macOS system must be configured to audit all changes of object attributes.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268464CAT IIThe macOS system must be configured to audit all failed read actions on the system.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268465CAT IIThe macOS system must be configured to audit all failed write actions on the system.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268473CAT IIThe macOS system must configure audit_control group to wheel.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268474CAT IIThe macOS system must configure audit_control owner to root.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268475CAT IIThe macOS system must configure audit_control owner to mode 440 or less permissive.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268555CAT IThe macOS system must ensure System Integrity Protection is enabled.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-269095CAT IIThe macOS system must configure audit_control to not contain access control lists (ACLs).Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-277040CAT IIThe macOS system must configure audit log files to not contain access control lists (ACLs).Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277041CAT IIThe macOS system must configure the audit log folder to not contain access control lists (ACLs).Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277062CAT IIThe macOS system must enable security auditing.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277063CAT IIThe macOS system must configure audit log files to be owned by root.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277064CAT IIThe macOS system must configure audit log folders to be owned by root.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277065CAT IIThe macOS system must configure the audit log files group to wheel.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277066CAT IIThe macOS system must configure the audit log folders group to wheel.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277067CAT IIThe macOS system must configure audit log files to mode 440 or less permissive.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277068CAT IIThe macOS system must configure audit log folders to mode 700 or less permissive.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277069CAT IIThe macOS system must be configured to audit all deletions of object attributes.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277070CAT IIThe macOS system must be configured to audit all changes of object attributes.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277071CAT IIThe macOS system must be configured to audit all failed read actions on the system.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277072CAT IIThe macOS system must be configured to audit all failed write actions on the system.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277080CAT IIThe macOS system must configure audit_control group to wheel.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277081CAT IIThe macOS system must configure audit_control owner to root.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277082CAT IIThe macOS system must configure audit_control owner to mode 440 or less permissive.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277083CAT IIThe macOS system must configure audit_control to not contain access control lists (ACLs).Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277165CAT IThe macOS system must ensure System Integrity Protection (SIP) is enabled.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-204941CAT IIThe ALG must protect audit tools from unauthorized deletion.Application Layer Gateway Security Requirements Guide V-222505CAT IIThe application must protect audit tools from unauthorized deletion.Application Security and Development Security Technical Implementation Guide V-204737CAT IIThe application server must protect log tools from unauthorized deletion.Application Server Security Requirements Guide V-276014CAT IAx-OS must off-load audit records onto a different system or media than the system being audited.Axonius Federal Systems Ax-OS Security Technical Implementation Guide V-219195CAT IIThe Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive.Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide V-238344CAT IIThe Ubuntu operating system must have directories that contain system commands set to a mode of 0755 or less permissive.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-238345CAT IIThe Ubuntu operating system must have directories that contain system commands owned by root.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-238346CAT IIThe Ubuntu operating system must have directories that contain system commands group-owned by root.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-260485CAT IIUbuntu 22.04 LTS must have directories that contain system commands set to a mode of "755" or less permissive.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-260493CAT IIUbuntu 22.04 LTS must have directories that contain system commands owned by "root".Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-260494CAT IIUbuntu 22.04 LTS must have directories that contain system commands group-owned by "root".Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-270824CAT IIUbuntu 24.04 LTS must have directories that contain system commands set to a mode of "0755" or less permissive.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-270825CAT IIUbuntu 24.04 LTS must have directories that contain system commands owned by root.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-270826CAT IIUbuntu 24.04 LTS must have directories that contain system commands group-owned by root.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-221919CAT IIThe Central Log Server must protect audit tools from unauthorized deletion.Central Log Server Security Requirements Guide V-269542CAT IIAlmaLinux OS 9 audit tools must be owned by root.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269543CAT IIAlmaLinux OS 9 audit tools must have a mode of 0755 or less permissive.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-233061CAT IIThe container platform must protect audit tools from unauthorized deletion.Container Platform Security Requirements Guide V-233609CAT IIPostgreSQL must protect its audit features from unauthorized removal.Crunchy Data PostgreSQL Security Technical Implementation Guide V-261880CAT IIPostgreSQL must protect its audit features from unauthorized removal.Crunchy Data Postgres 16 Security Technical Implementation Guide V-206543CAT IIThe DBMS must protect its audit features from unauthorized removal.Database Security Requirements Guide V-224153CAT IIThe EDB Postgres Advanced Server must protect its audit features from unauthorized removal.EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide V-213584CAT IIThe EDB Postgres Advanced Server must protect its audit features from unauthorized removal.EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide V-259233CAT IIThe EDB Postgres Advanced Server must protect its audit features from unauthorized removal.EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide V-215754CAT IIThe BIG-IP Core implementation must be configured to protect audit tools from unauthorized deletion.F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide V-278388CAT IINGINX must protect audit information from unauthorized access.F5 NGINX Security Technical Implementation Guide V-203674CAT IIThe operating system must protect audit tools from unauthorized deletion.General Purpose Operating System Security Requirements Guide V-268256CAT IIThe HYCU virtual appliance must protect audit tools from unauthorized access, modification, and deletion.HYCU Protege Security Technical Implementation Guide V-215248CAT IIAIX audit tools must be owned by root.IBM AIX 7.x Security Technical Implementation Guide V-215249CAT IIAIX audit tools must be group-owned by audit.IBM AIX 7.x Security Technical Implementation Guide V-215250CAT IIAIX audit tools must be set to 4550 or less permissive.IBM AIX 7.x Security Technical Implementation Guide V-252574CAT IIThe IBM Aspera Console feature audit tools must be protected from unauthorized modification or deletion.IBM Aspera Platform 4.2 Security Technical Implementation Guide V-213687CAT IIDB2 must protect its audit features from unauthorized removal.IBM DB2 V10.5 LUW Security Technical Implementation Guide V-65081CAT IIThe DataPower Gateway must protect audit tools from unauthorized deletion.IBM DataPower Network Device Management Security Technical Implementation Guide V-255853CAT IIThe WebSphere Application Server wsadmin file must be protected from unauthorized deletion.IBM WebSphere Traditional V9.x Security Technical Implementation Guide V-223554CAT IIIBM z/OS SMF collection files (i.e., SYS1.MANx) access must be limited to appropriate users and/or batch jobs that perform SMF dump processing.IBM z/OS ACF2 Security Technical Implementation Guide V-223701CAT IIIBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing.IBM z/OS RACF Security Technical Implementation Guide V-223881CAT IIIBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing.IBM z/OS TSS Security Technical Implementation Guide V-237932CAT IIThe IBM z/VM AUDT and Journal Mini Disks must be restricted to the appropriate system administrators.IBM zVM Using CA VM:Secure Security Technical Implementation Guide V-258600CAT IThe ICS must be configured to prevent nonprivileged users from executing privileged functions.Ivanti Connect Secure NDM Security Technical Implementation Guide V-213825CAT IISQL Server and the operating system must protect SQL Server audit features from unauthorized removal.MS SQL Server 2014 Instance Security Technical Implementation Guide V-205482CAT IIThe Mainframe Product must protect audit tools from unauthorized deletion.Mainframe Product Security Requirements Guide V-253684CAT IIMariaDB must protect its audit features from unauthorized removal.MariaDB Enterprise 10.x Security Technical Implementation Guide V-220354CAT IIMarkLogic Server must protect its audit features from unauthorized removal.MarkLogic Server v9 Security Technical Implementation Guide V-255332CAT IIThe audit information produced by Azure SQL Database must be protected from unauthorized deletion.Microsoft Azure SQL Database Security Technical Implementation Guide V-276299CAT IIAzure SQL Managed Instance must protect its audit configuration from unauthorized access, modification, and deletion.Microsoft Azure SQL Managed Instance Security Technical Implementation Guide V-271283CAT IISQL Server must protect its audit configuration from authorized and unauthorized access and modification.Microsoft SQL Server 2022 Instance Security Technical Implementation Guide V-224880CAT IIEvent Viewer must be protected from unauthorized modification and deletion.Microsoft Windows Server 2016 Security Technical Implementation Guide V-205731CAT IIWindows Server 2019 Event Viewer must be protected from unauthorized modification and deletion.Microsoft Windows Server 2019 Security Technical Implementation Guide V-254299CAT IIWindows Server 2022 Event Viewer must be protected from unauthorized modification and deletion.Microsoft Windows Server 2022 Security Technical Implementation Guide V-278046CAT IIWindows Server 2025 Event Viewer must be protected from unauthorized modification and deletion.Microsoft Windows Server 2025 Security Technical Implementation Guide V-221162CAT IIMongoDB must protect its audit features from unauthorized access.MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide V-252136CAT IIMongoDB must protect its audit features from unauthorized access.MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide V-265909CAT IIMongoDB must protect its audit features from unauthorized access.MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide V-279337CAT IIMongoDB must protect its audit features from unauthorized access, modification, and removal.MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide V-202044CAT IIThe network device must protect audit tools from unauthorized deletion.Network Device Management Security Requirements Guide V-254186CAT IINutanix AOS audit tools must be group-owned by root.Nutanix AOS 5.20.x OS Security Technical Implementation Guide V-279576CAT IINutanix OS must configure the audit log files to be owned by root.Nutanix Acropolis GPOS Security Technical Implementation Guide V-219766CAT IIThe DBMS must protect audit tools from unauthorized deletion.Oracle Database 11.2g Security Technical Implementation Guide V-220282CAT IIThe system must protect audit tools from unauthorized deletion.Oracle Database 12c Security Technical Implementation Guide V-270511CAT IIThe system must protect audit tools from unauthorized access, modification, or deletion.Oracle Database 19c Security Technical Implementation Guide V-248808CAT IIOL 8 audit tools must be owned by root.Oracle Linux 8 Security Technical Implementation Guide V-248809CAT IIOL 8 audit tools must be group-owned by root.Oracle Linux 8 Security Technical Implementation Guide V-271569CAT IIOL 9 must use cryptographic mechanisms to protect the integrity of audit tools.Oracle Linux 9 Security Technical Implementation Guide V-235162CAT IIThe MySQL Database Server 8.0 must protect its audit features from unauthorized removal.Oracle MySQL 8.0 Security Technical Implementation Guide V-235959CAT IIOracle WebLogic must protect audit tools from unauthorized deletion.Oracle WebLogic Server 12c Security Technical Implementation Guide V-214143CAT IIPostgreSQL must protect its audit features from unauthorized removal.PostgreSQL 9.x Security Technical Implementation Guide V-252843CAT IRancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide V-281077CAT IIRHEL 10 must be configured so that audit tools are owned by "root".Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281078CAT IIRHEL 10 must be configured so that audit tools are group-owned by "root".Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281094CAT IIRHEL 10 must enforce a mode of "0755" or less permissive for audit tools.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-258137CAT IIRHEL 9 must use cryptographic mechanisms to protect the integrity of audit tools.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257535CAT IIOpenShift must protect audit tools from unauthorized access.Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide V-251207CAT IIRedis Enterprise DBMS must protect its audit features from unauthorized removal.Redis Enterprise 6.x Security Technical Implementation Guide V-275579CAT IIUbuntu OS must have directories that contain system commands set to a mode of "755" or less permissive.Riverbed NetIM OS Security Technical Implementation Guide V-275587CAT IIUbuntu OS must have directories that contain system commands owned by "root".Riverbed NetIM OS Security Technical Implementation Guide V-275588CAT IIUbuntu OS must have directories that contain system commands group-owned by "root".Riverbed NetIM OS Security Technical Implementation Guide V-256079CAT IThe Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles.Riverbed NetProfiler Security Technical Implementation Guide V-261419CAT IISLEM 5 audit tools must have the proper permissions configured to protect against unauthorized access.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide V-217203CAT IIThe SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-216284CAT IIThe operating system must protect audit tools from unauthorized deletion.Solaris 11 SPARC Security Technical Implementation Guide V-216049CAT IIThe operating system must protect audit tools from unauthorized deletion.Solaris 11 X86 Security Technical Implementation Guide V-221935CAT IISplunk Enterprise installation directories must be secured.Splunk Enterprise 7.x for Windows Security Technical Implementation Guide V-251672CAT IISplunk Enterprise installation directories must be secured.Splunk Enterprise 8.x for Linux Security Technical Implementation Guide V-279251CAT IThe Edge SWG must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.Symantec Edge SWG NDM Security Technical Implementation Guide V-241025CAT IIThe Tanium Server must protect audit tools from unauthorized access, modification, or deletion.Tanium 7.0 Security Technical Implementation Guide V-234069CAT IIThe Tanium application must prohibit user installation of software without explicit privileged status.Tanium 7.3 Security Technical Implementation Guide V-254902CAT IIThe Tanium application must prohibit user installation, modification, or deletion of software without explicit privileged status.Tanium 7.x Application on TanOS Security Technical Implementation Guide V-253831CAT IIThe Tanium application must prohibit user installation, modification, or deletion of software without explicit privileged status.Tanium 7.x Security Technical Implementation Guide V-241129CAT IITrend Deep Security must protect audit tools from unauthorized deletion.Trend Micro Deep Security 9.x Security Technical Implementation Guide V-253022CAT IITOSS audit tools must be owned by "root".Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide V-282534CAT IITOSS 5 must use cryptographic mechanisms to protect the integrity of audit tools.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-240293CAT IIThe vRA PostgreSQL configuration files must have the correct group-ownership.VMW vRealize Automation 7.x PostgreSQL Security Technical Implementation Guide V-239790CAT IIThe vROps PostgreSQL DB must protect its audit features from unauthorized removal.VMW vRealize Operations Manager 6.x PostgreSQL Security Technical Implementation Guide V-240491CAT IIThe SLES for vRealize must protect audit tools from unauthorized deletion.VMware vRealize Automation 7.x SLES Security Technical Implementation Guide V-239584CAT IIThe SLES for vRealize must protect audit tools from unauthorized deletion.VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide V-256523CAT IIThe Photon operating system must protect audit tools from unauthorized modification and deletion.VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide V-256593CAT IIVMware Postgres configuration files must not be accessible by unauthorized users.VMware vSphere 7.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide V-258740CAT IIThe ESXi host must implement Secure Boot enforcement.VMware vSphere 8.0 ESXi Security Technical Implementation Guide V-258837CAT IIThe Photon operating system must protect audit tools from unauthorized access.VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide V-259168CAT IIThe vCenter PostgreSQL service configuration files must not be accessible by unauthorized users.VMware vSphere 8.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide V-207423CAT IIThe VMM must protect audit tools from unauthorized deletion.Virtual Machine Manager Security Requirements Guide V-269576CAT IIXylok Security Suite must protect audit information from any type of unauthorized access.Xylok Security Suite 20.x Security Technical Implementation Guide