STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-001914

Definition

Provide the capability for organization-defined individuals or roles to change the logging to be performed on organization-defined system components based on organization-defined selectable event criteria within organization-defined time thresholds.

Parent Control

AU-12 (3) | Audit Record Generation | Audit and Accountability

Linked STIG Checks (49)

Vuln ID | Severity | Check | STIG
V-274017 | CAT II | Amazon Linux 2023 must have the audit package installed. | Amazon Linux 2023 Security Technical Implementation Guide
V-274018 | CAT II | Amazon Linux 2023 must produce audit records containing information to establish what type of events occurred. | Amazon Linux 2023 Security Technical Implementation Guide
V-252464 | CAT II | The macOS system must initiate session audits at system startup, using internal clocks with time stamps for audit records that meet a minimum granularity of one second and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), in order to generate audit records containing information to establish what type of events occurred, the identity of any individual or process associated with the event, including individual identities of group account users, establish where the events occurred, source of the event, and outcome of the events including all account enabling actions, full-text recording of privileged commands, and information about the use of encryption for access wireless access to and from the system. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
V-257170 | CAT II | The macOS system must produce audit records containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-268454 | CAT II | The macOS system must enable security auditing. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-277062 | CAT II | The macOS system must enable security auditing. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-219225 | CAT II | The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
V-238298 | CAT II | The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
V-260590 | CAT II | Ubuntu 22.04 LTS must have the "auditd" package installed. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-260591 | CAT II | Ubuntu 22.04 LTS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-270656 | CAT II | Ubuntu 24.04 LTS must have the "auditd" package installed. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-270657 | CAT II | Ubuntu 24.04 LTS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-241819 | CAT III | The System Administrator (SA) and Information System Security Manager (ISSM) must configure the retention of the log records based on criticality level, event type, and/or retention period, at a minimum. | Central Log Server Security Requirements Guide
V-241820 | CAT III | The Central Log Server must be configured so changes made to the level and type of log records stored in the centralized repository must take effect immediately without the need to reboot or restart the application. | Central Log Server Security Requirements Guide
V-269469 | CAT II | The audit package must be installed on AlmaLinux OS 9. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269532 | CAT II | The auditd service must be enabled on AlmaLinux OS 9. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-233600 | CAT II | PostgreSQL must provide the means for individuals in authorized roles to change the auditing to be performed on all application components, based on all selectable event criteria within organization-defined time thresholds. | Crunchy Data PostgreSQL Security Technical Implementation Guide
V-255567 | CAT III | The DBN-6300 must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near real time. | DBN-6300 NDM Security Technical Implementation Guide
V-255627 | CAT II | CounterACT must restrict the ability to change the auditing to be performed within the system log based on selectable event criteria to the audit administrators role or to other roles or individuals. | ForeScout CounterACT NDM Security Technical Implementation Guide
V-203699 | CAT II | The operating system must provide the capability for assigned IMOs/ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time. | General Purpose Operating System Security Requirements Guide
V-215252 | CAT II | AIX must provide the function for assigned ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time. | IBM AIX 7.x Security Technical Implementation Guide
V-65141 | CAT II | The DataPower Gateway must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real-time. | IBM DataPower Network Device Management Security Technical Implementation Guide
V-223463 | CAT I | IBM z/OS SYS1.PARMLIB must be properly protected. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223697 | CAT I | IBM z/OS SYS1.PARMLIB must be properly protected. | IBM z/OS RACF Security Technical Implementation Guide
V-223882 | CAT I | IBM z/OS SYS1.PARMLIB must be properly protected. | IBM z/OS TSS Security Technical Implementation Guide
V-220978 | CAT II | The Manage auditing and security log user right must only be assigned to the Administrators group. | Microsoft Windows 10 Security Technical Implementation Guide
V-253308 | CAT II | The system must be configured to audit Account Management - Security Group Management successes. | Microsoft Windows 11 Security Technical Implementation Guide
V-225086 | CAT II | The Manage auditing and security log user right must only be assigned to the Administrators group. | Microsoft Windows Server 2016 Security Technical Implementation Guide
V-205643 | CAT II | Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group. | Microsoft Windows Server 2019 Security Technical Implementation Guide
V-254507 | CAT II | Windows Server 2022 manage auditing and security log user right must only be assigned to the Administrators group. | Microsoft Windows Server 2022 Security Technical Implementation Guide
V-278257 | CAT II | The Windows Server 2025 "Manage auditing and security log" user right must only be assigned to the Administrators group. | Microsoft Windows Server 2025 Security Technical Implementation Guide
V-248519 | CAT II | The OL 8 audit package must be installed. | Oracle Linux 8 Security Technical Implementation Guide
V-248520 | CAT II | OL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Oracle Linux 8 Security Technical Implementation Guide
V-271519 | CAT II | OL 9 must have the audit package installed. | Oracle Linux 9 Security Technical Implementation Guide
V-271520 | CAT II | OL 9 audit service must be enabled. | Oracle Linux 9 Security Technical Implementation Guide
V-280993 | CAT II | RHEL 10 must have the "audit" package installed. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-280994 | CAT II | RHEL 10 must enable the audit service. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-258151 | CAT II | RHEL 9 audit package must be installed. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-258152 | CAT II | RHEL 9 audit service must be enabled. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-275677 | CAT II | Ubuntu OS must have the "auditd" package installed. | Riverbed NetIM OS Security Technical Implementation Guide
V-275678 | CAT II | Ubuntu OS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time. | Riverbed NetIM OS Security Technical Implementation Guide
V-261410 | CAT II | SLEM 5 must have the auditing package installed. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
V-261462 | CAT II | SLEM 5 must generate audit records for all uses of privileged functions. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
V-217190 | CAT II | The SUSE operating system must have the auditing package installed. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
V-217209 | CAT III | The SUSE operating system must generate audit records for all uses of the privileged functions. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
V-246917 | CAT III | The System Administrator (SA) and Information System Security Officer (ISSO) must configure the retention of the log records based on the defined security plan. | Splunk Enterprise 7.x for Windows Security Technical Implementation Guide
V-251665 | CAT III | The System Administrator (SA) and Information System Security Manager (ISSM) must configure the retention of the log records based on the defined security plan. | Splunk Enterprise 8.x for Linux Security Technical Implementation Guide
V-69201 | CAT II | The NSX vCenter must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real time. | VMware NSX Manager Security Technical Implementation Guide
V-207449 | CAT II | The VMM must provide the capability for assigned IMOs/ISSOs or designated SAs to change the auditing to be performed on all VMM components, based on all selectable event criteria in near real time. | Virtual Machine Manager Security Requirements Guide