STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-003831

Definition

Alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.

Parent Control

AU-9: Protection of Audit Information (Audit and Accountability)

Linked STIG Checks (42)

  • V-279070 (CAT II), Adobe ColdFusion Security Technical Implementation Guide: ColdFusion must be configured to support integration with a third-party Security Information and Event Management (SIEM) to support notifications.
  • V-223010 (CAT II), Apache Tomcat Application Server 9 Security Technical Implementation Guide: The application server must alert the system administrator (SA) and information system security officer (ISSO), at a minimum, in the event of a log processing failure.
  • V-263550 (CAT II), Application Server Security Requirements Guide: The application server must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
  • V-272632 (CAT II), Arctic Wolf CylanceON-PREM Security Technical Implementation Guide: CylanceON-PREM must be configured to support integration with a third-party Security Information and Event Management (SIEM) to support notifications.
  • V-276014 (CAT I), Axonius Federal Systems Ax-OS Security Technical Implementation Guide: Ax-OS must off-load audit records onto a different system or media than the system being audited.
  • V-263568 (CAT II), Central Log Server Security Requirements Guide: The Central Log Server must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
  • V-271932 (CAT II), Cisco ACI NDM Security Technical Implementation Guide: The Cisco ACI must be configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
  • V-239923 (CAT II), Cisco ASA NDM Security Technical Implementation Guide: The Cisco ASA must be configured to generate an immediate real-time alert of all audit failure events requiring real-time alerts.
  • V-215692 (CAT II), Cisco IOS Router NDM Security Technical Implementation Guide: The Cisco router must be configured to generate an alert for all audit failure events.
  • V-220600 (CAT II), Cisco IOS Switch NDM Security Technical Implementation Guide: The Cisco switch must be configured to generate an alert for all audit failure events.
  • V-215837 (CAT II), Cisco IOS XE Router NDM Security Technical Implementation Guide: The Cisco router must be configured to generate an alert for all audit failure events.
  • V-220548 (CAT II), Cisco IOS XE Switch NDM Security Technical Implementation Guide: The Cisco switch must be configured to generate an alert for all audit failure events.
  • V-216534 (CAT II), Cisco IOS XR Router NDM Security Technical Implementation Guide: The Cisco router must be configured to generate an alert for all audit failure events.
  • V-242633 (CAT II), Cisco ISE NDM Security Technical Implementation Guide: The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access.
  • V-220497 (CAT II), Cisco NX OS Switch NDM Security Technical Implementation Guide: The Cisco switch must be configured to generate an alert for all audit failure events.
  • V-263588 (CAT II), Container Platform Security Requirements Guide: The container platform must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
  • V-263605 (CAT II), Database Security Requirements Guide: The DBMS must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
  • V-269791 (CAT II), Dell OS10 Switch NDM Security Technical Implementation Guide: The Dell OS10 Switch must generate an immediate real-time alert of all audit failure events requiring real-time alerts.
  • V-263626 (CAT II), Domain Name System (DNS) Security Requirements Guide: The DNS server implementation must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
  • V-230952 (CAT II), Forescout Network Device Management Security Technical Implementation Guide: Forescout must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
  • V-283429 (CAT I), HPE Alletra Storage ArcusOS Network Device Management Security Technical Implementation Guide: The HPE Alletra Storage ArcusOS device must be configured to send log data to at least one central log server for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). For boundary devices, two log servers are required.
  • V-283073 (CAT II), HPE Alletra Storage ArcusOS Web Server Security Technical Implementation Guide: The HPE Alletra Storage ArcusOS device must have an SNMPv3 user account configured.
  • V-283074 (CAT II), HPE Alletra Storage ArcusOS Web Server Security Technical Implementation Guide: The HPE Alletra Storage ArcusOS device must be configured to collect and send SNMPv3 notifications.
  • V-268254 (CAT II), HYCU Protege Security Technical Implementation Guide: The HYCU virtual appliance must generate an immediate real-time alert of all audit failure events requiring real-time alerts.
  • V-258600 (CAT I), Ivanti Connect Secure NDM Security Technical Implementation Guide: The ICS must be configured to prevent nonprivileged users from executing privileged functions.
  • V-253941 (CAT I), Juniper EX Series Switches Network Device Management Security Technical Implementation Guide: The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
  • V-217333 (CAT II), Juniper Router NDM Security Technical Implementation Guide: The Juniper router must be configured to generate an alert for all audit failure events.
  • V-223206 (CAT II), Juniper SRX Services Gateway NDM Security Technical Implementation Guide: The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access.
  • V-263672 (CAT II), Mainframe Product Security Requirements Guide: The Mainframe Product must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
  • V-276268 (CAT II), Microsoft Azure SQL Managed Instance Security Technical Implementation Guide: Azure SQL Server Managed Instance must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
  • V-279334 (CAT II), MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide: MongoDB must provide audit record generation for DOD-defined auditable events within all DBMS/database components.
  • V-264293 (CAT II), Network Device Management Security Requirements Guide: The network device must be configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
  • V-279430 (CAT II), Nutanix Acropolis Application Server Security Technical Implementation Guide: Nutanix AOS must configure the Nutanix Cluster Check (NCC) to alert the information system security officer (ISSO)/information system security manager (ISSM) or designated personnel, at a minimum.
  • V-228662 (CAT III), Palo Alto Networks NDM Security Technical Implementation Guide: The Palo Alto Networks security platform must have alarms enabled.
  • V-228672 (CAT II), Palo Alto Networks NDM Security Technical Implementation Guide: The Palo Alto Networks security platform must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and IAW CJCSM 6510.01B.
  • V-221623 (CAT III), Splunk Enterprise 7.x for Windows Security Technical Implementation Guide: Splunk Enterprise must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to be assigned to the Power User role.
  • V-251667 (CAT III), Splunk Enterprise 8.x for Linux Security Technical Implementation Guide: Splunk Enterprise must allow only the individuals appointed by the information system security manager (ISSM) to have full admin rights to the system.
  • V-279252 (CAT I), Symantec Edge SWG NDM Security Technical Implementation Guide: The Edge SWG must be configured to send log data to at least one central log server for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).
  • V-242254 (CAT I), Trend Micro TippingPoint NDM Security Technical Implementation Guide: The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.
  • V-242259 (CAT I), Trend Micro TippingPoint NDM Security Technical Implementation Guide: The TippingPoint SMS must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).
  • V-264340 (CAT II), Web Server Security Requirements Guide: The web server must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
  • V-269586 (CAT I), Xylok Security Suite 20.x Security Technical Implementation Guide: Xylok Security Suite must use a central log server for auditing records.