Information Security
CIS Safeguard 8.3 - Ensure Adequate Audit Log Storage
Last modified 7/8/2021
Objective
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.
Guidance
The Information Security Office provides the following guidance for complying with CIS Control 8 - Audit Log Management.
- Windows Desktop
The Information Security Office manages a baseline configuration for complying with CIS Control 8 - Audit Log Management. Devices successfully configured with the items below will be considered compliant.
- Deploy Configuration Baseline
Deploy the Configuration Baseline named ISU CIS Control 08 - Audit Log Management, with remediation enabled, to your devices using Microsoft Endpoint Configuration Manager (ConfigMgr).
For more information, follow this procedure: Deploying a ConfigMgr Configuration Baseline Procedure
- Configuration Baseline Settings
Configuration Item - ISU CIS Safeguard 8.3
Windows Registry
- Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'
- Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
- Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
- Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
- Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
- Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
- Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
- Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
- Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
- Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
- Verify Device Compliance
Monitor your deployment of Configuration Baseline ISU CIS Control 08 - Audit Log Management in ConfigMgr.
For more information, follow this procedure: Monitoring a ConfigMgr Configuration Baseline Procedure
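To spot-check a single device against the settings listed under Configuration Item - ISU CIS Safeguard 8.3, the following PowerShell script can be run locally. It is an added example, not part of the ISU baseline or the ConfigMgr procedures, and the registry locations it reads are the standard Group Policy and MSS paths for these settings, assumed here because the page does not list them.

```powershell
# Added example: local audit of the ten settings in Configuration Item
# "ISU CIS Safeguard 8.3". Registry locations are the standard Group Policy
# and MSS paths for these settings (assumed; the page does not list them).
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$secLog = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog'

$checks = @(
    @{ Name = 'Audit: Shut down system immediately if unable to log security audits'
       Path = $lsa;    Value = 'CrashOnAuditFail'; Op = 'eq'; Target = 0 }
    @{ Name = 'MSS: (WarningLevel) security event log warning threshold (%)'
       Path = $secLog; Value = 'WarningLevel';     Op = 'le'; Target = 90 }
)

# Minimum sizes in KB, as listed on the page. The policy MaxSize value is in KB.
$minSizeKB = [ordered]@{ Application = 32768; Security = 196608; Setup = 32768; System = 32768 }
foreach ($log in $minSizeKB.Keys) {
    # Retention "0" is what the 'Disabled' policy state writes (overwrite as needed).
    $checks += @{ Name = "${log}: Control Event Log behavior at maximum size"
                  Path = "$policy\$log"; Value = 'Retention'; Op = 'eq'; Target = 0 }
    $checks += @{ Name = "${log}: Specify the maximum log file size (KB)"
                  Path = "$policy\$log"; Value = 'MaxSize'; Op = 'ge'; Target = $minSizeKB[$log] }
}

$results = foreach ($c in $checks) {
    # A missing key or value means the policy was never applied: report it as a failure.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Value) } else { $null }
    $ok     = $false
    if ($null -ne $actual -and "$actual" -match '^\d+$') {
        $n  = [int64]"$actual"   # Retention is stored as a string, the others as DWORDs
        $ok = switch ($c.Op) {
            'eq' { $n -eq $c.Target }
            'le' { $n -le $c.Target }
            'ge' { $n -ge $c.Target }
        }
    }
    [pscustomobject]@{
        Setting   = $c.Name
        Required  = "$($c.Op) $($c.Target)"
        Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
        Compliant = $ok
    }
}

$results | Format-Table -AutoSize -Wrap
if ($results.Compliant -contains $false) { exit 1 }   # non-zero exit on any failure
```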
Additional Information
The following items provide context or a better understanding of this standard:
- CIS Controls v8 License Statement
This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode). To further clarify the Creative Commons license related to the CIS Controls content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization, for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform, or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to (http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of CIS® (Center for Internet Security, Inc.®).