AU-3(2) — Centralized Management of Planned Audit Record Content

Manage audit record content centrally so that all systems capture consistent, planned information. Do not leave it up to individual system admins to decide what gets logged.

Example 1: Use Group Policy to centrally deploy your Advanced Audit Policy to all Windows systems in the domain. Create a single GPO linked at the domain level with all your audit settings configured. This ensures every Windows system logs the same event categories.

Example 2: For Linux systems, deploy a standardized auditd configuration using your configuration management tool (Ansible, Puppet, Chef). Maintain a single audit.rules file that defines what to log, and push it to all Linux hosts. Include rules for file access, privilege escalation, and system calls.