STIG 3 of 10: WN11-AU-000505
Security Event Log Size
Requirement: The Security event log size must be configured to 1024000 KB or greater.
STIG Information
| Property | Value |
|---|---|
| STIG ID | WN11-AU-000505 |
| Rule ID | SV-253338r958752_rule |
| Vuln ID | V-253338 |
| Severity | CAT II (Medium) |
| CCI | CCI-001849 |
Compliance Framework Mapping
| Framework | Control ID | Description |
|---|---|---|
| NIST 800-53 | AU-4 | Audit Log Storage Capacity |
| NIST CSF | PR.DS-4, PR.PT-1 | Data Security, Audit Logging |
| ISO 27001:2022 | A.8.6 | Capacity Management |
| HIPAA | 164.306(a)(1) | Security Standards, Audit Controls |
| GDPR | 32.1.b | Security of Processing |
Why This Matters
The Security event log is critical for tracking authentication events, privilege use, and security policy changes. Its required size of 1024000 KB (~1 GB) is significantly larger than that of other event logs because of the high volume and importance of security events. Adequate capacity ensures forensic evidence is preserved for incident response and compliance audits.
Remediation Summary
| Setting | Value |
|---|---|
| Registry Path | HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security |
| Value Name | MaxSize |
| Required Value | 1024000 (DWORD). Note: ~1 GB, much larger than other logs |
Remediation Walkthrough
Step 1: Initial Scan (FAILED)
Ran Tenable compliance scan with Windows 11 STIG audit policy enabled.
Result: The Security event log size check FAILED for target host 172.203.31.183.

Step 2: Verify Current Configuration
Checked if the Security log MaxSize registry value exists.
Command:

```powershell
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" -Name "MaxSize" -ErrorAction SilentlyContinue
```
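
The command above returns nothing both when the policy key is absent and when only the value is missing, so the following added example (not part of the original walkthrough) separates those cases and reports a compliance state against the 1024000 KB threshold. The function name `Test-SecurityLogMaxSize`, its parameters and the state labels are hypothetical; the registry path, value name and required size come from the Remediation Summary table, and the optional write assumes an elevated session.

```powershell
# Added example: audit (and optionally remediate) the WN11-AU-000505 policy value.
# Function, parameter and state names are hypothetical; path, name and size are from the page.
function Test-SecurityLogMaxSize {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security',
        [string]$Name = 'MaxSize',
        [uint32]$RequiredKB = 1024000,
        [switch]$Remediate   # writing under HKLM requires an elevated session
    )

    $state   = 'Compliant'
    $current = $null

    if (-not (Test-Path -Path $Path)) {
        $state = 'KeyMissing'            # policy key was never created
    } else {
        $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            $state = 'ValueMissing'      # key exists, MaxSize does not
        } else {
            $current = $prop.$Name
            $kind = (Get-Item -Path $Path).GetValueKind($Name)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                $state = 'WrongType'     # e.g. a REG_SZ holding "1024000"
            } else {
                $kb = [int64]$current
                if ($kb -lt 0) { $kb += 4294967296 }   # DWORD surfaced as a negative Int32
                if ($kb -lt $RequiredKB) { $state = 'TooSmall' }
            }
        }
    }

    if ($state -ne 'Compliant' -and $Remediate) {
        if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force -ErrorAction Stop | Out-Null }
        New-ItemProperty -Path $Path -Name $Name -Value $RequiredKB `
            -PropertyType DWord -Force -ErrorAction Stop | Out-Null
        $current = (Get-ItemProperty -Path $Path -Name $Name).$Name
        $state   = 'Remediated'
    }

    [pscustomobject]@{
        StigId = 'WN11-AU-000505'; State = $state; CurrentKB = $current; RequiredKB = $RequiredKB
    }
}

Test-SecurityLogMaxSize                 # audit only
# Test-SecurityLogMaxSize -Remediate    # run elevated to write the policy value
```

A value larger than 1024000 is reported as `Compliant` and left untouched, matching the "or greater" wording of the requirement.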