Capacity
CCI-000015
Support the management of system accounts using (organization-defined automated mechanisms).
5
Rule
Severity: Medium
Enforce pam_faillock for Local Accounts Only
5
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only
1
Rule
Severity: Medium
AAA Services must be configured to provide automated account management functions.
1
Rule
Severity: Medium
Compliance Guardian must provide automated mechanisms for supporting account management functions.
2
Rule
Severity: Medium
The application must provide automated mechanisms for supporting account management functions.
1
Rule
Severity: Medium
DocAve must provide automated mechanisms for supporting account management functions.
1
Rule
Severity: Medium
The BlackBerry UEM server must be configured to leverage the MDM platform user accounts and groups for BlackBerry UEM server user identification and CAC authentication.
3
Rule
Severity: Medium
Authentication of MDM platform accounts must be configured so they are implemented via an enterprise directory service.
2
Rule
Severity: Medium
IDMS must support the implementation of an external security manager (ESM) to handle account management and user accesses, etc.
1
Rule
Severity: High
The DBN-6300 must provide automated support for account management functions.
1
Rule
Severity: Medium
LDAP integration in Docker Enterprise must be configured.
1
Rule
Severity: High
The storage system must only be operated in conjunction with an LDAP server in a trusted environment if an Active Directory server is not available.
1
Rule
Severity: High
The storage system must only be operated in conjunction with an Active Directory server in a trusted environment if an LDAP server is not available.
1
Rule
Severity: Medium
DB2 must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
1
Rule
Severity: Medium
The MaaS360 MDM server must be configured to leverage the MDM platform user accounts and groups for MaaS360 MDM server user identification and authentication.
1
Rule
Severity: Medium
Authentication of MaaS360 MDM platform accounts must be configured so they are implemented via an enterprise directory service.
1
Rule
Severity: Medium
Access to the MQ Appliance network element must use two or more authentication servers for the purpose of granting administrative access.
1
Rule
Severity: High
The IBM z/VM TCP/IP DTCPARMS files must be properly configured to connect to an external security manager.
2
Rule
Severity: Medium
The Jamf Pro EMM server must be configured to leverage the MDM platform user accounts and groups for Jamf Pro EMM server user identification and CAC authentication.
2
Rule
Severity: Medium
Authentication of Jamf Pro EMM server accounts must be configured so they are implemented either via an Authentication Gateway Service (AGS) which connects to the site DoD Identity Access Management (IdAM) environment that utilizes CAC authentication or via strong password controls for the administrator local accounts.
2
Rule
Severity: Medium
The Mainframe Product must use an external security manager for all account management functions.
2
Rule
Severity: High
Azure SQL Database must enforce approved authorizations for logical access to database information and system resources in accordance with applicable access control policies.
1
Rule
Severity: Medium
SQL Server authentication and identity management must be integrated with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
1
Rule
Severity: Medium
Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) must provide automated support for account management functions.
1
Rule
Severity: Medium
Innoslate must provide automated mechanisms for supporting account management functions.
1
Rule
Severity: High
The Samsung SDS EMM server must be configured to use one-time password in addition to username and password for administrator logon to the server.
1
Rule
Severity: High
The Samsung SDS EMM must be configured to leverage the MDM platform administrator accounts and groups for Samsung SDS EMM user identification and CAC authentication.
1
Rule
Severity: High
Authentication of MDM platform accounts must be configured so they are implemented via an enterprise directory service.
1
Rule
Severity: Medium
The Tanium Server must be configured with a connector to sync to Microsoft Active Directory for account management functions, must isolate security functions from non-security functions, and must terminate shared/group account credentials when members leave the group.
1
Rule
Severity: Medium
The Tanium Server must be configured to only use Microsoft Active Directory for account management functions.
4
Rule
Severity: Medium
The Tanium Application Server must be configured to only use LDAP for account management functions.
1
Rule
Severity: Medium
The Tanium Application Server must be configured to only use Microsoft Active Directory for account management functions.
2
Rule
Severity: Medium
The UEM server must provide automated mechanisms for supporting account management functions.
1
Rule
Severity: Medium
The Workspace ONE UEM server must be configured to leverage the MDM platform user and administrator accounts and groups for Workspace ONE UEM server user identification and authentication.
4
Rule
Severity: High
PostgreSQL must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
2
Rule
Severity: High
The DBMS must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
2
Rule
Severity: Medium
The container platform must use a centralized user management solution to support account management functions.
3
Rule
Severity: High
The EDB Postgres Advanced Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
2
Rule
Severity: High
CA-ACF2 OPTS GSO record must be set to ABORT mode.
1
Rule
Severity: Medium
The operating system must provide automated mechanisms for supporting account management functions.
2
Rule
Severity: Medium
The HPE 3PAR OS must be configured for centralized account management functions via LDAP.
2
Rule
Severity: Medium
The HPE 3PAR OS must provide automated mechanisms for supporting account management functions via AD.
2
Rule
Severity: Medium
The shipped /etc/security/mkuser.sys file on AIX must not be customized directly.
2
Rule
Severity: Medium
The regular users default primary group must be staff (or equivalent) on AIX.
2
Rule
Severity: High
CA-TSS MODE Control Option must be set to FAIL.
2
Rule
Severity: High
IBM RACF must be installed and active on the system.
2
Rule
Severity: High
The Kubernetes Controller Manager must create unique service accounts for each work payload.
2
Rule
Severity: Medium
MarkLogic Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
2
Rule
Severity: High
MariaDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
3
Rule
Severity: High
MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
2
Rule
Severity: High
SQL Server databases must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
2
Rule
Severity: High
SQL Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
2
Rule
Severity: Medium
SQL Server must be configured to utilize the most-secure authentication method available.
1
Rule
Severity: Medium
The system must employ automated mechanisms for supporting Oracle user account management.
2
Rule
Severity: High
The system must employ automated mechanisms for supporting Oracle user account management.
2
Rule
Severity: High
MySQL Database Server 8.0 must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
2
Rule
Severity: High
Redis Enterprise DBMS must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
2
Rule
Severity: Medium
RKE2 must use a centralized user management solution to support account management functions.
2
Rule
Severity: Medium
OpenShift must use a centralized user management solution to support account management functions.
2
Rule
Severity: Medium
The kubeadmin account must be disabled.
1
Rule
Severity: Medium
The VMM must provide automated mechanisms for supporting account management functions.
1
Rule
Severity: Medium
The BIG-IP appliance must provide automated support for account management functions.
1
Rule
Severity: Medium
AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) when accounts are created.
1
Rule
Severity: Medium
AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) when accounts are modified.
1
Rule
Severity: Medium
AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) for account disabling actions.
1
Rule
Severity: Medium
AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) for account removal actions.
1
Rule
Severity: Medium
AAA Services must be configured to notify system administrators (SAs) and information system security officer (ISSO) of account enabling actions.
1
Rule
Severity: Low
The application must notify system administrators (SAs) and information system security officers (ISSOs) when accounts are created.
1
Rule
Severity: Low
The application must notify system administrators (SAs) and information system security officers (ISSOs) when accounts are modified.
1
Rule
Severity: Low
The application must notify system administrators (SAs) and information system security officers (ISSOs) of account disabling actions.
1
Rule
Severity: Low
The application must notify system administrators (SAs) and information system security officers (ISSOs) of account removal actions.
1
Rule
Severity: Low
The application must notify system administrators (SAs) and information system security officers (ISSOs) of account enabling actions.
1
Rule
Severity: Low
For devices and hosts within its scope of coverage, the Central Log Server must be configured to notify the system administrator (SA) and information system security officer (ISSO) when account modification events are received.
1
Rule
Severity: Low
For devices and hosts within its scope of coverage, the Central Log Server must notify the system administrator (SA) and information system security officer (ISSO) when events indicating account disabling actions are received.
1
Rule
Severity: Low
For devices and hosts within its scope of coverage, the Central Log Server must notify the System Administrator (SA) and Information System Security Officer (ISSO) when events indicating account removal actions are received.
1
Rule
Severity: Low
The Central Log Server must notify system administrators and ISSO when accounts are created.
1
Rule
Severity: Medium
The container platform must notify system administrators (SAs) and the information system security officer (ISSO) when accounts are created.
1
Rule
Severity: Medium
The container platform must notify system administrators (SAs) and the information system security officer (ISSO) when accounts are modified.
1
Rule
Severity: Medium
The container platform must notify system administrators and ISSO for account disabling actions.
1
Rule
Severity: Medium
The container platform must notify system administrators and ISSO for account removal actions.
1
Rule
Severity: Medium
The container platform must notify the system administrator (SA) and information system security officer (ISSO) of account enabling actions.
1
Rule
Severity: Medium
Dragos Platform must use an Identity Provider (IDP) for authentication and authorization processes.
1
Rule
Severity: Medium
The operating system must notify system administrators and ISSOs when accounts are created.
1
Rule
Severity: Medium
The operating system must notify system administrators and ISSOs when accounts are modified.
1
Rule
Severity: Medium
The operating system must notify system administrators and ISSOs when accounts are disabled.
1
Rule
Severity: Medium
The operating system must notify system administrators and ISSOs when accounts are removed.
1
Rule
Severity: Medium
The operating system must notify system administrators (SAs) and information system security officers (ISSOs) of account enabling actions.
1
Rule
Severity: Medium
AIX must provide audit record generation functionality for DoD-defined auditable events.
1
Rule
Severity: High
The IBM Security zSecure Suite products must use an external security manager (RACF, ACF2, or TSS) for all account management functions.
1
Rule
Severity: Medium
The IBM z/OS system administrator (SA) must develop a process notify appropriate personnel when accounts are removed.
1
Rule
Severity: Medium
The IBM z/OS system administrator (SA) must develop a process notify appropriate personnel when accounts are modified.
1
Rule
Severity: Medium
The IBM z/OS system administrator (SA) must develop a process notify appropriate personnel when accounts are deleted.
1
Rule
Severity: Medium
The IBM z/OS system administrator (SA) must develop a process notify appropriate personnel when accounts are created.
1
Rule
Severity: Medium
IBM z/OS system administrator must develop a procedure to notify system administrators (SAs) and information system security officers (ISSOs) of account enabling actions.
2
Rule
Severity: Medium
The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are created.
2
Rule
Severity: Medium
The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are modified.
2
Rule
Severity: Medium
The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are deleted.
2
Rule
Severity: Medium
The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are removed.
1
Rule
Severity: Medium
The IBM z/OS system administrator (SA) must develop a process to notify information system security officers (ISSOs) of account enabling actions.
1
Rule
Severity: Medium
IBM z/OS system administrator (SA) must develop a procedure to notify SAs and information system security officers (ISSOs) of account enabling actions.
1
Rule
Severity: Low
The Juniper SRX Services Gateway must allow only the information system security manager (ISSM) (or administrators/roles appointed by the ISSM) to select which auditable events are to be generated and forwarded to the syslog and/or local logs.
1
Rule
Severity: Low
For local logging, the Juniper SRX Services Gateway must generate a message to the system management console when a log processing failure occurs.
1
Rule
Severity: Medium
In the event that communications with the events server is lost, the Juniper SRX Services Gateway must continue to queue log records locally.
1
Rule
Severity: High
The Juniper SRX Services Gateway must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management.
1
Rule
Severity: Medium
The Mainframe Product must notify system programmers and security administrators when accounts are created.
1
Rule
Severity: Medium
The Mainframe Product must notify system programmers and security administrators when accounts are modified.
1
Rule
Severity: Medium
The Mainframe Product must notify system programmers and security administrators for account disabling actions.
1
Rule
Severity: Medium
The Mainframe Product must notify system programmers and security administrators for account removal actions.
1
Rule
Severity: Medium
The Mainframe Product must notify system programmers and security administrators of account enabling actions.
1
Rule
Severity: Medium
MKE must be configured to integrate with an Enterprise Identity Provider.
1
Rule
Severity: High
Azure SQL Databases must integrate with Azure Active Directory for providing account management and automation for all users, groups, roles, and any other principals.
1
Rule
Severity: Medium
Microsoft Intune service must notify system administrator and information system security officer (ISSO) of account enabling actions.
1
Rule
Severity: Medium
Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.
1
Rule
Severity: Medium
OL 8 must generate audit records for all account creation events that affect "/etc/shadow".
1
Rule
Severity: Medium
OL 8 must generate audit records for all account creation events that affect "/etc/security/opasswd".
1
Rule
Severity: Medium
OL 8 must generate audit records for all account creation events that affect "/etc/passwd".
1
Rule
Severity: Medium
OL 8 must generate audit records for all account creation events that affect "/etc/gshadow".
1
Rule
Severity: Medium
OL 8 must generate audit records for all account creation events that affect "/etc/group".
1
Rule
Severity: Medium
OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".
1
Rule
Severity: Medium
OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/".
1
Rule
Severity: Medium
OpenShift must generate audit rules to capture account related actions.
1
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
1
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.
1
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
1
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
1
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
1
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
1
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
1
Rule
Severity: Medium
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
1
Rule
Severity: Medium
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
1
Rule
Severity: Low
Splunk Enterprise must notify the system administrator (SA) and information system security officer (ISSO) when account events are received (creation, deletion, modification, disabling).
1
Rule
Severity: Low
Splunk Enterprise must notify analysts of applicable events for Tier 2 CSSP and JRSS only.
1
Rule
Severity: Low
Splunk Enterprise must notify the system administrator (SA) and information system security officer (ISSO) when account events are received (creation, deletion, modification, or disabling).
1
Rule
Severity: Medium
The Tanium Operating System (TanOS) must notify system administrators (SAs) and information system security officers (ISSOs) when accounts are created.
1
Rule
Severity: Medium
The Tanium Operating System (TanOS) must audit and notify system administrators (SAs) and information system security officers (ISSOs) when accounts are modified.
1
Rule
Severity: Medium
The Tanium Operating System (TanOS) must notify system administrators (SAs) and information system security officers (ISSOs) when accounts are removed.
1
Rule
Severity: Medium
Tanium must audit and notify system administrators (SAs) and information system security officers (ISSOs) when accounts are enabled.
1
Rule
Severity: Medium
Tanium must notify system administrator (SA) and the information system security officer (ISSO) when accounts are created.
1
Rule
Severity: Medium
Tanium must notify system administrators (SAs) and the information system security officer (ISSO) when accounts are modified.
1
Rule
Severity: Medium
Tanium must notify system administrators (SAs) and the information system security officer (ISSO) for account disabling actions.
1
Rule
Severity: Medium
Tanium must notify system administrators (SAs) and the information system security officer (ISSO) for account removal actions.
1
Rule
Severity: Medium
Tanium must notify the system administrator (SA) and information system security officer (ISSO) of account enabling actions.
1
Rule
Severity: Medium
Tanium must notify system administrator and information system security officer (ISSO) when accounts are created.
1
Rule
Severity: Medium
Tanium must notify system administrators and the information system security officer (ISSO) when accounts are modified.
1
Rule
Severity: Medium
Tanium must notify the system administrator and information system security officer (ISSO) of account enabling actions.
1
Rule
Severity: Medium
Tanium must notify system administrators and the information system security officer (ISSO) for account disabling actions.
1
Rule
Severity: Medium
Tanium must notify system administrators and the information system security officer (ISSO) for account removal actions.
1
Rule
Severity: Medium
The VMM must notify system administrators (SAs) and information system security officers (ISSOs) when accounts are created.
1
Rule
Severity: Medium
The VMM must notify the system administrator (SA) and information system security officer (ISSO) when accounts are modified.
1
Rule
Severity: Medium
The VMM must notify the system administrator (SA) and information system security officer (ISSO) when accounts are disabled.
1
Rule
Severity: Medium
The VMM must notify the system administrator (SA) and information system security officer (ISSO) when accounts are removed.
1
Rule
Severity: Medium
The VMM must notify the system administrator (SA) and information system security officer (ISSO) of account enabling actions.
1
Rule
Severity: Medium
The ESXi host must offload logs via syslog.
1
Rule
Severity: Medium
The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action.
1
Rule
Severity: Medium
The UEM server must notify system administrators (SAs) and the information system security officer (ISSO) when accounts are created.
1
Rule
Severity: Medium
The UEM server must notify system administrators (SAs) and the information system security officer (ISSO) when accounts are modified.
1
Rule
Severity: Medium
The UEM server must notify system administrators (SAs) and the information system security officer (ISSO) for account disabling actions.
1
Rule
Severity: Medium
The UEM server must notify system administrators (SAs) and the information system security officer (ISSO) for account removal actions.
1
Rule
Severity: Medium
The UEM server must notify system administrator (SA) and information system security officer (ISSO) of account enabling actions.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules