Skip to content
Log In

CCI-000018

Automatically audit account creation actions.

Record Events that Modify User/Group Information

29 rules found Severity: Medium

Logo

Record Events that Modify User/Group Information - /etc/group

26 rules found Severity: Medium

Logo

Record Events that Modify User/Group Information - /etc/gshadow

25 rules found Severity: Medium

Logo

Record Events that Modify User/Group Information - /etc/security/opasswd

26 rules found Severity: Medium

Logo

Record Events that Modify User/Group Information - /etc/passwd

26 rules found Severity: Medium

Logo

Record Events that Modify User/Group Information - /etc/shadow

26 rules found Severity: Medium

Logo

Ensure auditd Collects System Administrator Actions - /etc/sudoers

11 rules found Severity: Medium

Logo

Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/

10 rules found Severity: Medium

Logo

The Akamai Luna Portal must automatically audit account creation.

1 rule found Severity: Medium

Logo

The Arista Multilayer Switch must automatically audit account creation.

1 rule found Severity: Medium

Logo

The DBN-6300 must automatically audit account creation.

1 rule found Severity: Medium

Logo

The FortiGate device must automatically audit account creation.

1 rule found Severity: Medium

Logo

The HP FlexFabric Switch must automatically audit account creation.

1 rule found Severity: Medium

Logo

The HYCU server must initiate session auditing upon startup and produce audit log records containing sufficient information to establish what type of event occurred.

1 rule found Severity: Medium

Logo

CA VM:Secure product must be installed and operating.

1 rule found Severity: Medium

Logo

Nutanix AOS must audit all account actions.

1 rule found Severity: Medium

Logo

Oracle WebLogic must automatically audit account creation.

1 rule found Severity: Medium

Logo

Riverbed Optimization System (RiOS) must automatically generate a log event for account creation events.

1 rule found Severity: Low

Logo

The macOS system must generate audit records for all account creations, modifications, disabling, and termination events; privileged activities or other system-level access; all kernel module load, unload, and restart actions; all program initiations; and organizationally defined events for all non-local maintenance and diagnostic sessions.

1 rule found Severity: Medium

Logo

The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

2 rules found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

1 rule found Severity: Medium

Logo

The BIG-IP appliance must automatically audit account creation.

1 rule found Severity: Medium

Logo

The macOS system must generate audit records for all account creations, modifications, disabling, and termination events; privileged activities or other system-level access; all kernel module load, unload, and restart actions; all program initiations; and organizationally defined events for all nonlocal maintenance and diagnostic sessions.

1 rule found Severity: Medium

Logo

The Arista network device must be configured to audit all administrator activity.

1 rule found Severity: Medium

Logo

The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

1 rule found Severity: Medium

Logo

The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

1 rule found Severity: Medium

Logo

The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.

1 rule found Severity: Medium

Logo

The Cisco ASA must be configured to automatically audit account creation.

1 rule found Severity: Medium

Logo

The Cisco switch must be configured to automatically audit account creation.

3 rules found Severity: Medium

Logo

For the local web-based account of last resort, the Cisco ISE must automatically audit account creation.

1 rule found Severity: Medium

Logo

The F5 BIG-IP appliance must be configured to audit the execution of privileged functions such as accounts additions and changes.

1 rule found Severity: Medium

Logo

AIX must provide audit record generation functionality for DoD-defined auditable events.

1 rule found Severity: Medium

Logo

The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.

1 rule found Severity: Medium

Logo

The Juniper EX switch must be configured to automatically audit account creation.

1 rule found Severity: Medium

Logo

Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event.

1 rule found Severity: Medium

Logo

Audit logging must be enabled on MKE.

1 rule found Severity: Medium

Logo

Windows Server 2016 must be configured to audit Account Management - Security Group Management successes.

1 rule found Severity: Medium

Logo

Windows Server 2016 must be configured to audit Account Management - User Account Management successes.

1 rule found Severity: Medium

Logo

Windows Server 2016 must be configured to audit Account Management - User Account Management failures.

1 rule found Severity: Medium

Logo

Windows Server 2016 must be configured to audit Account Management - Computer Account Management successes.

1 rule found Severity: Medium

Logo

The network device must automatically audit account creation.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

1 rule found Severity: Medium

Logo

The Riverbed NetProfiler must be configured to automatically generate DOD-required audit records with sufficient information to support incident reporting to a central log server.

1 rule found Severity: High

Logo

Rancher MCM must generate audit records for all DoD-defined auditable events within all components in the platform.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

1 rule found Severity: Medium

Logo

The TippingPoint SMS must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).

1 rule found Severity: High

Logo

TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

1 rule found Severity: Medium

Logo

NixOS must enable the audit daemon.

1 rule found Severity: Medium

Logo

AAA Services must be configured to automatically audit account creation.

1 rule found Severity: Medium

Logo

The macOS system must be configured to audit all administrative action events.

2 rules found Severity: Medium

Logo

The application must automatically audit account creation.

1 rule found Severity: Medium

Logo

The Cisco router must be configured to automatically audit account creation.

2 rules found Severity: Medium

Logo

Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

1 rule found Severity: Medium

Logo

The Central Log Server must automatically audit account creation.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect the files within /etc/sudoers.d/

1 rule found Severity: Medium

Logo

The container platform must automatically audit account creation.

1 rule found Severity: Medium

Logo

The Dell OS10 Switch must initiate session auditing upon startup.

1 rule found Severity: Medium

Logo

The operating system must audit all account creations.

1 rule found Severity: Medium

Logo

AOS must automatically audit account creation.

1 rule found Severity: Medium

Logo

The HYCU virtual appliance must automatically audit account creation.

1 rule found Severity: Medium

Logo

IBM RACF SETROPTS LOGOPTIONS must be properly configured.

1 rule found Severity: Medium

Logo

IBM z/OS Required SMF data record types must be collected.

1 rule found Severity: Medium

Logo

The Juniper router must be configured to automatically audit account creation.

1 rule found Severity: Medium

Logo

IBM z/OS required SMF data record types must be collected.

2 rules found Severity: Medium

Logo

For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account creation events.

1 rule found Severity: Medium

Logo

The Mainframe Product must automatically audit account creation.

1 rule found Severity: Medium

Logo

The system must be configured to audit Account Management - Security Group Management successes.

1 rule found Severity: Medium

Logo

The system must be configured to audit Account Management - User Account Management failures.

1 rule found Severity: Medium

Logo

Windows Server 2019 must be configured to audit Account Management - Security Group Management successes.

1 rule found Severity: Medium

Logo

Windows Server 2019 must be configured to audit Account Management - User Account Management successes.

1 rule found Severity: Medium

Logo

Windows Server 2019 must be configured to audit Account Management - User Account Management failures.

1 rule found Severity: Medium

Logo

Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes.

1 rule found Severity: Medium

Logo

The system must be configured to audit Account Management - User Account Management successes.

1 rule found Severity: Medium

Logo

Windows Server 2022 must be configured to audit Account Management - Security Group Management successes.

1 rule found Severity: Medium

Logo

Windows Server 2022 must be configured to audit Account Management - User Account Management successes.

1 rule found Severity: Medium

Logo

Windows Server 2022 must be configured to audit Account Management - User Account Management failures.

1 rule found Severity: Medium

Logo

Windows Server 2022 must be configured to audit Account Management - Computer Account Management successes.

1 rule found Severity: Medium

Logo

Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.

1 rule found Severity: Medium

Logo

OpenShift must automatically audit account creation.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creation events that affect "/etc/shadow".

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creation events that affect "/etc/security/opasswd".

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creation events that affect "/etc/passwd".

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creation events that affect "/etc/gshadow".

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creation events that affect "/etc/group".

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/".

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

2 rules found Severity: Medium

Logo

The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

2 rules found Severity: Medium

Logo

The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

2 rules found Severity: Medium

Logo

The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

2 rules found Severity: Medium

Logo

The audit system must be configured to audit account creation.

2 rules found Severity: Medium

Logo

The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

1 rule found Severity: Medium

Logo

The VMM must automatically audit account creation.

1 rule found Severity: Medium

Logo

The UEM server must automatically audit account creation.

1 rule found Severity: Medium

Logo

The Photon operating system must audit all account creations.

3 rules found Severity: Medium

Logo