Ensure the audit Subsystem is Installed
Ensure the audit-libs package as a part of audit Subsystem is Installed
Ensure the libaudit1 package as a part of audit Subsystem is Installed
The A10 Networks ADC, when used to load balance web applications, must enable external logging for accessing Web Application Firewall data event messages.
The A10 Networks ADC must produce audit log records containing information (FQDN, unique hostname, management or loopback IP address) to establish the source of events.
AAA Services configuration audit records must identify the source of the events.
The Apache web server must produce log records containing sufficient information to establish what type of events occurred.
An Apache web server, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
The ALG must produce audit records containing information to establish the source of the events.
The Arista router must be configured to produce audit records containing information to establish where the events occurred.
The application server must produce log records containing sufficient information to establish the sources of the events.
The Arista network device must be configured to capture all DOD auditable events.
When using centralized logging, the application must include a unique identifier in order to distinguish itself from other application logs.
The CA API Gateway must produce audit records containing information to establish the source of the events.
A BIND 9.x server implementation must be configured to allow DNS administrators to audit all DNS server components, based on selectable event criteria, and produce audit records within all DNS server components that contain information for failed security verification tests, information to establish the outcome and source of the events, any information necessary to determine cause of failure, and any information necessary to return to operations with least disruption to mission processes.
The Central Log Server must produce audit records containing information to establish the source of the events.
The DBN-6300 must produce audit log records containing information to establish the source of events.
The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise.
The host operating system's auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set.
The DNS server implementation must produce audit records containing information to establish the source of the events.
The firewall must generate traffic log entries containing information to establish the source of the events, such as the source IP address at a minimum.
The FortiGate firewall must generate traffic log entries containing information to establish the source of the events, such as the source IP address at a minimum.
The HP FlexFabric Switch must produce audit log records containing information to establish the source of events.
The HYCU server must produce audit records containing information to establish when events occurred, where events occurred, the source of the event, the outcome of the event, and identity of any individual or process associated with the event.
The MQ Appliance messaging server must produce log records containing information to establish what type of events occurred.
The WebSphere Liberty Server must log remote session and security activity.
The MQ Appliance network device must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
The WebSphere Application Server audit event type filters must be configured.
CA VM:Secure product must be installed and operating.
The IDPS must produce audit records containing information to establish the source of the event, including, at a minimum, originating source address.
JBoss must be configured to record the IP address and port information used by management interface network traffic.
The Sentry must produce audit records containing information to establish the source of the events.
The Juniper router must be configured to produce audit records containing information to establish the source of the events.
The Mainframe Product must produce audit records containing information to establish the source of the events.
Exchange Circular Logging must be disabled.
Exchange Email Subject Line logging must be disabled.
Exchange Message Tracking Logging must be enabled.
SQL Server must produce Trace or Audit records containing sufficient information to establish the sources (origins) of the events.
The network device must produce audit log records containing information to establish the source of events.
Nutanix AOS must produce audit records containing information to establish the source of events.
OHS must have a log format defined for log records that allow the establishment of the source of events.
OHS must have an SSL log format defined for log records that allow the establishment of the source of events.
OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of the source of events.
OHS, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
OHS, behind a load balancer or proxy server, must have the SSL log format set correctly to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
OHS, behind a load balancer or proxy server, must have a log file defined for each site/virtual host to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
Oracle WebLogic must produce audit records containing sufficient information to establish the sources of the events.
The Riverbed NetProfiler must be configured to automatically generate DOD-required audit records with sufficient information to support incident reporting to a central log server.
Rancher MCM must allocate audit record storage and generate audit records associated with events, users, and groups.
The router must be configured to produce audit records containing information to establish the source of the events.
The SDN controller must be configured to produce audit records containing information to establish the source of the events.
Symantec ProxySG must produce audit records containing information to establish the source of the events.
The SMS must produce audit records containing information to establish the source of the event, including, at a minimum, originating source address by sending all audit and system logs to a centralized syslog server.
The UEM server must be configured to produce audit records containing information to establish the source of the events.
The NSX-T Tier-1 Gateway Firewall must generate traffic log entries containing information to establish the details of the event.
The VPN Gateway must generate log records containing information to establish the source of the events.
Audit records content must contain valid information to allow for proper incident reporting.
The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events.
AccessLogValve must be configured for each application context.
The macOS system must initiate session audits at system startup, using internal clocks with time stamps for audit records that meet a minimum granularity of one second and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), in order to generate audit records containing information to establish what type of events occurred, the identity of any individual or process associated with the event, including individual identities of group account users, establish where the events occurred, source of the event, and outcome of the events including all account enabling actions, full-text recording of privileged commands, and information about the use of encryption for wireless access to and from the system.
The macOS system must produce audit records containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions.
The macOS system must enable security auditing.
The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time.
The Cisco ASA must be configured to produce audit records containing information to establish the source of the event.
PostgreSQL must produce audit records containing sufficient information to establish the sources (origins) of the events.
The Cisco ASA remote access VPN server must be configured to generate log records containing information to establish the source of the events.
The Cisco router must be configured to produce audit records containing information to establish the source of the events.
The Cisco ASA must be configured to produce audit log records containing information to establish the source of events.
The Cisco switch must be configured to produce audit records containing information to establish the source of the events.
The DBMS must produce audit records containing sufficient information to establish the sources (origins) of the events.
All audit records must identify the source of the event within the container platform.
The EDB Postgres Advanced Server must produce audit records containing sufficient information to establish the sources (origins) of the events.
The operating system must produce audit records containing information to establish the source of the events.
SSMC web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events.
AIX must produce audit records containing information to establish the source and the identity of any individual or process associated with an event.
IBM z/OS Required SMF data record types must be collected.
IBM z/OS must specify SMF data options to assure appropriate activation.
IBM RACF SETROPTS LOGOPTIONS must be properly configured.
IBM z/OS required SMF data record types must be collected.
IBM z/OS must specify SMF data options to ensure appropriate activation.
The ICS must be configured to generate log records containing sufficient information about where, when, identity, source, or outcome of the events.
The Juniper EX switch must be configured to produce audit log records containing information to establish the source of events.
The ICS must be configured to audit the execution of privileged functions such as account additions and changes.
Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event.
MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.
Exchange email subject line logging must be disabled.
Exchange message tracking logging must be enabled.
Exchange circular logging must be disabled.
An IIS 10.0 website behind a load balancer or proxy server must produce log records containing the source client IP, and destination information.
An IIS 10.0 web server behind a load balancer or proxy server must produce log records containing the source client IP and destination information.
OL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
The Palo Alto Networks security platform must log violations of security policies.
The Palo Alto Networks security platform must produce audit records containing information to establish the source of the event, including, at a minimum, originating source address.
The Palo Alto Networks security platform must produce audit log records containing information (FQDN, unique hostname, management IP address) to establish the source of events.
The Automation Controller must generate the appropriate log records.
Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.
All audit records must generate the event results within OpenShift.
SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
RHEL 9 audit package must be installed.
RHEL 9 audit service must be enabled.
Audit records must include the sources of the events that occurred.
The VMM must produce audit records containing information to establish the source of the events.
VAMI must produce log records containing sufficient information to establish what type of events occurred.
Performance Charts must record user access in a format that enables monitoring of remote access.
ESX Agent Manager must record user access in a format that enables monitoring of remote access.
Lookup Service must record user access in a format that enables monitoring of remote access.
The Photon operating system must configure auditd to log to disk.
The vCenter ESX Agent Manager service must produce log records containing sufficient information regarding event details.
VMware Postgres log files must contain required fields.
The Security Token Service must record user access in a format that enables monitoring of remote access.
The vCenter Lookup service must produce log records containing sufficient information regarding event details.
vSphere UI must record user access in a format that enables monitoring of remote access.
The vCenter Perfcharts service must produce log records containing sufficient information regarding event details.
The Photon operating system must enable the auditd service.
The vCenter PostgreSQL service must produce logs containing sufficient information to establish what type of events occurred.
The vCenter STS service must produce log records containing sufficient information regarding event details.
The vCenter UI service must produce log records containing sufficient information regarding event details.
The vCenter VAMI service must produce log records containing sufficient information to establish what type of events occurred.
The web server must produce log records containing sufficient information to establish the source of events.
A web server, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
Ubuntu 22.04 LTS must have the "auditd" package installed.
Ubuntu 22.04 LTS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time.
The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing the source of the connection.
The F5 BIG-IP appliance must generate event log records that can be forwarded to the centralized events log.
The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing the identity of the initiator of the call.
The F5 BIG-IP appliance must generate traffic log entries containing information to establish the details of the event, including success or failure of the application of the firewall rule.
The F5 BIG-IP appliance must be configured to audit the execution of privileged functions such as account additions and changes.
MongoDB must provide audit record generation for DOD-defined auditable events within all DBMS/database components.
The OL 8 audit package must be installed.
SLEM 5 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
The TPS must provide audit record generation capability for detection events based on implementation of policy filters, rules, signatures, and anomaly analysis.
TOSS audit records must contain information to establish what type of events occurred, when the events occurred, the source of events, where events occurred, and the outcome of events.
The NSX Distributed Firewall must generate traffic log entries containing information to establish the source of the events, such as the source IP address at a minimum.
The NSX Tier-0 Gateway Firewall must generate traffic log entries.