Capacity
CCI-000135
Generate audit records containing the organization-defined additional information that is to be included in the audit records.
1
Rule
Severity: High
Enable audit Service
21
Rule
Severity: Medium
Ensure All Accounts on the System Have Unique User IDs
29
Rule
Severity: Medium
Ensure the audit Subsystem is Installed
30
Rule
Severity: Medium
Enable auditd Service
29
Rule
Severity: Medium
Ensure auditd Collects Information on Exporting to Media (successful)
29
Rule
Severity: Medium
Ensure auditd Collects System Administrator Actions
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - chmod
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - chown
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fchmod
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fchmodat
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fchown
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fchownat
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - lchown
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - removexattr
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - setxattr
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - rename
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - renameat
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - rmdir
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - unlink
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - unlinkat
23
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - creat
23
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - ftruncate
23
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - open
24
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - open_by_handle_at
23
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - openat
23
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - truncate
22
Rule
Severity: Medium
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
23
Rule
Severity: Medium
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
22
Rule
Severity: Medium
Ensure auditd Collects Information on Kernel Module Loading - init_module
3
Rule
Severity: Medium
Ensure the audit-libs package as a part of audit Subsystem is Installed
19
Rule
Severity: Low
Enable Auditing for Processes Which Start Prior to the Audit Daemon
17
Rule
Severity: Low
Extend Audit Backlog Limit for the Audit Daemon
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/group
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/gshadow
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/security/opasswd
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/passwd
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/shadow
17
Rule
Severity: Medium
Record Any Attempts to Run chcon
14
Rule
Severity: Medium
Record Any Attempts to Run setsebool
23
Rule
Severity: Medium
Record Attempts to Alter Logon and Logout Events - lastlog
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - chage
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - chsh
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - crontab
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
14
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - kmod
16
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - mount
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - passwd
16
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
16
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
11
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - su
18
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - sudo
16
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - umount
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
14
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
8
Rule
Severity: Medium
Ensure auditd Collects System Administrator Actions - /etc/sudoers
7
Rule
Severity: Medium
Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
14
Rule
Severity: Medium
Record Any Attempts to Run chacl
11
Rule
Severity: Medium
Record Any Attempts to Run setfacl
11
Rule
Severity: Medium
Record Any Attempts to Run ssh-agent
8
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - unix_update
14
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - usermod
2
Rule
Severity: Medium
Ensure the libaudit1 package as a part of audit Subsystem is Installed
1
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - unix2_chkpwd
1
Rule
Severity: Low
The A10 Networks ADC must have command auditing enabled.
1
Rule
Severity: Low
The Arista Multilayer Switch must generate audit records containing the full-text recording of privileged commands.
2
Rule
Severity: Medium
The application server must generate log records containing the full-text recording of privileged commands or the individual identities of group account users.
2
Rule
Severity: Medium
The Arista network device must be configured to audit all administrator activity.
2
Rule
Severity: Medium
The application must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.
2
Rule
Severity: Medium
The application must implement transaction recovery logs when transaction based.
1
Rule
Severity: Low
The DBN-6300 must generate audit records containing the full-text recording of privileged commands.
1
Rule
Severity: Medium
The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise.
1
Rule
Severity: Medium
The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set.
1
Rule
Severity: Medium
The FortiGate device must generate audit records containing the full-text recording of privileged commands.
1
Rule
Severity: Low
The HP FlexFabric Switch must generate audit records containing the full-text recording of privileged commands.
1
Rule
Severity: Medium
The HYCU Server must generate audit records containing the full-text recording of privileged commands.
1
Rule
Severity: Medium
DB2 must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
1
Rule
Severity: Medium
The MQ Appliance messaging server must produce log records containing information to establish what type of events occurred.
2
Rule
Severity: Medium
The WebSphere Liberty Server must log remote session and security activity.
1
Rule
Severity: Medium
The WebSphere Application Server audit event type filters must be configured.
1
Rule
Severity: Medium
CA VM:Secure product must be installed and operating.
2
Rule
Severity: Medium
The Juniper router must be configured to generate audit records containing the full-text recording of privileged commands.
2
Rule
Severity: Low
The Juniper SRX Services Gateway must generate log records containing the full-text recording of privileged commands.
2
Rule
Severity: Medium
The Mainframe Product must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.
2
Rule
Severity: Medium
Azure SQL Database must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
1
Rule
Severity: Medium
SQL Server must include organization-defined additional, more detailed information in Trace or Audit records for events identified by type, location, or subject.
2
Rule
Severity: Medium
The network device must generate audit records containing the full-text recording of privileged commands.
1
Rule
Severity: Medium
Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the passwd/gpasswd/unix-chkpwd privileged commands.
1
Rule
Severity: Medium
Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the chage privileged command.
1
Rule
Severity: Medium
Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the userhelper privileged command.
1
Rule
Severity: Medium
Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the mount and umount privileged commands.
1
Rule
Severity: Medium
Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the post-related privileged commands.
1
Rule
Severity: Medium
Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the opensshrelated privileged commands.
1
Rule
Severity: Medium
Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the crontab-related privileged commands.
1
Rule
Severity: Medium
Nutanix AOS must produce audit records containing the individual identities of group account users.
2
Rule
Severity: High
The configuration integrity of the container platform must be ensured and runtime policies must be configured.
2
Rule
Severity: High
The Riverbed NetProfiler must be configured to automatically generate DOD-required audit records with sufficient information to support incident reporting to a central log server.
2
Rule
Severity: Medium
Rancher MCM must allocate audit record storage and generate audit records associated with events, users, and groups.
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) must generate audit records containing the full-text recording of privileged commands.
2
Rule
Severity: Medium
The UEM server must be configured to generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.
1
Rule
Severity: High
The TippingPoint SMS must automatically generate audit records for account changes and actions with containing information needed for analysis of the event that occurred on the SMS and TPS.
2
Rule
Severity: Medium
AccessLogValve must be configured per each virtual host.
1
Rule
Severity: Medium
The macOS system must initiate session audits at system startup, using internal clocks with time stamps for audit records that meet a minimum granularity of one second and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), in order to generate audit records containing information to establish what type of events occurred, the identity of any individual or process associated with the event, including individual identities of group account users, establish where the events occurred, source of the event, and outcome of the events including all account enabling actions, full-text recording of privileged commands, and information about the use of encryption for access wireless access to and from the system.
3
Rule
Severity: Medium
The macOS system must produce audit records containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions.
3
Rule
Severity: Medium
The macOS system must enable security auditing.
3
Rule
Severity: Medium
The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time.
4
Rule
Severity: Medium
PostgreSQL must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
2
Rule
Severity: Medium
The Cisco ASA must be configured to generate audit records containing the full-text recording of privileged commands.
4
Rule
Severity: Medium
The Cisco router must be configured to generate audit records containing the full-text recording of privileged commands.
6
Rule
Severity: Medium
The Cisco switch must be configured to generate audit records containing the full-text recording of privileged commands.
2
Rule
Severity: Medium
The DBMS must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
2
Rule
Severity: Medium
The Cisco ISE must generate audit records containing the full-text recording of privileged commands.
2
Rule
Severity: Medium
The container platform must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.
3
Rule
Severity: Medium
The EDB Postgres Advanced Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
2
Rule
Severity: Medium
The operating system must generate audit records containing the full-text recording of privileged commands.
2
Rule
Severity: Medium
The operating system must produce audit records containing the individual identities of group account users.
2
Rule
Severity: Medium
The HPE 3PAR OS must be configured for centralized account management functions via LDAP.
2
Rule
Severity: Medium
The HPE 3PAR OS must provide automated mechanisms for supporting account management functions via AD.
2
Rule
Severity: Medium
AIX must produce audit records containing the full-text recording of privileged commands.
2
Rule
Severity: Medium
IBM z/OS Required SMF data record types must be collected.
4
Rule
Severity: Medium
IBM z/OS must specify SMF data options to assure appropriate activation.
2
Rule
Severity: Medium
IBM RACF SETROPTS LOGOPTIONS must be properly configured.
4
Rule
Severity: Medium
IBM z/OS required SMF data record types must be collected.
2
Rule
Severity: Medium
IBM z/OS must specify SMF data options to ensure appropriate activation.
2
Rule
Severity: Medium
Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event.
2
Rule
Severity: Medium
MariaDB must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
2
Rule
Severity: Medium
MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.
2
Rule
Severity: Medium
SQL Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
6
Rule
Severity: Medium
Command line data must be included in process creation events.
2
Rule
Severity: Medium
PowerShell script block logging must be enabled on Windows 10.
2
Rule
Severity: Medium
PowerShell script block logging must be enabled on Windows 11.
2
Rule
Severity: Medium
PowerShell script block logging must be enabled.
2
Rule
Severity: Medium
Windows Server 2019 command line data must be included in process creation events.
2
Rule
Severity: Medium
Windows Server 2019 PowerShell script block logging must be enabled.
2
Rule
Severity: Medium
Windows Server 2022 command line data must be included in process creation events.
2
Rule
Severity: Medium
Windows Server 2022 PowerShell script block logging must be enabled.
2
Rule
Severity: Medium
OL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
3
Rule
Severity: Medium
The DBMS must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users.
2
Rule
Severity: Medium
The Oracle Linux operating system must audit all uses of the passwd command.
2
Rule
Severity: Medium
The Oracle Linux operating system must audit all uses of the unix_chkpwd command.
2
Rule
Severity: Medium
The Oracle Linux operating system must audit all uses of the gpasswd command.
2
Rule
Severity: Medium
The Oracle Linux operating system must audit all uses of the chage command.
2
Rule
Severity: Medium
The Oracle Linux operating system must audit all uses of the userhelper command.
2
Rule
Severity: Medium
The Oracle Linux operating system must audit all uses of the mount command and syscall.
2
Rule
Severity: Medium
The Oracle Linux operating system must audit all uses of the umount command.
2
Rule
Severity: Medium
The Oracle Linux operating system must audit all uses of the postdrop command.
2
Rule
Severity: Medium
The Oracle Linux operating system must audit all uses of the postqueue command.
2
Rule
Severity: Medium
The Oracle Linux operating system must audit all uses of the ssh-keysign command.
2
Rule
Severity: Medium
The Oracle Linux operating system must audit all uses of the crontab command.
2
Rule
Severity: Medium
OL 8 duplicate User IDs (UIDs) must not exist for interactive users.
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creation events that affect "/etc/shadow".
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creation events that affect "/etc/security/opasswd".
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creation events that affect "/etc/passwd".
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creation events that affect "/etc/gshadow".
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creation events that affect "/etc/group".
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/".
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "su" command.
2
Rule
Severity: Medium
The OL 8 audit system must be configured to audit any use of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "chage" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any uses of the "chcon" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "ssh-agent" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "passwd" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "mount" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "umount" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "mount" syscall.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "unix_update" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "postdrop" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "postqueue" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "setsebool" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "unix_chkpwd" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "ssh-keysign" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "setfacl" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "pam_timestamp_check" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "newgrp" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "init_module" and "finit_module" system calls.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "gpasswd" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the delete_module syscall.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "crontab" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "chsh" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "chown", "fchown", "fchownat", and "lchown" system calls.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "chmod", "fchmod", and "fchmodat" system calls.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "sudo" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "usermod" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "chacl" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "kmod" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any attempted modifications to the "faillock" log file.
2
Rule
Severity: Medium
OL 8 must generate audit records for any attempted modifications to the "lastlog" file.
2
Rule
Severity: Medium
OL 8 must enable auditing of processes that start prior to the audit daemon.
2
Rule
Severity: Low
OL 8 must allocate an "audit_backlog_limit" of sufficient size to capture processes that start prior to the audit daemon.
2
Rule
Severity: Medium
The MySQL Database Server 8.0 must include additional, more detailed, organizationally defined information in the audit records for audit events identified by type, location, or subject.
2
Rule
Severity: Medium
Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.
2
Rule
Severity: Medium
OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the chage command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the su command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the chsh command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the umount command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.
2
Rule
Severity: Low
RHEL 9 must enable auditing of processes that start prior to the audit daemon.
4
Rule
Severity: Medium
SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
2
Rule
Severity: Medium
RHEL 9 duplicate User IDs (UIDs) must not exist for interactive users.
2
Rule
Severity: Medium
RHEL 9 audit package must be installed.
2
Rule
Severity: Medium
RHEL 9 audit service must be enabled.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the chacl command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the setfacl command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the chcon command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the semanage command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the setfiles command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the setsebool command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the delete_module system call.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the init_module and finit_module system calls.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the chage command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the chsh command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the crontab command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the gpasswd command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the kmod command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the newgrp command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the pam_timestamp_check command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the passwd command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the postdrop command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the postqueue command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the ssh-agent command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the ssh-keysign command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the su command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the sudo command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the sudoedit command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the unix_chkpwd command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the unix_update command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the userhelper command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the usermod command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the mount command.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.
2
Rule
Severity: Medium
The VMM must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.
4
Rule
Severity: Medium
The Photon operating system must be configured to audit the execution of privileged functions.
1
Rule
Severity: Medium
The Photon operating system must have the auditd service running.
1
Rule
Severity: Medium
VMware Postgres log files must contain required fields.
3
Rule
Severity: Medium
The Photon operating system must enable the auditd service.
3
Rule
Severity: Medium
The vCenter PostgreSQL service must produce logs containing sufficient information to establish what type of events occurred.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must have the "auditd" package installed.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must be configured to audit the execution of privileged functions such as accounts additions and changes.
1
Rule
Severity: Medium
Audit logging must be enabled on MKE.
1
Rule
Severity: Medium
MongoDB must provide audit record generation for DOD-defined auditable events within all DBMS/database components.
1
Rule
Severity: Medium
The OL 8 audit package must be installed.
1
Rule
Severity: Medium
SLEM 5 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "chage" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for a uses of the "chsh" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "crontab" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "gpasswd" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "newgrp" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "passwd" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "ssh-keysign" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "su" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "sudo" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "unix_chkpwd" or "unix2_chkpwd" commands.
1
Rule
Severity: Medium
SLEM 5 must audit all uses of the sudoers file and all files in the "/etc/sudoers.d/" directory.
1
Rule
Severity: High
The TippingPoint SMS must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).
1
Rule
Severity: Medium
TOSS audit records must contain information to establish what type of events occurred, when the events occurred, the source of events, where events occurred, and the outcome of events.
1
Rule
Severity: Medium
TOSS must generate audit records containing the full-text recording of privileged commands.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "chage" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "chcon" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the ssh-agent in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "passwd" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of postdrop in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of postqueue in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of setsebool in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the ssh-keysign in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "setfacl" command in RTOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "pam_timestamp_check" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "newgrp" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "init_module" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "rename" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "renameat" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "rmdir" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "unlink" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "unlinkat" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "finit_module" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "delete_module" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "crontab" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "chsh" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of setfiles in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "chacl" command in TOSS must generate an audit record.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules