Skip to content
Log In

CCI-000135

Generate audit records containing the organization-defined additional information that is to be included in the audit records.

Enable audit Service

1 rule found Severity: High

Logo

Ensure All Accounts on the System Have Unique User IDs

26 rules found Severity: Medium

Logo

Ensure the audit Subsystem is Installed

34 rules found Severity: Medium

Logo

Enable auditd Service

36 rules found Severity: Medium

Logo

Ensure auditd Collects Information on Exporting to Media (successful)

34 rules found Severity: Medium

Logo

Ensure auditd Collects System Administrator Actions

34 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - chmod

33 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - chown

33 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - fchmod

34 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - fchmodat

33 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - fchown

33 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - fchownat

33 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - fremovexattr

34 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - fsetxattr

33 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - lchown

34 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - lremovexattr

33 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - lsetxattr

33 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - removexattr

33 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - setxattr

33 rules found Severity: Medium

Logo

Ensure auditd Collects File Deletion Events by User - rename

33 rules found Severity: Medium

Logo

Ensure auditd Collects File Deletion Events by User - renameat

33 rules found Severity: Medium

Logo

Ensure auditd Collects File Deletion Events by User - rmdir

32 rules found Severity: Medium

Logo

Ensure auditd Collects File Deletion Events by User - unlink

33 rules found Severity: Medium

Logo

Ensure auditd Collects File Deletion Events by User - unlinkat

33 rules found Severity: Medium

Logo

Record Unsuccessful Access Attempts to Files - creat

27 rules found Severity: Medium

Logo

Record Unsuccessful Access Attempts to Files - ftruncate

27 rules found Severity: Medium

Logo

Record Unsuccessful Access Attempts to Files - open

28 rules found Severity: Medium

Logo

Record Unsuccessful Access Attempts to Files - open_by_handle_at

26 rules found Severity: Medium

Logo

Record Unsuccessful Access Attempts to Files - openat

27 rules found Severity: Medium

Logo

Record Unsuccessful Access Attempts to Files - truncate

27 rules found Severity: Medium

Logo

Ensure auditd Collects Information on Kernel Module Unloading - delete_module

27 rules found Severity: Medium

Logo

Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module

28 rules found Severity: Medium

Logo

Ensure auditd Collects Information on Kernel Module Loading - init_module

26 rules found Severity: Medium

Logo

Ensure the audit-libs package as a part of audit Subsystem is Installed

7 rules found Severity: Medium

Logo

Enable Auditing for Processes Which Start Prior to the Audit Daemon

22 rules found Severity: Low

Logo

Extend Audit Backlog Limit for the Audit Daemon

5 rules found Severity: Low

Logo

Record Events that Modify User/Group Information - /etc/group

26 rules found Severity: Medium

Logo

Record Events that Modify User/Group Information - /etc/gshadow

25 rules found Severity: Medium

Logo

Record Events that Modify User/Group Information - /etc/security/opasswd

26 rules found Severity: Medium

Logo

Record Events that Modify User/Group Information - /etc/passwd

26 rules found Severity: Medium

Logo

Record Events that Modify User/Group Information - /etc/shadow

26 rules found Severity: Medium

Logo

Record Any Attempts to Run chcon

21 rules found Severity: Medium

Logo

Record Any Attempts to Run setsebool

17 rules found Severity: Medium

Logo

Record Attempts to Alter Logon and Logout Events - lastlog

28 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - chage

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - chsh

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - crontab

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - kmod

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - mount

18 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - newgrp

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - passwd

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - postdrop

18 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - postqueue

18 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown

12 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - su

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - sudo

23 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit

19 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - umount

4 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - userhelper

16 rules found Severity: Medium

Logo

Ensure auditd Collects System Administrator Actions - /etc/sudoers

11 rules found Severity: Medium

Logo

Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/

10 rules found Severity: Medium

Logo

Record Any Attempts to Run chacl

18 rules found Severity: Medium

Logo

Record Any Attempts to Run setfacl

15 rules found Severity: Medium

Logo

Record Any Attempts to Run ssh-agent

14 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - unix_update

10 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - usermod

18 rules found Severity: Medium

Logo

Ensure the libaudit1 package as a part of audit Subsystem is Installed

2 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - unix2_chkpwd

3 rules found Severity: Medium

Logo

The A10 Networks ADC must have command auditing enabled.

1 rule found Severity: Low

Logo

The Arista Multilayer Switch must generate audit records containing the full-text recording of privileged commands.

1 rule found Severity: Low

Logo

The DBN-6300 must generate audit records containing the full-text recording of privileged commands.

1 rule found Severity: Low

Logo

The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise.

1 rule found Severity: Medium

Logo

The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set.

1 rule found Severity: Medium

Logo

The FortiGate device must generate audit records containing the full-text recording of privileged commands.

1 rule found Severity: Medium

Logo

The HP FlexFabric Switch must generate audit records containing the full-text recording of privileged commands.

1 rule found Severity: Low

Logo

The HYCU Server must generate audit records containing the full-text recording of privileged commands.

1 rule found Severity: Medium

Logo

DB2 must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.

1 rule found Severity: Medium

Logo

The MQ Appliance messaging server must produce log records containing information to establish what type of events occurred.

1 rule found Severity: Medium

Logo

The WebSphere Application Server audit event type filters must be configured.

1 rule found Severity: Medium

Logo

CA VM:Secure product must be installed and operating.

1 rule found Severity: Medium

Logo

SQL Server must include organization-defined additional, more detailed information in Trace or Audit records for events identified by type, location, or subject.

1 rule found Severity: Medium

Logo

Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the passwd/gpasswd/unix-chkpwd privileged commands.

1 rule found Severity: Medium

Logo

Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the chage privileged command.

1 rule found Severity: Medium

Logo

Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the userhelper privileged command.

1 rule found Severity: Medium

Logo

Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the mount and umount privileged commands.

1 rule found Severity: Medium

Logo

Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the post-related privileged commands.

1 rule found Severity: Medium

Logo

Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the opensshrelated privileged commands.

1 rule found Severity: Medium

Logo

Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the crontab-related privileged commands.

1 rule found Severity: Medium

Logo

Nutanix AOS must produce audit records containing the individual identities of group account users.

1 rule found Severity: Medium

Logo

Riverbed Optimization System (RiOS) must generate audit records containing the full-text recording of privileged commands.

1 rule found Severity: Medium

Logo

The macOS system must initiate session audits at system startup, using internal clocks with time stamps for audit records that meet a minimum granularity of one second and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), in order to generate audit records containing information to establish what type of events occurred, the identity of any individual or process associated with the event, including individual identities of group account users, establish where the events occurred, source of the event, and outcome of the events including all account enabling actions, full-text recording of privileged commands, and information about the use of encryption for access wireless access to and from the system.

1 rule found Severity: Medium

Logo

The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time.

2 rules found Severity: Medium

Logo

MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.

2 rules found Severity: Medium

Logo

The DBMS must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.

2 rules found Severity: Medium

Logo

PostgreSQL must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.

3 rules found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must audit all uses of the chage command.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must audit all uses of the su command.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must audit all uses of the chsh command.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must audit all uses of the umount command.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.

1 rule found Severity: Medium

Logo

The EDB Postgres Advanced Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.

2 rules found Severity: Medium

Logo

AccessLogValve must be configured per each virtual host.

1 rule found Severity: Medium

Logo

The macOS system must produce audit records containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions.

1 rule found Severity: Medium

Logo

The Arista network device must be configured to audit all administrator activity.

1 rule found Severity: Medium

Logo

The Cisco ASA must be configured to generate audit records containing the full-text recording of privileged commands.

1 rule found Severity: Medium

Logo

The Cisco switch must be configured to generate audit records containing the full-text recording of privileged commands.

3 rules found Severity: Medium

Logo

The Cisco ISE must generate audit records containing the full-text recording of privileged commands.

1 rule found Severity: Medium

Logo

The F5 BIG-IP appliance must be configured to audit the execution of privileged functions such as accounts additions and changes.

1 rule found Severity: Medium

Logo

The HPE 3PAR OS must be configured for centralized account management functions via LDAP.

1 rule found Severity: Medium

Logo

The HPE 3PAR OS must provide automated mechanisms for supporting account management functions via AD.

1 rule found Severity: Medium

Logo

AIX must produce audit records containing the full-text recording of privileged commands.

1 rule found Severity: Medium

Logo

The WebSphere Liberty Server must log remote session and security activity.

1 rule found Severity: Medium

Logo

Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event.

1 rule found Severity: Medium

Logo

Audit logging must be enabled on MKE.

1 rule found Severity: Medium

Logo

MongoDB must provide audit record generation for DOD-defined auditable events within all DBMS/database components.

1 rule found Severity: Medium

Logo

Azure SQL Database must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.

1 rule found Severity: Medium

Logo

Command line data must be included in process creation events.

3 rules found Severity: Medium

Logo

PowerShell script block logging must be enabled on Windows 11.

1 rule found Severity: Medium

Logo

PowerShell script block logging must be enabled.

1 rule found Severity: Medium

Logo

The network device must generate audit records containing the full-text recording of privileged commands.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must audit all uses of the passwd command.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must audit all uses of the unix_chkpwd command.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must audit all uses of the gpasswd command.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must audit all uses of the chage command.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must audit all uses of the userhelper command.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must audit all uses of the mount command and syscall.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must audit all uses of the umount command.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must audit all uses of the postdrop command.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must audit all uses of the postqueue command.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must audit all uses of the ssh-keysign command.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must audit all uses of the crontab command.

1 rule found Severity: Medium

Logo

The MySQL Database Server 8.0 must include additional, more detailed, organizationally defined information in the audit records for audit events identified by type, location, or subject.

1 rule found Severity: Medium

Logo

The Riverbed NetProfiler must be configured to automatically generate DOD-required audit records with sufficient information to support incident reporting to a central log server.

1 rule found Severity: High

Logo

Rancher MCM must allocate audit record storage and generate audit records associated with events, users, and groups.

1 rule found Severity: Medium

Logo

SLEM 5 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "chage" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for a uses of the "chsh" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "crontab" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "gpasswd" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "newgrp" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "passwd" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "ssh-keysign" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "su" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "sudo" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "unix_chkpwd" or "unix2_chkpwd" commands.

1 rule found Severity: Medium

Logo

SLEM 5 must audit all uses of the sudoers file and all files in the "/etc/sudoers.d/" directory.

1 rule found Severity: Medium

Logo

The TippingPoint SMS must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).

1 rule found Severity: High

Logo

TOSS audit records must contain information to establish what type of events occurred, when the events occurred, the source of events, where events occurred, and the outcome of events.

1 rule found Severity: Medium

Logo

TOSS must generate audit records containing the full-text recording of privileged commands.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "chage" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "chcon" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the ssh-agent in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "passwd" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of postdrop in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of postqueue in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of setsebool in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the ssh-keysign in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "setfacl" command in RTOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "pam_timestamp_check" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "newgrp" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "init_module" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "rename" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "renameat" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "rmdir" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "unlink" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "unlinkat" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "finit_module" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "delete_module" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "crontab" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "chsh" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of setfiles in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "chacl" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Record Any Attempts to Run semanage

13 rules found Severity: Medium

Logo

Record Any Attempts to Run setfiles

12 rules found Severity: Medium

Logo

The NixOS audit package must be installed.

1 rule found Severity: Medium

Logo

NixOS must generate audit records for all usage of privileged commands.

1 rule found Severity: Medium

Logo

NixOS must enable auditing of processes that start prior to the audit daemon.

1 rule found Severity: Medium

Logo

NixOS must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the mount syscall in NixOS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in NixOS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the init_module, finit_module, and delete_module system calls in NixOS must generate an audit record.

1 rule found Severity: Medium

Logo

NixOS must generate an audit record for successful/unsuccessful modifications to the cron configuration.

1 rule found Severity: Medium

Logo

NixOS must generate an audit record for successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in NixOS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in NixOS must generate an audit record.

1 rule found Severity: Medium

Logo

NixOS must generate audit records when successful/unsuccessful attempts to modify security objects occur.

1 rule found Severity: Medium

Logo

NixOS must generate audit records when concurrent logins to the same account occur from different sources.

1 rule found Severity: Medium

Logo

NixOS must generate audit records for all account creations, modifications, disabling, and termination events.

1 rule found Severity: Medium

Logo

The macOS system must enable security auditing.

2 rules found Severity: Medium

Logo

The application server must generate log records containing the full-text recording of privileged commands or the individual identities of group account users.

1 rule found Severity: Medium

Logo

The application must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.

1 rule found Severity: Medium

Logo

The application must implement transaction recovery logs when transaction based.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must have the "auditd" package installed.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time.

1 rule found Severity: Medium

Logo

The Cisco router must be configured to generate audit records containing the full-text recording of privileged commands.

2 rules found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect the files within /etc/sudoers.d/

1 rule found Severity: Medium

Logo

The container platform must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.

1 rule found Severity: Medium

Logo

The audit package must be installed on AlmaLinux OS 9.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must enable auditing of processes that start prior to the audit daemon.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "chacl" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "chage" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "chcon" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must audit all uses of the chmod, fchmod, and fchmodat system calls.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "chsh" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "crontab" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "gpasswd" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must audit all uses of the kmod command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "newgrp" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "passwd" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "postdrop" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "postqueue" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "su" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "sudo" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "semanage" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "setfacl" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "setfiles" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "setsebool" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "ssh-agent" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "ssh-keysign" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "sudoedit" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "pam_timestamp_check" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "unix_chkpwd" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "unix_update" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "userhelper" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "usermod" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.

1 rule found Severity: Medium

Logo

The DBMS must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.

1 rule found Severity: Medium

Logo

The auditd service must be enabled on AlmaLinux OS 9.

1 rule found Severity: Medium

Logo

The Dell OS10 Switch must initiate session auditing upon startup.

1 rule found Severity: Medium

Logo

The operating system must generate audit records containing the full-text recording of privileged commands.

1 rule found Severity: Medium

Logo

The operating system must produce audit records containing the individual identities of group account users.

1 rule found Severity: Medium

Logo

AOS must audit the execution of privileged functions.

1 rule found Severity: Medium

Logo

The HYCU virtual appliance must generate audit records containing the full-text recording of privileged commands.

1 rule found Severity: Medium

Logo

IBM RACF SETROPTS LOGOPTIONS must be properly configured.

1 rule found Severity: Medium

Logo

IBM z/OS Required SMF data record types must be collected.

1 rule found Severity: Medium

Logo

IBM z/OS must specify SMF data options to assure appropriate activation.

2 rules found Severity: Medium

Logo

The Juniper router must be configured to generate audit records containing the full-text recording of privileged commands.

1 rule found Severity: Medium

Logo

IBM z/OS required SMF data record types must be collected.

2 rules found Severity: Medium

Logo

IBM z/OS must specify SMF data options to ensure appropriate activation.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway must generate log records containing the full-text recording of privileged commands.

1 rule found Severity: Low

Logo

The Mainframe Product must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.

1 rule found Severity: Medium

Logo

MariaDB must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.

1 rule found Severity: Medium

Logo

SQL Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.

1 rule found Severity: Medium

Logo

Windows Server 2019 command line data must be included in process creation events.

1 rule found Severity: Medium

Logo

Windows Server 2019 PowerShell script block logging must be enabled.

1 rule found Severity: Medium

Logo

PowerShell script block logging must be enabled on Windows 10.

1 rule found Severity: Medium

Logo

Windows Server 2022 command line data must be included in process creation events.

1 rule found Severity: Medium

Logo

Windows Server 2022 PowerShell script block logging must be enabled.

1 rule found Severity: Medium

Logo

The OL 8 audit package must be installed.

1 rule found Severity: Medium

Logo

The configuration integrity of the container platform must be ensured and runtime policies must be configured.

1 rule found Severity: High

Logo

OL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

1 rule found Severity: Medium

Logo

OL 8 duplicate User IDs (UIDs) must not exist for interactive users.

1 rule found Severity: Medium

Logo

Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.

1 rule found Severity: Medium

Logo

OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creation events that affect "/etc/shadow".

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creation events that affect "/etc/security/opasswd".

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creation events that affect "/etc/passwd".

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creation events that affect "/etc/gshadow".

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creation events that affect "/etc/group".

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/".

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "su" command.

1 rule found Severity: Medium

Logo

The OL 8 audit system must be configured to audit any use of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "chage" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any uses of the "chcon" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "ssh-agent" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "passwd" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "mount" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "umount" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "mount" syscall.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "unix_update" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "postdrop" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "postqueue" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "setsebool" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "unix_chkpwd" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "ssh-keysign" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "setfacl" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "pam_timestamp_check" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "newgrp" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "init_module" and "finit_module" system calls.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "gpasswd" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the delete_module syscall.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "crontab" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "chsh" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "chown", "fchown", "fchownat", and "lchown" system calls.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "chmod", "fchmod", and "fchmodat" system calls.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "sudo" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "usermod" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "chacl" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "kmod" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any attempted modifications to the "faillock" log file.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any attempted modifications to the "lastlog" file.

1 rule found Severity: Medium

Logo

OL 8 must enable auditing of processes that start prior to the audit daemon.

1 rule found Severity: Medium

Logo

OL 8 must allocate an "audit_backlog_limit" of sufficient size to capture processes that start prior to the audit daemon.

1 rule found Severity: Low

Logo

RHEL 9 must enable auditing of processes that start prior to the audit daemon.

1 rule found Severity: Low

Logo

RHEL 9 duplicate User IDs (UIDs) must not exist for interactive users.

1 rule found Severity: Medium

Logo

RHEL 9 audit package must be installed.

1 rule found Severity: Medium

Logo

RHEL 9 audit service must be enabled.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the chacl command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the setfacl command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the chcon command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the semanage command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the setfiles command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the setsebool command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the delete_module system call.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the init_module and finit_module system calls.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the chage command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the chsh command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the crontab command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the gpasswd command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the kmod command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the newgrp command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the pam_timestamp_check command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the passwd command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the postdrop command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the postqueue command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the ssh-agent command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the ssh-keysign command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the su command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the sudo command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the sudoedit command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the unix_chkpwd command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the unix_update command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the userhelper command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the usermod command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the mount command.

1 rule found Severity: Medium

Logo

SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

2 rules found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.

1 rule found Severity: Medium

Logo

The VMM must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.

1 rule found Severity: Medium

Logo

The UEM server must be configured to generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.

1 rule found Severity: Medium

Logo

The Photon operating system must be configured to audit the execution of privileged functions.

3 rules found Severity: Medium

Logo

The Photon operating system must have the auditd service running.

1 rule found Severity: Medium

Logo

VMware Postgres log files must contain required fields.

1 rule found Severity: Medium

Logo

The Photon operating system must enable the auditd service.

2 rules found Severity: Medium

Logo

The vCenter PostgreSQL service must produce logs containing sufficient information to establish what type of events occurred.

2 rules found Severity: Medium

Logo

The NSX-T Distributed Firewall must generate traffic log entries containing information to establish the details of the event.

1 rule found Severity: Medium

Logo