CCI-000139

Alert organization-defined personnel or roles within an organization-defined time period in the event of an audit logging process failure.

31 rules found Severity: Medium

14 rules found Severity: Medium

34 rules found Severity: Medium

31 rules found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

22 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

CCI-000139

Configure auditd mail_acct Action on Low Disk Space

Shutdown System When Auditing Failures Occur

Configure System to Forward All Mail For The Root Account

Configure System to Forward All Mail From Postmaster to The Root Account

The A10 Networks ADC must send an alert to, at a minimum, the ISSO and SCA when connectivity to the Syslog servers is lost.

The A10 Networks ADC must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

Docker Enterprise must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

CounterACT must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs.

SNMP must be changed from default settings and must be configured on the storage system to provide alerts of critical events that impact system security.

The DataPower Gateway must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The DataPower Gateway must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs.

The MQ Appliance messaging server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.

The MQ Appliance network device must alert the Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) in the event of an audit processing failure.

The WebSphere Application Server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.

The WebSphere Application Server audit subsystem failure action must be set to Log warning.

The Ivanti MobileIron Core server must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The ISEC7 EMM Suite must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The Sentry must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs.

Nutanix AOS must be configured to send Cluster Check alerts to the SA and ISSO.

Oracle WebLogic must provide a real-time alert when organization-defined audit failure events occur.

Oracle WebLogic must alert designated individual organizational officials in the event of an audit processing failure.

Oracle WebLogic must provide system notifications to a list of response personnel who are identified by name and/or role.

Riverbed Optimization System (RiOS) must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The SEL-2740S must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

Tanium must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The Tanium application must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The Tanium operating system (TanOS) must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The BIG-IP appliance must be configured to alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The application server must alert the system administrator (SA) and information system security offer (ISSO), at a minimum, in the event of a log processing failure.

The Cisco ISE must generate a critical alert to be sent to the ISSO and SA (at a minimum) if it is unable to communicate with the central event log. This is required for compliance with C2C Step 1.

The Enterprise Voice, Video, and Messaging Session Manager must alert the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of a session (call) record system failure.

SSMC web server must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.

The HPE 3PAR OS must be configured to send SNMP alerts to alert in the event of an audit processing failure.

AIX must be configured to generate an audit record when 75% of the audit file system is full.

The ISEC7 SPHERE must alert the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure.

The Ivanti EPMM server must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web server must be enabled.

Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled.

Automation Controller must use external log providers that can collect user activity logs in independent, protected repositories to prevent modification or repudiation.

The information system security officer (ISSO) and system administrator (SA), at a minimum, must have mail aliases to be notified of a SLEM 5 audit processing failure.

The information system security officer (ISSO) and system administrator (SA), at a minimum, must be alerted of a SLEM 5 audit processing failure event.

The Tanium application must alert the information system security officer and system administrator (at a minimum) in the event of an audit processing failure.

TOSS must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The web server must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.

The Postfix package is installed

NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization.

NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 90 percent utilization.

NixOS must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.

NixOS must take action when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity.

AAA Services must be configured to alert the SA and ISSO when any audit processing failure occurs.

The Apache web server must use a logging mechanism that is configured to alert the Information System Security Officer (ISSO) and System Administrator (SA) in the event of a processing failure.

The Apache web server must use a logging mechanism that is configured to alert the (ISSO) and System Administrator (SA) in the event of a processing failure.

The macOS system must configure audit capacity warning.

The ALG must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs.

The application server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.

The application must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

Ubuntu 22.04 LTS must alert the information system security officer (ISSO) and system administrator (SA) in the event of an audit processing failure.

AlmaLinux OS 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.

AlmaLinux OS 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure.

The Dragos Platform must have notification and audit services installed.

Forescout must configure TCP for the syslog protocol to allow for detection by the central event server if communications is lost. This is required for compliance with C2C Step 1.

The operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set.

The Mainframe Product must alert the system administrator (SA) and information system security officer (ISSO) (at a minimum) in the event of an audit processing failure.

The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are modified.

The OL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.

The OL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure.

The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.

The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure.

RHEL 9 must forward mail from postmaster to the root account using a postfix alias.

RHEL 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.

RHEL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure.

The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event.

The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure.

RHEL 9 must take appropriate action when a critical audit processing failure occurs.

The operating system must alert designated organizational officials in the event of an audit processing failure.

The VMM must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The UEM SRG must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.