CCI-000139

Configure auditd mail_acct Action on Low Disk Space

Shutdown System When Auditing Failures Occur

Configure System to Forward All Mail For The Root Account

Configure System to Forward All Mail From Postmaster to The Root Account

The A10 Networks ADC must send an alert to, at a minimum, the ISSO and SCA when connectivity to the Syslog servers is lost.

The A10 Networks ADC must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

AAA Services must be configured to alert the SA and ISSO when any audit processing failure occurs.

The Apache web server must use a logging mechanism that is configured to alert the (ISSO) and System Administrator (SA) in the event of a processing failure.

The ALG must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs.

The application server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.

The application must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

Docker Enterprise must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

CounterACT must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs.

Forescout must configure TCP for the syslog protocol to allow for detection by the central event server if communications is lost. This is required for compliance with C2C Step 1.

SNMP must be changed from default settings and must be configured on the storage system to provide alerts of critical events that impact system security.

The DataPower Gateway must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The DataPower Gateway must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs.

The MQ Appliance messaging server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.

The MQ Appliance network device must alert the Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) in the event of an audit processing failure.

The WebSphere Application Server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.

The WebSphere Application Server audit subsystem failure action must be set to Log warning.

The Ivanti MobileIron Core server must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The ISEC7 EMM Suite must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The Sentry must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs.

The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are modified.

The Mainframe Product must alert the system administrator (SA) and information system security officer (ISSO) (at a minimum) in the event of an audit processing failure.

Nutanix AOS must be configured to send Cluster Check alerts to the SA and ISSO.

Oracle WebLogic must provide a real-time alert when organization-defined audit failure events occur.

Oracle WebLogic must alert designated individual organizational officials in the event of an audit processing failure.

Oracle WebLogic must provide system notifications to a list of response personnel who are identified by name and/or role.

Riverbed Optimization System (RiOS) must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The SEL-2740S must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

Tanium must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The Tanium application must alert the information system security officer and system administrator (at a minimum) in the event of an audit processing failure.

The Tanium application must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The Tanium operating system (TanOS) must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The UEM SRG must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The Apache web server must use a logging mechanism that is configured to alert the Information System Security Officer (ISSO) and System Administrator (SA) in the event of a processing failure.

The application server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.

The macOS system must configure audit capacity warning.

The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The Cisco ISE must generate a critical alert to be sent to the ISSO and SA (at a minimum) if it is unable to communicate with the central event log. This is required for compliance with C2C Step 1.

The operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

SSMC web server must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.

The HPE 3PAR OS must be configured to send SNMP alerts to alert in the event of an audit processing failure.

AIX must be configured to generate an audit record when 75% of the audit file system is full.

IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set.

Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled.

Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web server must be enabled.

The Oracle Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.

The OL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.

The OL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure.

Automation Controller must use external log providers that can collect user activity logs in independent, protected repositories to prevent modification or repudiation.

The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.

The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.

The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure.

The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event.

The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure.

RHEL 9 must forward mail from postmaster to the root account using a postfix alias.

RHEL 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.

RHEL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure.

RHEL 9 must take appropriate action when a critical audit processing failure occurs.

The operating system must alert designated organizational officials in the event of an audit processing failure.

The VMM must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

Lookup Service log files must be offloaded to a central log server in real time.

The Photon operating system audit log must log space limit problems to syslog.

vSphere UI log files must be moved to a permanent repository in accordance with site policy.

The Photon operating system must alert the ISSO and SA in the event of an audit processing failure.

The web server must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.

The BIG-IP appliance must be configured to alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The application server must alert the system administrator (SA) and information system security offer (ISSO), at a minimum, in the event of a log processing failure.

Ubuntu 22.04 LTS must alert the information system security officer (ISSO) and system administrator (SA) in the event of an audit processing failure.

The Dragos Platform must have notification and audit services installed.

The Enterprise Voice, Video, and Messaging Session Manager must alert the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of a session (call) record system failure.

The ISEC7 SPHERE must alert the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure.

The Ivanti EPMM server must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

The information system security officer (ISSO) and system administrator (SA), at a minimum, must have mail aliases to be notified of a SLEM 5 audit processing failure.

The information system security officer (ISSO) and system administrator (SA), at a minimum, must be alerted of a SLEM 5 audit processing failure event.

TOSS must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.