CCI-000154

Provide the capability to centrally review and analyze audit records from multiple components within the system.

34 rules found Severity: Medium

36 rules found Severity: Medium

7 rules found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

4 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

23 rules found Severity: Medium

24 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: High

CCI-000154

Ensure the audit Subsystem is Installed

Enable auditd Service

Ensure the audit-libs package as a part of audit Subsystem is Installed

Ensure the libaudit1 package as a part of audit Subsystem is Installed

The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set.

Exchange must have Queue monitoring configured with threshold and action.

Exchange Queue monitoring must be configured with threshold and action.

Nutanix AOS must provide the capability to centrally review and analyze audit records from multiple components within the system.

Tanium must centrally review and analyze audit records from multiple components within the system.

Tanium must provide the capability to centrally review and analyze audit records from multiple components within the system.

The Tanium application must be configured to send audit records from multiple components within the system to a central location for review and analysis of audit records.

The MDM Agent must be configured to enable the following function: [selection: read audit logs of the MD]. This requirement is inherently met if the function is automatically implemented during MDM Agent install/device enrollment.

The macOS system must enable System Integrity Protection.

The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time.

The macOS system must enable System Integrity Protection.

AIX must provide audit record generation functionality for DoD-defined auditable events.

MKE must be configured to send audit data to a centralized log server.

SLEM 5 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

The SMS and TPS must provide log information in a format that can be extracted and used by centralized analysis tools.

The Tanium application must be configured to send audit records from multiple components within the system to a central location for review and analysis.

TOSS audit records must contain information to establish what type of events occurred, when the events occurred, the source of events, where events occurred, and the outcome of events.

Ensure rsyslog is Installed

Set number of records to cause an explicit flush to audit logs

NixOS must have the packages required for offloading audit logs installed and running.

The NixOS audit records must be off-loaded onto a different system or storage media from the system being audited.

NixOS must authenticate the remote logging server for off-loading audit logs.

An Apache web server that is part of a web server cluster must route all remote management through a centrally managed access control point.

The macOS system must ensure System Integrity Protection is enabled.

The application must provide centralized management and configuration of the content to be captured in audit records generated by all application components.

The application must provide the capability to centrally review and analyze audit records from multiple components within the system.

Ubuntu 22.04 LTS must have the "auditd" package installed.

Ubuntu 22.04 LTS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time.

The Central Log Server must be configured to perform analysis of log records across multiple devices and hosts in the enclave that can be reviewed by authorized individuals.

The container platform components must provide the ability to send audit logs to a central enterprise repository for review and analysis.

The audit package must be installed on AlmaLinux OS 9.

AlmaLinux OS 9 must periodically flush audit records to disk to prevent the loss of audit records.

The auditd service must be enabled on AlmaLinux OS 9.

Google Android 13 must be configured to enable audit logging.

Google Android 14 must be configured to enable audit logging.

Google Android 15 must be configured to enable audit logging.

The operating system must provide the capability to centrally review and analyze audit records from multiple components within the system.

The IDPS must provide log information in a format that can be extracted and used by centralized analysis tools.

The Mainframe Product must provide the capability to centrally review and analyze audit records from multiple components within the system.

Exchange queue monitoring must be configured with threshold and action.

The OL 8 audit package must be installed.

OL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

Prisma Cloud Compute must be configured to send events to the hosts' syslog.

OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis.

RHEL 9 must have the rsyslog package installed.

RHEL 9 audit package must be installed.

RHEL 9 audit service must be enabled.

RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records.

SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

The VMM must support the capability to centrally review and analyze audit records from multiple components within the system.

Remote logging for ESXi hosts must be configured.

Zebra Android 13 must be configured to enable audit logging.

Google Android 12 must be configured to enable audit logging.

Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.