CCI-000158

Ensure the audit Subsystem is Installed

Enable auditd Service

Ensure the audit-libs package as a part of audit Subsystem is Installed

Ensure the libaudit1 package as a part of audit Subsystem is Installed

The application must provide the capability to filter audit records for events of interest based upon organization-defined criteria.

The Central Log Server must be configured to perform on-demand filtering of the log records for events of interest based on organization-defined criteria.

The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set.

The Mainframe Products must provide the capability to filter audit records for events of interest as defined in site security plan.

Nutanix AOS must provide the capability to centrally review and analyze audit records from multiple components within the system.

The Tanium Connect module must be configured to forward Tanium IOC Detect events to identified destinations.

The Tanium Connect module must be configured to forward Tanium Detect events to identified destinations.

The Tanium applications must provide the capability to filter audit records for events of interest based upon organization-defined criteria.

The Tanium applications must be configured to filter audit records for events of interest based on organization-defined criteria.

The macOS system must enable System Integrity Protection.

The macOS system must enable System Integrity Protection.

The macOS system must ensure System Integrity Protection is enabled.

The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time.

The operating system must provide the capability to filter audit records for events of interest based upon all audit fields within audit records.

AIX must provide the function to filter audit records for events of interest based upon all audit fields within audit records, support on-demand reporting requirements, and an audit reduction function that supports on-demand audit review and analysis and after-the-fact investigations of security incidents.

OL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

RHEL 9 audit package must be installed.

RHEL 9 audit service must be enabled.

The operating system must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria.

The VMM must support the capability to filter audit records for events of interest based upon all audit fields within audit records.

Ubuntu 22.04 LTS must have the "auditd" package installed.

Ubuntu 22.04 LTS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time.

The Central Log Server must be configured to perform on-demand sorting of log records for events of interest based on the content of organization-defined audit fields within log records.

The Central Log Server must be configured to perform on-demand searches of log records for events of interest based on the content of organization-defined audit fields within log records.

The OL 8 audit package must be installed.

SLEM 5 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.