Make the auditd Configuration Immutable
System Audit Logs Must Have Mode 0750 or Less Permissive
System Audit Logs Must Be Owned By Root
System Audit Logs Must Have Mode 0640 or Less Permissive
Configure immutable Audit login UIDs
System Audit Directories Must Be Group Owned By Root
System Audit Directories Must Be Owned By Root
System Audit Logs Must Be Group Owned By Root
Kubernetes Audit Logs Must Be Owned By Root
OAuth Audit Logs Must Be Owned By Root
OpenShift Audit Logs Must Be Owned By Root
The log information from the Apache web server must be protected from unauthorized deletion and modification.
The ALG must protect audit information from unauthorized modification.
The application server must protect log information from unauthorized modification.
The Arista network device must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the ISSO.
The application must protect audit information from unauthorized modification.
The BlackBerry Enterprise Mobility Server (BEMS) must protect log information from unauthorized modification.
The Central Log Server must protect audit information from unauthorized modification.
The firewall must protect the traffic log from unauthorized modification of local log records.
The FortiGate firewall must protect the traffic log from unauthorized modification of local log records.
The HP FlexFabric Switch must protect audit information from unauthorized modification.
The audit information produced by DB2 must be protected from unauthorized modification.
The IBM Aspera Console must protect audit information from unauthorized read access.
IBM Aspera Faspex must protect audit information from unauthorized modification.
IBM Aspera Shares must protect audit information from unauthorized deletion.
The WebSphere Liberty Server must protect log information from unauthorized access or changes.
The WebSphere Application Server must protect log information from unauthorized modification.
CA VM:Secure product AUDIT file must be restricted to authorized personnel.
File permissions must be configured to protect log information from unauthorized modification.
The Juniper router must be configured to protect audit information from unauthorized modification.
The Mainframe Product must protect audit information from unauthorized modification.
The audit information produced by Azure SQL Database must be protected from unauthorized modification.
Exchange must have Audit data protected against unauthorized modification.
Exchange audit data must be protected against unauthorized access for modification.
Exchange must protect audit data against unauthorized access.
The audit information produced by SQL Server must be protected from unauthorized modification.
The network device must protect audit information from unauthorized modification.
Nutanix AOS must protect log information from any type of unauthorized access.
Nutanix AOS must protect audit information from unauthorized access.
The log information from OHS must be protected from unauthorized modification.
The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles.
Riverbed Optimization System (RiOS) must protect audit information from unauthorized modification.
Splunk Enterprise installation directories must be secured.
Access to Tanium logs on each endpoint must be restricted by permissions.
The UEM server must protect audit information from unauthorized modification.
The VPN Gateway log must protect audit information from unauthorized modification when stored locally.
The log information from the Apache web server must be protected from unauthorized modification or deletion.
Files in the $CATALINA_BASE/conf/ folder must have their permissions set to 640.
$CATALINA_BASE/conf folder permissions must be set to 750.
The macOS system must be configured with audit log folders set to mode 700 or less permissive.
The macOS system must configure audit log files to not contain access control lists.
The macOS system must configure audit log folders to not contain access control lists.
The macOS system must configure audit log files to be owned by root.
The macOS system must configure audit log folders to be owned by root.
The macOS system must configure audit log files group to wheel.
The macOS system must configure audit log folders group to wheel.
The macOS system must configure audit log files to mode 440 or less permissive.
The macOS system must configure audit log folders to mode 700 or less permissive.
The macOS system must be configured to audit all deletions of object attributes.
The macOS system must be configured to audit all changes of object attributes.
The macOS system must configure audit_control group to wheel.
The macOS system must configure audit_control owner to root.
The macOS system must configure audit_control to mode 440 or less permissive.
The macOS system must configure audit_control to not contain access control lists.
The macOS system must ensure System Integrity Protection is enabled.
The audit information produced by PostgreSQL must be protected from unauthorized modification.
The Ubuntu operating system must be configured so that audit log files cannot be read or write-accessible by unauthorized users.
The Ubuntu operating system must permit only authorized accounts ownership of the audit log files.
The Ubuntu operating system must permit only authorized groups to own the audit log files.
The Ubuntu operating system must be configured so that audit log files are not read or write-accessible by unauthorized users.
The Cisco router must be configured to protect audit information from unauthorized modification.
The Cisco switch must be configured to protect audit information from unauthorized modification.
The audit information produced by the DBMS must be protected from unauthorized modification.
The container platform must protect audit information from unauthorized modification.
The audit information produced by the EDB Postgres Advanced Server must be protected from unauthorized modification.
The operating system must protect audit information from unauthorized modification.
Audit logs on the AIX system must be owned by root.
Audit logs on the AIX system must be group-owned by system.
Audit logs on the AIX system must be set to 660 or less permissive.
IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing.
IBM z/OS SMF collection files (i.e., SYS1.MANx) access must be limited to appropriate users and/or batch jobs that perform SMF dump processing.
The ICS must be configured to prevent nonprivileged users from executing privileged functions.
The Juniper EX switch must be configured to protect audit information from unauthorized modification.
The audit information produced by MarkLogic Server must be protected from unauthorized modification.
The audit information produced by MariaDB must be protected from unauthorized modification.
The audit information produced by MongoDB must be protected from unauthorized read access.
The audit information produced by MongoDB must be protected from unauthorized access.
The audit information produced by SQL Server must be protected from unauthorized access, modification, and deletion.
Windows 10 permissions for the Application event log must prevent access by non-privileged accounts.
Windows 10 permissions for the Security event log must prevent access by non-privileged accounts.
Windows 10 permissions for the System event log must prevent access by non-privileged accounts.
The Manage auditing and security log user right must only be assigned to the Administrators group.
Permissions for the Application event log must prevent access by non-privileged accounts.
Permissions for the Security event log must prevent access by non-privileged accounts.
Permissions for the System event log must prevent access by non-privileged accounts.
Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts.
Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts.
Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts.
Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group.
Windows Server 2022 permissions for the Application event log must prevent access by nonprivileged accounts.
Windows Server 2022 permissions for the Security event log must prevent access by nonprivileged accounts.
Windows Server 2022 permissions for the System event log must prevent access by nonprivileged accounts.
Windows Server 2022 manage auditing and security log user right must only be assigned to the Administrators group.
The DBMS must protect audit information from unauthorized modification.
The system must protect audit information from unauthorized modification.
The Oracle Linux operating system must protect audit information from unauthorized read, modification, or deletion.
OL 8 audit logs must have a mode of "0600" or less permissive to prevent unauthorized read access.
OL 8 audit logs must be owned by root to prevent unauthorized read access.
OL 8 audit logs must be group-owned by root to prevent unauthorized read access.
The OL 8 audit log directory must be owned by root to prevent unauthorized read access.
The OL 8 audit log directory must be group-owned by root to prevent unauthorized read access.
The OL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access.
The OL 8 audit system must protect auditing rules from unauthorized change.
The OL 8 audit system must protect logon UIDs from unauthorized change.
The audit information produced by the MySQL Database Server 8.0 must be protected from unauthorized modification.
Automation Controller's log files must be accessible by explicitly defined privilege.
The audit information produced by Redis Enterprise DBMS must be protected from unauthorized modification.
OpenShift must protect audit information from unauthorized modification.
The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion.
The SUSE operating system must protect audit rules from unauthorized modification.
RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access.
RHEL 9 audit log directory must be owned by root to prevent unauthorized read access.
RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log.
RHEL 9 audit system must protect logon UIDs from unauthorized change.
RHEL 9 audit system must protect auditing rules from unauthorized change.
The operating system must protect audit information from unauthorized access.
The VMM must protect audit information from unauthorized modification.
Remote logging for ESXi hosts must be configured.
VAMI log files must only be accessible by privileged users.
Performance Charts log files must only be modifiable by privileged users.
ESX Agent Manager log files must only be modifiable by privileged users.
Lookup Service log files must only be accessible by privileged users.
The Photon operating system audit log must be owned by root.
The vCenter ESX Agent Manager service logs folder permissions must be set correctly.
The VMware Postgres database must protect log files from unauthorized access and modification.
Security Token Service log files must only be modifiable by privileged users.
The vCenter Lookup service logs folder permissions must be set correctly.
vSphere UI log files must only be accessible by privileged users.
The vCenter Perfcharts service logs folder permissions must be set correctly.
The Photon operating system must protect audit logs from unauthorized access.
The vCenter PostgreSQL service must be configured to protect log files from unauthorized access.
The vCenter STS service logs folder permissions must be set correctly.
The vCenter UI service must protect logs from unauthorized access.
The vCenter VAMI service log files must only be accessible by privileged users.
The log information from the web server must be protected from unauthorized modification.
The BIG-IP appliance must be configured to protect audit information from unauthorized modification.
The BIG-IP Core implementation must be configured to protect audit information from unauthorized modification.
The macOS system must configure audit log files to not contain access control lists (ACLs).
The macOS system must configure the audit log folder to not contain access control lists (ACLs).
The macOS system must configure the audit log files group to wheel.
The macOS system must configure the audit log folders group to wheel.
The macOS system must be configured to audit all failed read actions on the system.
The macOS system must be configured to audit all failed write actions on the system.
The macOS system must configure audit_control owner to mode 440 or less permissive.
The macOS system must configure audit_control to not contain access control lists (ACLs).
Ubuntu 22.04 LTS must be configured so that audit log files are not read- or write-accessible by unauthorized users.
Ubuntu 22.04 LTS must be configured to permit only authorized users ownership of the audit log files.
Ubuntu 22.04 LTS must permit only authorized groups ownership of the audit log files.
The Enterprise Voice, Video, and Messaging Session Manager must protect session (call) records from unauthorized modification.
SLEM 5 must protect audit rules from unauthorized modification.
TOSS audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access.
TOSS audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access.
TOSS audit logs must be owned by user root to prevent unauthorized read access.
TOSS audit logs must be owned by group root to prevent unauthorized read access.
TOSS audit log directory must be owned by user root to prevent unauthorized read access.
TOSS audit log directory must be owned by group root to prevent unauthorized read access.
The TOSS audit system must protect auditing rules from unauthorized change.
The TOSS audit system must protect logon UIDs from unauthorized change.
The NSX Manager must assign users/accounts to organization-defined roles configured with approved authorizations.