Skip to content
Log In

CCI-000169

Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2 a. on organization-defined information system components.

Ensure the audit Subsystem is Installed

34 rules found Severity: Medium

Logo

Enable auditd Service

36 rules found Severity: Medium

Logo

Ensure auditd Collects Information on Exporting to Media (successful)

34 rules found Severity: Medium

Logo

Ensure auditd Collects System Administrator Actions

34 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - chmod

33 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - chown

33 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - fchmod

34 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - fchmodat

33 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - fchown

33 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - fchownat

33 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - fremovexattr

34 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - fsetxattr

33 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - lchown

34 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - lremovexattr

33 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - lsetxattr

33 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - removexattr

33 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - setxattr

33 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - umount

31 rules found Severity: Medium

Logo

Record Events that Modify the System's Discretionary Access Controls - umount2

33 rules found Severity: Medium

Logo

Ensure auditd Collects File Deletion Events by User - rename

33 rules found Severity: Medium

Logo

Ensure auditd Collects File Deletion Events by User - renameat

33 rules found Severity: Medium

Logo

Ensure auditd Collects File Deletion Events by User - rmdir

32 rules found Severity: Medium

Logo

Ensure auditd Collects File Deletion Events by User - unlink

33 rules found Severity: Medium

Logo

Ensure auditd Collects File Deletion Events by User - unlinkat

33 rules found Severity: Medium

Logo

Record Unsuccessful Access Attempts to Files - creat

27 rules found Severity: Medium

Logo

Record Unsuccessful Access Attempts to Files - ftruncate

27 rules found Severity: Medium

Logo

Record Unsuccessful Access Attempts to Files - open

28 rules found Severity: Medium

Logo

Record Unsuccessful Access Attempts to Files - open_by_handle_at

26 rules found Severity: Medium

Logo

Record Unsuccessful Access Attempts to Files - openat

27 rules found Severity: Medium

Logo

Record Unsuccessful Access Attempts to Files - truncate

27 rules found Severity: Medium

Logo

Ensure auditd Collects Information on Kernel Module Unloading - delete_module

27 rules found Severity: Medium

Logo

Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module

28 rules found Severity: Medium

Logo

Ensure auditd Collects Information on Kernel Module Loading - init_module

26 rules found Severity: Medium

Logo

Record attempts to alter time through adjtimex

34 rules found Severity: Medium

Logo

Ensure the audit-libs package as a part of audit Subsystem is Installed

7 rules found Severity: Medium

Logo

Record Attempts to Alter Time Through clock_settime

34 rules found Severity: Medium

Logo

Record attempts to alter time through settimeofday

33 rules found Severity: Medium

Logo

Record Attempts to Alter Time Through stime

33 rules found Severity: Medium

Logo

Record Attempts to Alter the localtime File

33 rules found Severity: Medium

Logo

Enable Auditing for Processes Which Start Prior to the Audit Daemon

22 rules found Severity: Low

Logo

Extend Audit Backlog Limit for the Audit Daemon

5 rules found Severity: Low

Logo

Record Events that Modify User/Group Information - /etc/group

26 rules found Severity: Medium

Logo

Record Events that Modify User/Group Information - /etc/gshadow

25 rules found Severity: Medium

Logo

Record Events that Modify User/Group Information - /etc/security/opasswd

26 rules found Severity: Medium

Logo

Record Events that Modify User/Group Information - /etc/passwd

26 rules found Severity: Medium

Logo

Record Events that Modify User/Group Information - /etc/shadow

26 rules found Severity: Medium

Logo

Record Any Attempts to Run chcon

21 rules found Severity: Medium

Logo

Record Any Attempts to Run semanage

17 rules found Severity: Medium

Logo

Record Any Attempts to Run setfiles

16 rules found Severity: Medium

Logo

Record Any Attempts to Run setsebool

17 rules found Severity: Medium

Logo

Record Attempts to Alter Logon and Logout Events - lastlog

28 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - chage

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - chsh

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - crontab

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - insmod

13 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - kmod

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - modprobe

13 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - mount

18 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - newgrp

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - passwd

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - postdrop

18 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - postqueue

18 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - rmmod

13 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - su

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - sudo

23 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit

19 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - umount

19 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd

20 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - userhelper

16 rules found Severity: Medium

Logo

Ensure auditd Collects System Administrator Actions - /etc/sudoers

11 rules found Severity: Medium

Logo

Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/

10 rules found Severity: Medium

Logo

Record Any Attempts to Run chacl

18 rules found Severity: Medium

Logo

Record Any Attempts to Run setfacl

15 rules found Severity: Medium

Logo

Record Any Attempts to Run ssh-agent

14 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - unix_update

10 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - usermod

18 rules found Severity: Medium

Logo

Log USBGuard daemon audit events using Linux Audit

10 rules found Severity: Low

Logo

Ensure the libaudit1 package as a part of audit Subsystem is Installed

2 rules found Severity: Medium

Logo

Record Any Attempts to Run chmod

3 rules found Severity: Medium

Logo

Record Any Attempts to Run rm

3 rules found Severity: Medium

Logo

Record Attempts to Alter Logon and Logout Events - faillog

4 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - chfn

5 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - passmass

2 rules found Severity: Medium

Logo

Ensure auditd Collects Information on the Use of Privileged Commands - unix2_chkpwd

3 rules found Severity: Medium

Logo

The Akamai Luna Portal must provide audit record generation capability for DoD-defined auditable events within the network device.

1 rule found Severity: Low

Logo

The DBN-6300 must generate log events for detection events based on anomaly analysis.

1 rule found Severity: Medium

Logo

The DBN-6300 must provide audit record generation capability for DoD-defined auditable events within the DBN-6300.

1 rule found Severity: Medium

Logo

The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise.

1 rule found Severity: Medium

Logo

The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set.

1 rule found Severity: Medium

Logo

The FortiGate device must generate log records for a locally developed list of auditable events.

1 rule found Severity: Medium

Logo

Google Android 12 must be configured to generate audit records for the following auditable events: detected integrity violations.

2 rules found Severity: Medium

Logo

The HP FlexFabric Switch must provide audit record generation capability for DoD-defined auditable events within the HP FlexFabric Switch.

1 rule found Severity: Low

Logo

The HYCU server must generate audit records for privileged activities or other system-level access.

1 rule found Severity: Medium

Logo

The DataPower Gateway must provide audit record generation capability for DoD-defined auditable events within DataPower.

1 rule found Severity: Medium

Logo

DB2 must provide audit record generation capability for DoD-defined auditable events within all DBMS/database components.

1 rule found Severity: Medium

Logo

The MQ Appliance messaging server must generate log records for access and authentication events.

1 rule found Severity: Medium

Logo

The MaaS360 MDM server must be configured to enable all required audit events (if function is not automatically implemented during MDM/MAS server install): a. Failure to push a new application on a managed mobile device.

1 rule found Severity: Low

Logo

The MaaS360 server must be configured to enable all required audit events (if function is not automatically implemented during MDM/MAS server install): b. Failure to update an existing application on a managed mobile device.

1 rule found Severity: Low

Logo

The MaaS360 MDM Agent must be configured to implement the management setting: periodicity of reachability events equals six hours or less.

1 rule found Severity: Medium

Logo

The WebSphere Application Server audit event type filters must be configured.

1 rule found Severity: Medium

Logo

CA VM:Secure product must be installed and operating.

1 rule found Severity: Medium

Logo

Microsoft Android 11 must be configured to generate audit records for the following auditable events: Detected integrity violations.

2 rules found Severity: Medium

Logo

Motorola Solutions Android 11 must be configured to generate audit records for the following auditable events: Detected integrity violations.

1 rule found Severity: Low

Logo

Exchange Email Diagnostic log level must be set to lowest level.

1 rule found Severity: Medium

Logo

Exchange must have Audit record parameters set.

1 rule found Severity: Low

Logo

The Exchange email Diagnostic log level must be set to the lowest level.

2 rules found Severity: Medium

Logo

Exchange Connectivity logging must be enabled.

4 rules found Severity: Medium

Logo

The Exchange Email Diagnostic log level must be set to the lowest level.

2 rules found Severity: Medium

Logo

Exchange Audit record parameters must be set.

2 rules found Severity: Low

Logo

SQL Server must generate Trace or Audit records for organization-defined auditable events.

1 rule found Severity: Medium

Logo

The Windows 2012 DNS Server log must be enabled.

1 rule found Severity: Medium

Logo

The Windows 2012 DNS Server logging must be enabled to record events from all DNS server functions.

1 rule found Severity: Medium

Logo

Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels).

1 rule found Severity: Medium

Logo

Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for system and account management actions.

1 rule found Severity: Medium

Logo

Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for file attribute management actions.

1 rule found Severity: Medium

Logo

Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for system module management actions.

1 rule found Severity: Medium

Logo

Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for directory and permissions management actions.

1 rule found Severity: Medium

Logo

Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for file management actions.

1 rule found Severity: Medium

Logo

Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for all account creations, modifications, disabling, and terminations.

1 rule found Severity: Medium

Logo

Nutanix AOS must be configured to audit the loading and unloading of dynamic kernel modules.

1 rule found Severity: Medium

Logo

OHS must have the client requests logging module loaded to generate log records for system startup and shutdown, system access, and system authentication logging.

1 rule found Severity: Medium

Logo

OHS must have OraLogMode set to Oracle Diagnostic Logging text mode to generate log records for system startup and shutdown, system access, and system authentication logging.

1 rule found Severity: Medium

Logo

OHS must have a log directory location defined to generate log records for system startup and shutdown, system access, and system authentication logging.

1 rule found Severity: Medium

Logo

OHS must have a log level severity defined to generate adequate log records for system startup and shutdown, system access, and system authentication events.

1 rule found Severity: Medium

Logo

OHS must have the log rotation parameter set to allow for the generation log records for system startup and shutdown, system access, and system authentication events.

1 rule found Severity: Medium

Logo

OHS must have a log format defined to generate adequate logs by system startup and shutdown, system access, and system authentication events.

1 rule found Severity: Medium

Logo

OHS must have a SSL log format defined to generate adequate logs by system startup and shutdown, system access, and system authentication events.

1 rule found Severity: Medium

Logo

OHS must have a log file defined for each site/virtual host to capture logs generated by system startup and shutdown, system access, and system authentication events.

1 rule found Severity: Medium

Logo

Riverbed Optimization System (RiOS) must provide audit record generation capability for DoD-defined auditable events within the network device.

1 rule found Severity: Medium

Logo

Symantec ProxySG must enable event access logging.

1 rule found Severity: Medium

Logo

The Tanium operating system (TanOS) must offload audit records onto a different system or media than the system being audited.

2 rules found Severity: Medium

Logo

The NSX-T Manager must generate log records for the info level to capture the DoD-required auditable events.

1 rule found Severity: Medium

Logo

The Horizon Connection Server must be configured with an events database.

1 rule found Severity: Medium

Logo

The macOS system must enable System Integrity Protection.

1 rule found Severity: Medium

Logo

The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time.

2 rules found Severity: Medium

Logo

Configuring History setting must be set to 40 days.

1 rule found Severity: Medium

Logo

Browser must retain history on exit.

1 rule found Severity: Medium

Logo

Deleting websites that the user has visited must be disallowed.

1 rule found Severity: Medium

Logo

The DBMS must provide audit record generation capability for organization-defined auditable events within the database.

2 rules found Severity: Medium

Logo

PostgreSQL must provide audit record generation capability for DoD-defined auditable events within all DBMS/database components.

1 rule found Severity: Medium

Logo

Zebra Android 11 must be configured to generate audit records for the following auditable events: Detected integrity violations.

1 rule found Severity: Low

Logo

The EDB Postgres Advanced Server must be configured to provide audit record generation capability for DoD-defined auditable events within all EDB Postgres Advanced Server/database components.

1 rule found Severity: Medium

Logo

AccessLogValve must be configured for each application context.

1 rule found Severity: Medium

Logo

Tomcat servers behind a proxy or load balancer must log client IP.

1 rule found Severity: Medium

Logo

The macOS system must enable System Integrity Protection.

1 rule found Severity: High

Logo

The Arista network device must be configured to capture all DOD auditable events.

1 rule found Severity: Medium

Logo

A BIND 9.x server implementation must be configured to allow DNS administrators to audit all DNS server components, based on selectable event criteria, and produce audit records within all DNS server components that contain information for failed security verification tests, information to establish the outcome and source of the events, any information necessary to determine cause of failure, and any information necessary to return to operations with least disruption to mission processes.

1 rule found Severity: Low

Logo

The BIND 9.x server logging configuration must be configured to generate audit records for all DoD-defined auditable events to a local file by enabling triggers for all events with a severity of info, notice, warning, error, and critical for all DNS components.

1 rule found Severity: Low

Logo

IDMS must use the ESM to generate auditable records for resources when DoD-defined auditable events occur.

1 rule found Severity: High

Logo

IDMS must use the ESM to generate auditable records for commands and utilities when DoD-defined auditable events occur.

1 rule found Severity: High

Logo

PostgreSQL must be configured to provide audit record generation for DoD-defined auditable events within all DBMS/database components.

1 rule found Severity: Medium

Logo

PostgreSQL must provide audit record generation capability for DOD-defined auditable events within all DBMS/database components.

1 rule found Severity: Medium

Logo

The Cisco ASA must be configured to log events based on policy access control rules, signatures, and anomaly analysis.

1 rule found Severity: Medium

Logo

The Cisco ASA must be configured to send log records to the syslog server for specific facility and severity level.

1 rule found Severity: Medium

Logo

The Cisco ISE must generate log records for a locally developed list of auditable events.

1 rule found Severity: Medium

Logo

The DNS server implementation must be configured to provide audit record generation capability for DoD-defined auditable events within all DNS server components.

2 rules found Severity: Medium

Logo

The EDB Postgres Advanced Server must provide audit record generation capability for DOD-defined auditable events within all EDB Postgres Advanced Server/database components.

1 rule found Severity: Medium

Logo

The Enterprise Voice, Video, and Messaging Endpoint must be configured to provide session (call detail) record generation capability.

1 rule found Severity: Medium

Logo

The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records for events determined to be significant and relevant by local policy.

1 rule found Severity: Medium

Logo

The F5 BIG-IP appliance must be configured to audit the execution of privileged functions such as accounts additions and changes.

1 rule found Severity: Medium

Logo

Extensions installation must be blocklisted by default.

1 rule found Severity: Medium

Logo

Deletion of browser history must be disabled.

1 rule found Severity: Medium

Logo

Prompt for download location must be enabled.

1 rule found Severity: Medium

Logo

Download restrictions must be configured.

1 rule found Severity: Medium

Logo

Chrome Cleanup must be disabled.

1 rule found Severity: Medium

Logo

Chrome Cleanup reporting must be disabled.

1 rule found Severity: Medium

Logo

SSMC must provide audit record generation capability for DOD-defined auditable events for all operating system components.

1 rule found Severity: Low

Logo

SSMC web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events.

1 rule found Severity: Medium

Logo

AIX must provide audit record generation functionality for DoD-defined auditable events.

1 rule found Severity: Medium

Logo

The ESCON Director Application Console Event log must be enabled.

1 rule found Severity: High

Logo

The Hardware Management Console Event log must be active.

1 rule found Severity: Medium

Logo

The WebSphere Liberty Server must log remote session and security activity.

1 rule found Severity: Medium

Logo

The JBoss server must generate log records for access and authentication events to the management interface.

1 rule found Severity: Medium

Logo

The Juniper EX switch must be configured to generate log records for a locally developed list of auditable events.

1 rule found Severity: Medium

Logo

MarkLogic Server must be configured to provide audit record generation capability for DoD-defined auditable events within all DBMS/database components.

1 rule found Severity: Medium

Logo

Audit logging must be enabled on MKE.

1 rule found Severity: Medium

Logo

MongoDB must provide audit record generation for DOD-defined auditable events within all DBMS/database components.

1 rule found Severity: Medium

Logo

The Azure SQL Database must be configured to generate audit records for DOD-defined auditable events within all DBMS/database components.

1 rule found Severity: Medium

Logo

Audit policy using subcategories must be enabled.

3 rules found Severity: Medium

Logo

The Windows DNS Server log must be enabled.

1 rule found Severity: Medium

Logo

The network device must generate log records for a locally developed list of auditable events

1 rule found Severity: Medium

Logo

The MySQL Database Server 8.0 must be configured to provide audit record generation capability for DoD-defined auditable events within all database components.

1 rule found Severity: Medium

Logo

Redis Enterprise DBMS must provide audit record generation capability for DoD-defined auditable events within all DBMS/database components.

1 rule found Severity: Medium

Logo

Rancher MCM must generate audit records for all DoD-defined auditable events within all components in the platform.

1 rule found Severity: Medium

Logo

Redis Enterprise DBMS must generate audit records for DoD-defined auditable events within all DBMS/database components.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "chacl" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "chage" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "chcon" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "chfn" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "chmod" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for a uses of the "chsh" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "crontab" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "gpasswd" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "insmod" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "kmod" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "modprobe" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "newgrp" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "pam_timestamp_check" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "passwd" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "rm" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "rmmod" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "setfacl" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "ssh-agent" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "ssh-keysign" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "su" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "sudo" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "sudoedit" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "unix_chkpwd" or "unix2_chkpwd" commands.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "usermod" command.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "chmod", "fchmod" and "fchmodat" system calls.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "chown", "fchown", "fchownat", and "lchown" system calls.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "delete_module" system call.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "init_module" and "finit_module" system calls.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "mount" system call.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all uses of the "umount" system call.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all modifications to the "lastlog" file.

1 rule found Severity: Medium

Logo

SLEM 5 must generate audit records for all modifications to the "tallylog" file must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of "setfiles" in SLEM 5 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of "semanage" in SLEM 5 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of "setsebool" in SLEM 5 must generate an audit record.

1 rule found Severity: Medium

Logo

Splunk Enterprise must be configured to retain the DoD-defined attributes of the log records sent by the devices and hosts.

1 rule found Severity: Medium

Logo

The TPS must provide audit record generation capability for detection events based on implementation of policy filters, rules, signatures, and anomaly analysis.

1 rule found Severity: Medium

Logo

The TPS must provide audit record generation capability for events where communication traffic is blocked or restricted based on policy filters, rules, signatures, and anomaly analysis.

1 rule found Severity: Medium

Logo

The TippingPoint SMS must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).

1 rule found Severity: High

Logo

Successful/unsuccessful uses of the "chage" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "chcon" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the ssh-agent in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "passwd" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of postdrop in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of postqueue in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of setsebool in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the ssh-keysign in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "setfacl" command in RTOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "pam_timestamp_check" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "newgrp" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "init_module" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "rename" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "renameat" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "rmdir" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "unlink" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "unlinkat" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "finit_module" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "delete_module" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "crontab" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "chsh" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of setfiles in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the "chacl" command in TOSS must generate an audit record.

1 rule found Severity: Medium

Logo

The web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events.

1 rule found Severity: Medium

Logo

Include Local Events in Audit Logs

24 rules found Severity: Medium

Logo

NixOS must generate audit records for all usage of privileged commands.

1 rule found Severity: Medium

Logo

AAA Services must be configured to audit each authentication and authorization transaction.

1 rule found Severity: Medium

Logo

The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events.

2 rules found Severity: Medium

Logo

The macOS system must ensure System Integrity Protection is enabled.

2 rules found Severity: High

Logo

The application server must generate log records for access and authentication events.

1 rule found Severity: Medium

Logo

The application must provide audit record generation capability for the creation of session IDs.

1 rule found Severity: Medium

Logo

The application must provide audit record generation capability for the destruction of session IDs.

1 rule found Severity: Medium

Logo

The application must provide audit record generation capability for the renewal of session IDs.

1 rule found Severity: Medium

Logo

The application must not write sensitive data into the application logs.

1 rule found Severity: Medium

Logo

The application must provide audit record generation capability for session timeouts.

1 rule found Severity: Medium

Logo

The application must record a time stamp indicating when the event occurred.

1 rule found Severity: Medium

Logo

The application must provide audit record generation capability for HTTP headers including User-Agent, Referer, GET, and POST.

1 rule found Severity: Medium

Logo

The application must provide audit record generation capability for connecting system IP addresses.

1 rule found Severity: Medium

Logo

The application must record the username or user ID of the user associated with the event.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must have the "auditd" package installed.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time.

1 rule found Severity: Medium

Logo

The Central Log Server must be configured to retain the DoD-defined attributes of the log records sent by the devices and hosts.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect the files within /etc/sudoers.d/

1 rule found Severity: Medium

Logo

The container platform must generate audit records for all DoD-defined auditable events within all components in the platform.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 audit system must audit local events.

1 rule found Severity: Medium

Logo

The audit package must be installed on AlmaLinux OS 9.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "mount" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "umount" command.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the umount2 system call in AlmaLinux OS 9 must generate an audit record.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must enable auditing of processes that start prior to the audit daemon.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "chacl" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "chage" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "chcon" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must audit all uses of the chmod, fchmod, and fchmodat system calls.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "chsh" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "crontab" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "gpasswd" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must audit all uses of the kmod command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "newgrp" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "passwd" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "postdrop" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "postqueue" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "su" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "sudo" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "semanage" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "setfacl" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "setfiles" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "setsebool" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "ssh-agent" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "ssh-keysign" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "sudoedit" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "pam_timestamp_check" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "unix_chkpwd" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "unix_update" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "userhelper" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must generate audit records for any use of the "usermod" command.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.

1 rule found Severity: Medium

Logo

The DBMS must provide audit record generation capability for DoD-defined auditable events within all DBMS/database components.

1 rule found Severity: Medium

Logo

The auditd service must be enabled on AlmaLinux OS 9.

1 rule found Severity: Medium

Logo

The Dell OS10 Switch must generate log records for a locally developed list of auditable events.

1 rule found Severity: Medium

Logo

Google Android 13 must be configured to generate audit records for the following auditable events: Detected integrity violations.

2 rules found Severity: Medium

Logo

Forescout must generate log records for a locally developed list of auditable events.

1 rule found Severity: Medium

Logo

Google Android 14 must be configured to generate audit records for the following auditable events: Detected integrity violations.

2 rules found Severity: Medium

Logo

Google Android 15 must be configured to generate audit records for the following auditable events: Detected integrity violations.

2 rules found Severity: Medium

Logo

The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components.

1 rule found Severity: Medium

Logo

AOS must generate log records for a locally developed list of auditable events.

1 rule found Severity: Medium

Logo

The HYCU virtual appliance must generate log records for a locally developed list of auditable events.

1 rule found Severity: Medium

Logo

The IDPS must provide audit record generation capability for detection events based on implementation of policy filters, rules, signatures, and anomaly analysis.

1 rule found Severity: Medium

Logo

The IDPS must provide audit record generation capability for events where communication traffic is blocked or restricted based on policy filters, rules, signatures, and anomaly analysis.

1 rule found Severity: Medium

Logo

The IDPS must provide audit record generation with a configurable severity and escalation level capability.

1 rule found Severity: Medium

Logo

The Juniper router must be configured to generate log records for a locally developed list of auditable events.

1 rule found Severity: Medium

Logo

The Juniper Networks SRX Series Gateway IDPS must provide audit record generation capability for detecting events based on implementation of policy filters, rules, and signatures.

1 rule found Severity: Medium

Logo

The Juniper Networks SRX Series Gateway IDPS must provide audit record generation with a configurable severity and escalation level capability.

1 rule found Severity: Medium

Logo

The Mainframe Product must provide audit record generation capability for DoD-defined auditable events within all application components.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.

1 rule found Severity: Medium

Logo

MariaDB must provide audit record generation capability for DoD-defined auditable events within all DBMS/database components.

1 rule found Severity: Medium

Logo

The Exchange email diagnostic log level must be set to the lowest level.

2 rules found Severity: Medium

Logo

Exchange connectivity logging must be enabled.

2 rules found Severity: Medium

Logo

Exchange audit record parameters must be set.

1 rule found Severity: Low

Logo

SQL Server must be configured to generate audit records for DoD-defined auditable events within all DBMS/database components.

1 rule found Severity: Medium

Logo

Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings.

1 rule found Severity: Medium

Logo

Windows Server 2022 must force audit policy subcategory settings to override audit policy category settings.

1 rule found Severity: Medium

Logo

The OL 8 audit package must be installed.

1 rule found Severity: Medium

Logo

OL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

1 rule found Severity: Medium

Logo

OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creation events that affect "/etc/shadow".

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creation events that affect "/etc/security/opasswd".

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creation events that affect "/etc/passwd".

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creation events that affect "/etc/gshadow".

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creation events that affect "/etc/group".

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/".

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "su" command.

1 rule found Severity: Medium

Logo

The OL 8 audit system must be configured to audit any use of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "chage" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any uses of the "chcon" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "ssh-agent" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "passwd" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "mount" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "umount" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "mount" syscall.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "unix_update" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "postdrop" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "postqueue" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "semanage" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "setfiles" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "userhelper" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "setsebool" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "unix_chkpwd" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "ssh-keysign" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "setfacl" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "pam_timestamp_check" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "newgrp" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "init_module" and "finit_module" system calls.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "gpasswd" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the delete_module syscall.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "crontab" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "chsh" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "chown", "fchown", "fchownat", and "lchown" system calls.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "chmod", "fchmod", and "fchmodat" system calls.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "sudo" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "usermod" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "chacl" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any use of the "kmod" command.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any attempted modifications to the "faillock" log file.

1 rule found Severity: Medium

Logo

OL 8 must generate audit records for any attempted modifications to the "lastlog" file.

1 rule found Severity: Medium

Logo

OL 8 must enable auditing of processes that start prior to the audit daemon.

1 rule found Severity: Medium

Logo

OL 8 must allocate an "audit_backlog_limit" of sufficient size to capture processes that start prior to the audit daemon.

1 rule found Severity: Low

Logo

RHEL 9 must enable auditing of processes that start prior to the audit daemon.

1 rule found Severity: Low

Logo

RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

1 rule found Severity: Medium

Logo

RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

1 rule found Severity: Medium

Logo

RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

1 rule found Severity: Medium

Logo

RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

1 rule found Severity: Medium

Logo

RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

1 rule found Severity: Medium

Logo

RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.

1 rule found Severity: Medium

Logo

RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/.

1 rule found Severity: Medium

Logo

The RHEL 8 audit package must be installed.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the init_module and finit_module system calls in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record.

1 rule found Severity: Medium

Logo

RHEL 8 must enable auditing of processes that start prior to the audit daemon.

1 rule found Severity: Low

Logo

RHEL 8 must enable Linux audit logging for the USBGuard daemon.

1 rule found Severity: Low

Logo

RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

1 rule found Severity: Medium

Logo

RHEL 9 must enable Linux audit logging for the USBGuard daemon.

1 rule found Severity: Low

Logo

RHEL 9 audit package must be installed.

1 rule found Severity: Medium

Logo

RHEL 9 audit service must be enabled.

1 rule found Severity: Medium

Logo

RHEL 9 audit system must audit local events.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of umount system calls.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the chacl command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the setfacl command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the chcon command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the semanage command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the setfiles command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the setsebool command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the delete_module system call.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the init_module and finit_module system calls.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the chage command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the chsh command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the crontab command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the gpasswd command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the kmod command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the newgrp command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the pam_timestamp_check command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the passwd command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the postdrop command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the postqueue command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the ssh-agent command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the ssh-keysign command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the su command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the sudo command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the sudoedit command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the unix_chkpwd command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the unix_update command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the userhelper command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the usermod command.

1 rule found Severity: Medium

Logo

RHEL 9 must audit all uses of the mount command.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the umount system call in RHEL 9 must generate an audit record.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the su command.

2 rules found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the sudo command.

2 rules found Severity: Low

Logo

The SUSE operating system must generate audit records for all uses of the chfn command.

2 rules found Severity: Low

Logo

The SUSE operating system must generate audit records for all uses of the mount command.

1 rule found Severity: Low

Logo

The SUSE operating system must generate audit records for all uses of the umount command.

1 rule found Severity: Low

Logo

The SUSE operating system must generate audit records for all uses of the ssh-agent command.

2 rules found Severity: Low

Logo

The SUSE operating system must generate audit records for all uses of the ssh-keysign command.

2 rules found Severity: Low

Logo

The SUSE operating system must generate audit records for all uses of the kmod command.

2 rules found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr syscalls.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown syscalls.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmodat system calls.

2 rules found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls.

1 rule found Severity: Medium

Logo

Successful/unsuccessful uses of the umount2 system call in RHEL 9 must generate an audit record.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

1 rule found Severity: Medium

Logo

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the passwd command.

1 rule found Severity: Low

Logo

The SUSE operating system must generate audit records for all uses of the gpasswd command.

2 rules found Severity: Low

Logo

The SUSE operating system must generate audit records for all uses of the newgrp command.

2 rules found Severity: Low

Logo

The SUSE operating system must generate audit records for a uses of the chsh command.

2 rules found Severity: Low

Logo

The SUSE operating system must generate audit records for all uses of the chmod command.

2 rules found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the setfacl command.

2 rules found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the chacl command.

2 rules found Severity: Medium

Logo

Successful/unsuccessful attempts to modify categories of information (e.g., classification levels) must generate audit records.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the rm command.

2 rules found Severity: Medium

Logo

The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record.

2 rules found Severity: Medium

Logo

The SUSE operating system must generate audit records for all modifications to the lastlog file.

2 rules found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the passmass command.

2 rules found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the unix_chkpwd command.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the chage command.

2 rules found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the usermod command.

2 rules found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the crontab command.

2 rules found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command.

2 rules found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the delete_module command.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the init_module and finit_module syscalls.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all modifications to the faillog file.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the unlink, unlinkat, rename, renameat and rmdir syscalls.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the passwd command.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the unix_chkpwd or unix2_chkpwd commands.

1 rule found Severity: Medium

Logo

The SUSE operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown system calls.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the sudoedit command.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the mount system call.

1 rule found Severity: Low

Logo

The SUSE operating system must generate audit records for all uses of the umount system call.

1 rule found Severity: Low

Logo

The SUSE operating system must generate audit records for all uses of the insmod command.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the rmmod command.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the modprobe command.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the chcon command.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the delete_module system call.

1 rule found Severity: Medium

Logo

The SUSE operating system must generate audit records for all uses of the init_module and finit_module system calls.

1 rule found Severity: Medium

Logo

The audit records must provide data for all auditable events defined at the organizational level for the organization-defined information system components.

2 rules found Severity: Medium

Logo

The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance.

2 rules found Severity: Medium

Logo

The audit system must be configured to audit all discretionary access control permission modifications.

2 rules found Severity: Medium

Logo

The audit system must be configured to audit the loading and unloading of dynamic kernel modules.

2 rules found Severity: Medium

Logo

The UEM Agent must provide an alert via the trusted channel to the UEM Server in the event of any of the following audit events: -successful application of policies to a mobile device -receiving or generating periodic reachability events -change in enrollment state -failure to install an application from the UEM Server -failure to update an application from the UEM Server.

1 rule found Severity: Medium

Logo

The UEM Agent must generate a UEM Agent audit record of the following auditable events:-startup and shutdown of the UEM Agent-UEM policy updated-any modification commanded by the UEM Server.

1 rule found Severity: Medium

Logo

The UEM Agent must be configured to enable the following function: read audit logs of the managed endpoint device.

1 rule found Severity: Medium

Logo

The VMM must provide audit record generation capability for DoD-defined auditable events for all VMM components.

1 rule found Severity: Medium

Logo

The UEM server must provide audit record generation capability for DoD-defined auditable events within all application components.

1 rule found Severity: Medium

Logo

The UEM server must be configured to provide audit records in a manner suitable for the Authorized Administrators to interpret the information.

1 rule found Severity: Medium

Logo

The NSX Manager must configure logging levels for services to ensure audit records are generated.

1 rule found Severity: Medium

Logo

ESX Agent Manager must record user access in a format that enables monitoring of remote access.

1 rule found Severity: Medium

Logo

ESX Agent Manager must generate log records for system startup and shutdown.

1 rule found Severity: Medium

Logo

VAMI must generate log records for system startup and shutdown.

1 rule found Severity: Medium

Logo

Lookup Service must generate log records for system startup and shutdown.

1 rule found Severity: Medium

Logo

Performance Charts must record user access in a format that enables monitoring of remote access.

1 rule found Severity: Medium

Logo

Performance Charts must generate log records for system startup and shutdown.

1 rule found Severity: Medium

Logo

The Photon operating system must have the auditd service running.

1 rule found Severity: Medium

Logo

VMware Postgres log files must contain required fields.

1 rule found Severity: Medium

Logo

The vCenter ESX Agent Manager service must produce log records containing sufficient information regarding event details.

2 rules found Severity: Medium

Logo

The Security Token Service must generate log records during Java startup and shutdown.

1 rule found Severity: Medium

Logo

The vCenter Lookup service must produce log records containing sufficient information regarding event details.

2 rules found Severity: Medium

Logo

The vCenter Perfcharts service must produce log records containing sufficient information regarding event details.

2 rules found Severity: Medium

Logo

vSphere UI must record user access in a format that enables monitoring of remote access.

1 rule found Severity: Medium

Logo

vSphere UI must generate log records for system startup and shutdown.

1 rule found Severity: Medium

Logo

The Photon operating system must enable the auditd service.

2 rules found Severity: Medium

Logo

The vCenter PostgreSQL service must enable "pgaudit" to provide audit record generation capabilities.

2 rules found Severity: Medium

Logo

The vCenter STS service must produce log records containing sufficient information regarding event details.

2 rules found Severity: Medium

Logo

Zebra Android 13 must be configured to generate audit records for the following auditable events: Detected integrity violations.

2 rules found Severity: Medium

Logo

The vCenter UI service must produce log records containing sufficient information regarding event details.

2 rules found Severity: Medium

Logo

The SEL-2740S must be configured to create log records for DoD-defined events.

1 rule found Severity: Medium

Logo