CCI-000174

For application servers providing log record aggregation, the application server must compile log records from organization-defined information system components into a system-wide log trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the log trail.

For applications providing audit record aggregation, the application must compile audit records from organization-defined information system components into a system-wide audit trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail.

The Central Log Server must be configured to aggregate log records from organization-defined devices and hosts within its scope of coverage.

Time stamps recorded on the log records in the Central Log Server must be configured to synchronize to within one second of the host server or, if NTP is configured directly in the log server, the NTP time source must be the same as the host and devices within its scope of coverage.

Where multiple log servers are installed in the enclave, each log server must be configured to aggregate log records to a central aggregation server or other consolidated events repository.

The Jamf Pro EMM local accounts must be configured with password maximum lifetime of 3 months.

For Mainframe Products providing audit record aggregation, the Mainframe Product must compile audit records from mainframe components into a system-wide audit trail that is time-correlated with a tolerance for the relationship between time stamps of individual records in the audit trail in accordance with the site security plan.

Oracle WebLogic must compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance.

Splunk Enterprise must be configured to aggregate log records from organization-defined devices and hosts within its scope of coverage.

The Samsung SDS EMM local accounts must be configured with password maximum lifetime of 60 Days.

The Workspace ONE UEM local accounts must be configured with password maximum lifetime of 60 days.

Automation Controller must use external log providers that can collect user activity logs in independent, protected repositories to prevent modification or repudiation.

In a distributed environment, Splunk Enterprise indexers must be configured to ingest log records from its forwarders.