Capacity
CCI-001314
Reveal error messages only to organization-defined personnel or roles.
40
Rule
Severity: Medium
System Audit Logs Must Be Owned By Root
29
Rule
Severity: Medium
Ensure Log Files Are Owned By Appropriate Group
29
Rule
Severity: Medium
Ensure Log Files Are Owned By Appropriate User
29
Rule
Severity: Medium
Ensure System Log Files Have Correct Permissions
17
Rule
Severity: Medium
System Audit Logs Must Have Mode 0640 or Less Permissive
29
Rule
Severity: Medium
Verify Group Who Owns /var/log Directory
29
Rule
Severity: Medium
Verify Group Who Owns /var/log/messages File
29
Rule
Severity: Medium
Verify Group Who Owns /var/log/syslog File
29
Rule
Severity: Medium
Verify User Who Owns /var/log Directory
29
Rule
Severity: Medium
Verify User Who Owns /var/log/messages File
29
Rule
Severity: Medium
Verify User Who Owns /var/log/syslog File
27
Rule
Severity: Medium
Verify Permissions on /var/log Directory
28
Rule
Severity: Medium
Verify Permissions on /var/log/messages File
28
Rule
Severity: Medium
Verify Permissions on /var/log/syslog File
17
Rule
Severity: Low
Restrict Access to Kernel Message Buffer
6
Rule
Severity: Medium
System Audit Directories Must Be Group Owned By Root
6
Rule
Severity: Medium
System Audit Directories Must Be Owned By Root
11
Rule
Severity: Medium
System Audit Logs Must Be Group Owned By Root
1
Rule
Severity: Medium
Kubernetes Audit Logs Must Be Owned By Root
1
Rule
Severity: Medium
OAuth Audit Logs Must Be Owned By Root
1
Rule
Severity: Medium
OpenShift Audit Logs Must Be Owned By Root
1
Rule
Severity: Medium
Verify Group Who Owns lastlog Command
1
Rule
Severity: Medium
Verify Owner on lastlog Command
1
Rule
Severity: Medium
Verify Permissions on lastlog Command
2
Rule
Severity: Medium
Verify that local /var/log/messages is not world-readable
2
Rule
Severity: Medium
The A10 Networks ADC must reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
1
Rule
Severity: High
Kona Site Defender must reveal error messages only to the ISSO, ISSM, and SCA.
1
Rule
Severity: Medium
The Arista Multilayer Switch must reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
2
Rule
Severity: Medium
The ALG must reveal error messages only to the ISSO, ISSM, and SCA.
2
Rule
Severity: Medium
The application server must restrict error messages only to authorized users.
2
Rule
Severity: Medium
The application must reveal error messages only to the ISSO, ISSM, or SA.
1
Rule
Severity: Medium
The CA API Gateway must reveal error messages only to the ISSO, ISSM, and SCA.
2
Rule
Severity: Medium
IDMS must reveal security-related messages only to authorized users.
2
Rule
Severity: Medium
Custom database code and associated application code must reveal detailed error messages only to the Information System Security Officer (ISSO), Information System Security manager (ISSM), Systems Administrator (SA), and Database Administrator (DBA).
1
Rule
Severity: Medium
The DBN-6300 must reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
1
Rule
Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
1
Rule
Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.
2
Rule
Severity: Medium
The WebSphere Liberty Server must be configured to encrypt log information.
1
Rule
Severity: Medium
DB2 must reveal detailed error messages only to the ISSO, ISSM, SA and DBA.
1
Rule
Severity: Medium
The WebSphere Application Server security auditing must be enabled.
1
Rule
Severity: Medium
The WebSphere Application Server LDAP groups must be authorized for the WebSphere role.
2
Rule
Severity: Medium
Access to JBoss log files must be restricted to authorized users.
2
Rule
Severity: Low
The Sentry must reveal error messages only to the ISSO, ISSM, and SCA.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway must generate alerts to the management console and generate a log record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are deleted.
2
Rule
Severity: Medium
The Mainframe Product must reveal full-text detail error messages only to system programmers and/or security administrators.
1
Rule
Severity: Medium
SQL Server must reveal detailed error messages only to the ISSO, ISSM (or their designees), SA and DBA.
1
Rule
Severity: Medium
Nutanix AOS must restrict error messages only to authorized users.
1
Rule
Severity: Medium
Nutanix AOS must reveal error messages only to authorized users.
1
Rule
Severity: Medium
Oracle WebLogic must restrict error messages so only authorized personnel may view them.
1
Rule
Severity: Medium
The application must reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
2
Rule
Severity: Medium
The Tanium application must reveal error messages only to the information system security officer (ISSO), information system security manager (ISSM), and system administrator (SA).
2
Rule
Severity: Medium
The Tanium application must reveal error messages only to the ISSO, ISSM, and SA.
2
Rule
Severity: Medium
The UEM server must reveal error messages only to the Information System Security Manager (ISSM) and Information System Security Officer (ISSO).
1
Rule
Severity: Medium
The Horizon Connection Server must protect log files from unauthorized access.
2
Rule
Severity: Low
Default error pages for manager application must be customized.
2
Rule
Severity: Medium
ErrorReportValve showReport must be set to false.
1
Rule
Severity: Medium
The macOS system must be configured so that log files must not contain access control lists (ACLs).
3
Rule
Severity: Medium
The macOS system must be configured so that log files do not contain access control lists (ACLs).
4
Rule
Severity: Medium
The macOS system must be configured with system log files owned by root and group-owned by wheel or admin.
4
Rule
Severity: Medium
The macOS system must be configured with system log files set to mode 640 or less permissive.
3
Rule
Severity: Medium
The macOS system must disable sending diagnostic and usage data to Apple.
2
Rule
Severity: Medium
The macOS system must configure Apple System Log files to be owned by root and group to wheel.
2
Rule
Severity: Medium
The macOS system must configure Apple System Log files to mode 640 or less permissive.
2
Rule
Severity: Medium
The macOS system must configure system log files to be owned by root and group to wheel.
3
Rule
Severity: Medium
The macOS system must configure system log files to mode 640 or less permissive.
3
Rule
Severity: Medium
The Ubuntu operating system must configure the /var/log directory to be group-owned by syslog.
3
Rule
Severity: Medium
The Ubuntu operating system must configure the /var/log directory to be owned by root.
1
Rule
Severity: Medium
The Ubuntu operating system must configure the /var/log directory to have mode 0755 or less permissive.
3
Rule
Severity: Medium
The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by adm.
3
Rule
Severity: Medium
The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog.
3
Rule
Severity: Medium
The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less permissive.
2
Rule
Severity: Medium
The Ubuntu operating system must configure the /var/log directory to have mode "0755" or less permissive.
2
Rule
Severity: Medium
PostgreSQL must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA.
3
Rule
Severity: Medium
The EDB Postgres Advanced Server must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA.
2
Rule
Severity: Medium
The DBMS must reveal detailed error messages only to the ISSO, ISSM, SA and DBA.
2
Rule
Severity: Medium
The operating system must reveal error messages only to authorized users.
2
Rule
Severity: Medium
AIX log files must be owned by a system account.
2
Rule
Severity: Medium
AIX log files must be owned by a system group.
2
Rule
Severity: Medium
AIX log files must have mode 0640 or less permissive.
2
Rule
Severity: Medium
AIX log files must not have extended ACLs, except as needed to support authorized software.
2
Rule
Severity: Medium
CA-ACF2 must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
4
Rule
Severity: Medium
IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing.
2
Rule
Severity: Medium
CA-TSS must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
2
Rule
Severity: Medium
IBM z/OS SMF collection files (i.e., SYS1.MANx) access must be limited to appropriate users and/or batch jobs that perform SMF dump processing.
2
Rule
Severity: Medium
IBM RACF must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
2
Rule
Severity: Medium
MongoDB must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA.
1
Rule
Severity: Medium
SQL Server must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA.
2
Rule
Severity: Medium
The system must be configured to audit Account Management - User Account Management failures.
2
Rule
Severity: High
Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access.
1
Rule
Severity: Medium
The DBMS must restrict error messages, so only authorized personnel may view them.
2
Rule
Severity: Medium
The DBMS must restrict error messages so only authorized personnel may view them.
2
Rule
Severity: Medium
The Oracle Linux operating system must protect audit information from unauthorized read, modification, or deletion.
1
Rule
Severity: Medium
PostgreSQL must reveal detailed error messages only to the ISSO, ISSM, SA and DBA.
2
Rule
Severity: Medium
The OL 8 "/var/log/messages" file must have mode 0640 or less permissive.
2
Rule
Severity: Medium
The OL 8 "/var/log/messages" file must be owned by root.
2
Rule
Severity: Medium
The OL 8 "/var/log/messages" file must be group-owned by root.
2
Rule
Severity: Medium
The OL 8 "/var/log" directory must have mode 0755 or less permissive.
2
Rule
Severity: Medium
The OL 8 "/var/log" directory must be owned by root.
2
Rule
Severity: Medium
The OL 8 "/var/log" directory must be group-owned by root.
2
Rule
Severity: Medium
The OL 8 lastlog command must have a mode of "0750" or less permissive.
2
Rule
Severity: Medium
The OL 8 lastlog command must be owned by root.
2
Rule
Severity: Medium
The OL 8 lastlog command must be group-owned by root.
2
Rule
Severity: Medium
The Palo Alto Networks security platform must block traceroutes and ICMP probes originating from untrusted networks (e.g., ISP and other non-DoD networks).
2
Rule
Severity: Medium
Administrators in the role of Security Administrator, Cryptographic Administrator, or Audit Administrator must not also have the role of Audit Administrator.
2
Rule
Severity: Medium
Automation Controller's log files must be accessible by explicitly defined privilege.
2
Rule
Severity: Medium
The RHEL 8 /var/log/messages file must have mode 0640 or less permissive.
2
Rule
Severity: Medium
The RHEL 8 /var/log/messages file must be owned by root.
2
Rule
Severity: Medium
The RHEL 8 /var/log/messages file must be group-owned by root.
2
Rule
Severity: Medium
The RHEL 8 /var/log directory must have mode 0755 or less permissive.
2
Rule
Severity: Medium
The RHEL 8 /var/log directory must be owned by root.
2
Rule
Severity: Medium
The RHEL 8 /var/log directory must be group-owned by root.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion.
2
Rule
Severity: Medium
RHEL 9 /var/log directory must have mode 0755 or less permissive.
2
Rule
Severity: Medium
RHEL 9 /var/log/messages file must have mode 0640 or less permissive.
4
Rule
Severity: Medium
The SUSE operating system must prevent unauthorized users from accessing system error messages.
2
Rule
Severity: Medium
RHEL 9 /var/log directory must be owned by root.
2
Rule
Severity: Medium
RHEL 9 /var/log directory must be group-owned by root.
2
Rule
Severity: Medium
RHEL 9 /var/log/messages file must be owned by root.
2
Rule
Severity: Medium
RHEL 9 /var/log/messages file must be group-owned by root.
2
Rule
Severity: Medium
RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access.
2
Rule
Severity: Medium
RHEL 9 audit log directory must be owned by root to prevent unauthorized read access.
2
Rule
Severity: Medium
RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log.
4
Rule
Severity: Low
The operating system must reveal error messages only to authorized personnel.
2
Rule
Severity: Medium
The VMM must reveal system error messages only to authorized users.
1
Rule
Severity: Medium
The Photon operating system "/var/log" directory must be owned by root.
1
Rule
Severity: Medium
The Photon operating system messages file must have the correct ownership and file permissions.
1
Rule
Severity: Medium
VMware Postgres must provide nonprivileged users with minimal error information.
3
Rule
Severity: Medium
The Photon operating system must reveal error messages only to authorized users.
3
Rule
Severity: Medium
The vCenter PostgreSQL service must provide nonprivileged users with minimal error information.
1
Rule
Severity: Medium
The application must be configured to reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
1
Rule
Severity: Medium
The macOS system must configure Apple System Log (ASL) files owned by root and group to wheel.
1
Rule
Severity: Medium
The macOS system must configure Apple System Log (ASL) files to mode 640 or less permissive.
1
Rule
Severity: Medium
The macOS system must configure system log files owned by root and group to wheel.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must configure the "/var/log" directory to have mode "755" or less permissive.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must configure "/var/log/syslog" file with mode "640" or less permissive.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must configure the directories used by the system journal to be owned by "root".
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must configure the directories used by the system journal to be group-owned by "systemd-journal".
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must configure the files used by the system journal to be owned by "root".
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must configure the files used by the system journal to be group-owned by "systemd-journal".
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must be configured so that the "journalctl" command is owned by "root".
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must be configured so that the "journalctl" command is group-owned by "root".
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must configure the "/var/log" directory to be owned by "root".
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must configure the "/var/log" directory to be group-owned by "syslog".
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must configure "/var/log/syslog" file to be owned by "syslog".
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must configure the "/var/log/syslog" file to be group-owned by "adm".
1
Rule
Severity: Medium
PostgreSQL must reveal detailed error messages only to the information system security officer (ISSO), information system security manager (ISSM), system administrator (SA), and database administrator (DBA).
1
Rule
Severity: Medium
MongoDB must reveal detailed error messages only to the information system security officer (ISSO), information system security manager (ISSM), system administrator (SA), and database administrator (DBA).
1
Rule
Severity: Medium
SQL Server must reveal detailed error messages only to documented and approved individuals or roles.
1
Rule
Severity: Medium
SLEM 5 must prevent unauthorized users from accessing system error messages.
1
Rule
Severity: Medium
TOSS must reveal error messages only to authorized users.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules