CCI-001404
Automatically audit account disabling actions.
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/group
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/gshadow
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/security/opasswd
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/passwd
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/shadow
8
Rule
Severity: Medium
Ensure auditd Collects System Administrator Actions - /etc/sudoers
7
Rule
Severity: Medium
Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
2
Rule
Severity: Medium
AAA Services must be configured to automatically audit account disabling actions.
1
Rule
Severity: Medium
The Arista Multilayer Switch must automatically audit account disabling actions.
2
Rule
Severity: Medium
The Arista network device must be configured to audit all administrator activity.
2
Rule
Severity: Medium
The application must automatically audit account disabling actions.
2
Rule
Severity: Medium
The Central Log Server must automatically audit account disabling actions.
1
Rule
Severity: Medium
The HP FlexFabric Switch must automatically audit account disabling actions.
1
Rule
Severity: Medium
The HYCU server must initiate session auditing upon startup and produce audit log records containing sufficient information to establish what type of event occurred.
1
Rule
Severity: Medium
CA VM:Secure product must be installed and operating.
2
Rule
Severity: Medium
The Juniper router must be configured to automatically audit account disabling actions.
2
Rule
Severity: Medium
For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account disabling events.
2
Rule
Severity: Medium
The Mainframe Product must automatically audit account disabling actions.
2
Rule
Severity: Medium
The network device must automatically audit account disabling actions.
1
Rule
Severity: Medium
Nutanix AOS must audit all account actions.
2
Rule
Severity: High
The Riverbed NetProfiler must be configured to automatically generate DOD-required audit records with sufficient information to support incident reporting to a central log server.
2
Rule
Severity: Medium
When allowed by the central authentication system, the default role assigned to a user must be User-Base.
1
Rule
Severity: Low
Riverbed Optimization System (RiOS) must automatically generate a log event for account disabling actions.
2
Rule
Severity: Medium
The UEM server must automatically audit account disabling actions.
1
Rule
Severity: High
The TippingPoint SMS must automatically generate audit records for account changes and actions with containing information needed for analysis of the event that occurred on the SMS and TPS.
1
Rule
Severity: Medium
The macOS system must generate audit records for all account creations, modifications, disabling, and termination events; privileged activities or other system-level access; all kernel module load, unload, and restart actions; all program initiations; and organizationally defined events for all non-local maintenance and diagnostic sessions.
3
Rule
Severity: Medium
The macOS system must generate audit records for all account creations, modifications, disabling, and termination events; privileged activities or other system-level access; all kernel module load, unload, and restart actions; all program initiations; and organizationally defined events for all nonlocal maintenance and diagnostic sessions.
3
Rule
Severity: Medium
The macOS system must be configured to audit all administrative action events.
3
Rule
Severity: Medium
The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
3
Rule
Severity: Medium
The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
3
Rule
Severity: Medium
The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
3
Rule
Severity: Medium
The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
1
Rule
Severity: Medium
The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
2
Rule
Severity: Medium
The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
2
Rule
Severity: Medium
The Cisco ASA must be configured to automatically audit account-disabling actions.
4
Rule
Severity: Medium
The Cisco router must be configured to automatically audit account disabling actions.
6
Rule
Severity: Medium
The Cisco switch must be configured to automatically audit account disabling actions.
2
Rule
Severity: Medium
For the local web-based account of last resort, the Cisco ISE must automatically audit account disabling actions.
2
Rule
Severity: Medium
The container platform must automatically audit account-disabling actions.
2
Rule
Severity: Medium
The operating system must audit all account disabling actions.
2
Rule
Severity: Medium
AIX must provide audit record generation functionality for DoD-defined auditable events.
2
Rule
Severity: Medium
IBM z/OS Required SMF data record types must be collected.
2
Rule
Severity: Medium
IBM RACF SETROPTS LOGOPTIONS must be properly configured.
4
Rule
Severity: Medium
IBM z/OS required SMF data record types must be collected.
2
Rule
Severity: Medium
The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.
2
Rule
Severity: Medium
Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event.
2
Rule
Severity: Medium
The system must be configured to audit Account Management - Security Group Management successes.
2
Rule
Severity: Medium
The system must be configured to audit Account Management - User Account Management failures.
2
Rule
Severity: Medium
The system must be configured to audit Account Management - User Account Management successes.
2
Rule
Severity: Medium
Windows Server 2016 must be configured to audit Account Management - Security Group Management successes.
2
Rule
Severity: Medium
Windows Server 2016 must be configured to audit Account Management - User Account Management successes.
2
Rule
Severity: Medium
Windows Server 2016 must be configured to audit Account Management - User Account Management failures.
2
Rule
Severity: Medium
Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout failures.
2
Rule
Severity: Medium
Windows Server 2016 must be configured to audit Account Management - Computer Account Management successes.
2
Rule
Severity: Medium
Windows Server 2019 must be configured to audit Account Management - Security Group Management successes.
2
Rule
Severity: Medium
Windows Server 2019 must be configured to audit Account Management - User Account Management successes.
2
Rule
Severity: Medium
Windows Server 2019 must be configured to audit Account Management - User Account Management failures.
2
Rule
Severity: Medium
Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes.
2
Rule
Severity: Medium
Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures.
2
Rule
Severity: Medium
Windows Server 2022 must be configured to audit Account Management - Security Group Management successes.
2
Rule
Severity: Medium
Windows Server 2022 must be configured to audit Account Management - User Account Management successes.
2
Rule
Severity: Medium
Windows Server 2022 must be configured to audit Account Management - User Account Management failures.
2
Rule
Severity: Medium
Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout failures.
2
Rule
Severity: Medium
Windows Server 2022 must be configured to audit Account Management - Computer Account Management successes.
2
Rule
Severity: Medium
The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creation events that affect "/etc/shadow".
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creation events that affect "/etc/security/opasswd".
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creation events that affect "/etc/passwd".
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creation events that affect "/etc/gshadow".
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creation events that affect "/etc/group".
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/".
2
Rule
Severity: Medium
Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.
2
Rule
Severity: Medium
OpenShift must generate audit rules to capture account related actions.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
4
Rule
Severity: Medium
The operating system must automatically audit account disabling actions.
2
Rule
Severity: Medium
The VMM must automatically audit account disabling actions.
1
Rule
Severity: Medium
The Photon operating system must audit all account disabling actions.
3
Rule
Severity: Medium
The Photon operating system must audit the execution of privileged functions.
1
Rule
Severity: Medium
The BIG-IP appliance must automatically audit account-disabling actions.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must be configured to audit the execution of privileged functions such as accounts additions and changes.
1
Rule
Severity: Medium
Audit logging must be enabled on MKE.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
1
Rule
Severity: High
The TippingPoint SMS must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).
1
Rule
Severity: Medium
TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.