CCI-001464

Enable audit Service

Ensure the audit Subsystem is Installed

Enable auditd Service

Ensure the audit-libs package as a part of audit Subsystem is Installed

Enable Auditing for Processes Which Start Prior to the Audit Daemon

Enable Auditing for Processes Which Start Prior to the Audit Daemon

Ensure the libaudit1 package as a part of audit Subsystem is Installed

The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events.

The application server must initiate session logging upon startup.

The application must initiate session auditing upon startup.

The Central Log Server must initiate session auditing upon startup.

The DBN-6300 must initiate session auditing upon startup.

The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise.

The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set.

The HP FlexFabric Switch must initiate session auditing upon startup.

The HYCU server must initiate session auditing upon startup and produce audit log records containing sufficient information to establish what type of event occurred.

DB2 must initiate session auditing upon startup.

The WebSphere Liberty Server must generate log records for authentication and authorization events.

The WebSphere Application Server security auditing must be enabled.

The IBM z/VM JOURNALING statement must be coded on the configuration file.

JBoss must be configured to initiate session logging upon startup.

The Mainframe Product must initiate session auditing upon startup.

Azure SQL Database must initiate session auditing upon startup.

The network device must initiate session auditing upon startup.

Nutanix AOS must initiate session audits at system start-up.

The Riverbed NetProfiler must be configured to automatically generate DOD-required audit records with sufficient information to support incident reporting to a central log server.

Rancher MCM must generate audit records for all DoD-defined auditable events within all components in the platform.

Innoslate must generate comprehensive audit records.

The UEM server must initiate session auditing upon startup.

The macOS system must initiate session audits at system startup, using internal clocks with time stamps for audit records that meet a minimum granularity of one second and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), in order to generate audit records containing information to establish what type of events occurred, the identity of any individual or process associated with the event, including individual identities of group account users, establish where the events occurred, source of the event, and outcome of the events including all account enabling actions, full-text recording of privileged commands, and information about the use of encryption for access wireless access to and from the system.

The macOS system must produce audit records containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions.

The macOS system must enable security auditing.

The Ubuntu operating system must initiate session audits at system startup.

The Ubuntu operating system must initiate session audits at system start-up.

PostgreSQL must initiate session auditing upon startup.

The DBMS must initiate session auditing upon startup.

The Cisco ISE must initiate session auditing upon startup.

The container platform must initiate session auditing upon startup.

The EDB Postgres Advanced Server must initiate support of session auditing upon startup.

The operating system must initiate session audits at system start-up.

SSMC web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events.

SSMC web server must initiate session logging upon start up.

AIX must start audit at boot.

IBM z/OS must specify SMF data options to assure appropriate activation.

IBM z/OS must specify SMF data options to ensure appropriate activation.

The Kubernetes API Server must have an audit log path set.

MarkLogic Server must initiate session auditing upon startup.

MariaDB must initiate session auditing upon startup.

MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.

Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled.

Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web server must be enabled.

SQL Server must initiate session auditing upon startup.

OL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

The Oracle Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users.

The MySQL Database Server 8.0 must initiate session auditing upon startup.

Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.

Red Hat Enterprise Linux CoreOS (RHCOS) must initiate session audits at system startup.

OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis.

RHEL 9 must enable auditing of processes that start prior to the audit daemon.

SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

RHEL 9 audit package must be installed.

RHEL 9 audit service must be enabled.

RHEL 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.

The VMM must initiate session audits at system startup.

Performance Charts must generate log records for system startup and shutdown.

ESX Agent Manager must record user access in a format that enables monitoring of remote access.

Lookup Service must generate log records for system startup and shutdown.

The Photon operating system must initiate auditing as part of the boot process.

The vCenter ESX Agent Manager service must initiate session logging upon startup.

VMware Postgres must have log collection enabled.

The Security Token Service must generate log records during Java startup and shutdown.

The vCenter Lookup service must initiate session logging upon startup.

vSphere UI must generate log records for system startup and shutdown.

The vCenter Perfcharts service must initiate session logging upon startup.

The Photon operating system must initiate session audits at system startup.

The vCenter PostgreSQL service must initiate session auditing upon startup.

The vCenter STS service must initiate session logging upon startup.

The vCenter UI service must initiate session logging upon startup.

The web server must initiate session logging upon start up.

Ubuntu 22.04 LTS must initiate session audits at system startup.

Audit logging must be enabled on MKE.

MongoDB must provide audit record generation for DOD-defined auditable events within all DBMS/database components.

The OL 8 audit package must be installed.

SLEM 5 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

TOSS audit records must contain information to establish what type of events occurred, when the events occurred, the source of events, where events occurred, and the outcome of events.