CCI-001464

1 rule found Severity: High

34 rules found Severity: Medium

36 rules found Severity: Medium

7 rules found Severity: Medium

22 rules found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

The macOS system must initiate session audits at system startup, using internal clocks with time stamps for audit records that meet a minimum granularity of one second and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), in order to generate audit records containing information to establish what type of events occurred, the identity of any individual or process associated with the event, including individual identities of group account users, establish where the events occurred, source of the event, and outcome of the events including all account enabling actions, full-text recording of privileged commands, and information about the use of encryption for access wireless access to and from the system.

1 rule found Severity: Medium

2 rules found Severity: Medium

3 rules found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

15 rules found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

Enable audit Service

Ensure the audit Subsystem is Installed

Enable auditd Service

Ensure the audit-libs package as a part of audit Subsystem is Installed

Enable Auditing for Processes Which Start Prior to the Audit Daemon

Enable Auditing for Processes Which Start Prior to the Audit Daemon

Ensure the libaudit1 package as a part of audit Subsystem is Installed

The DBN-6300 must initiate session auditing upon startup.

The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise.

The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set.

The HP FlexFabric Switch must initiate session auditing upon startup.

The HYCU server must initiate session auditing upon startup and produce audit log records containing sufficient information to establish what type of event occurred.

DB2 must initiate session auditing upon startup.

The WebSphere Application Server security auditing must be enabled.

The IBM z/VM JOURNALING statement must be coded on the configuration file.

Nutanix AOS must initiate session audits at system start-up.

Innoslate must generate comprehensive audit records.

The Ubuntu operating system must initiate session audits at system startup.

MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.

PostgreSQL must initiate session auditing upon startup.

The EDB Postgres Advanced Server must initiate support of session auditing upon startup.

The macOS system must produce audit records containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions.

The Ubuntu operating system must initiate session audits at system start-up.

The Cisco ISE must initiate session auditing upon startup.

SSMC web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events.

SSMC web server must initiate session logging upon start up.

AIX must start audit at boot.

The WebSphere Liberty Server must generate log records for authentication and authorization events.

JBoss must be configured to initiate session logging upon startup.

The Kubernetes API Server must have an audit log path set.

MarkLogic Server must initiate session auditing upon startup.

Audit logging must be enabled on MKE.

MongoDB must provide audit record generation for DOD-defined auditable events within all DBMS/database components.

Azure SQL Database must initiate session auditing upon startup.

Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web server must be enabled.

Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled.

The network device must initiate session auditing upon startup.

The MySQL Database Server 8.0 must initiate session auditing upon startup.

The Riverbed NetProfiler must be configured to automatically generate DOD-required audit records with sufficient information to support incident reporting to a central log server.

Rancher MCM must generate audit records for all DoD-defined auditable events within all components in the platform.

SLEM 5 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

TOSS audit records must contain information to establish what type of events occurred, when the events occurred, the source of events, where events occurred, and the outcome of events.

The web server must initiate session logging upon start up.

Extend Audit Backlog Limit for the Audit Daemon

NixOS must enable the audit daemon.

The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events.

The macOS system must enable security auditing.

The application server must initiate session logging upon startup.

Ubuntu 22.04 LTS must initiate session audits at system startup.

The application must initiate session auditing upon startup.

The Central Log Server must initiate session auditing upon startup.

The container platform must initiate session auditing upon startup.

AlmaLinux OS 9 must enable auditing of processes that start prior to the audit daemon.

The DBMS must initiate session auditing upon startup.

The Dell OS10 Switch must initiate session auditing upon startup.

The HYCU virtual appliance must initiate session auditing upon startup.

The operating system must initiate session audits at system start-up.

IBM z/OS must specify SMF data options to assure appropriate activation.

IBM z/OS must specify SMF data options to ensure appropriate activation.

The Mainframe Product must initiate session auditing upon startup.

MariaDB must initiate session auditing upon startup.

SQL Server must initiate session auditing upon startup.

The OL 8 audit package must be installed.

OL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.

Red Hat Enterprise Linux CoreOS (RHCOS) must initiate session audits at system startup.

OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis.

RHEL 9 must enable auditing of processes that start prior to the audit daemon.

RHEL 9 audit package must be installed.

RHEL 9 audit service must be enabled.

RHEL 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.

SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

The UEM server must initiate session auditing upon startup.

The VMM must initiate session audits at system startup.

ESX Agent Manager must record user access in a format that enables monitoring of remote access.

Lookup Service must generate log records for system startup and shutdown.

Performance Charts must generate log records for system startup and shutdown.

The Photon operating system must initiate auditing as part of the boot process.

VMware Postgres must have log collection enabled.