Ensure the audit Subsystem is Installed
Record attempts to alter time through adjtimex
Ensure the audit-libs package as a part of audit Subsystem is Installed
Record Attempts to Alter Time Through clock_settime
Record attempts to alter time through settimeofday
Record Attempts to Alter Time Through stime
Record Attempts to Alter the localtime File
Ensure the libaudit1 package as a part of audit Subsystem is Installed
AAA Services configuration audit records must identify any individual user or process associated with the event.
The Apache web server must produce log records containing sufficient information to establish what type of events occurred.
The ALG must generate audit records containing information to establish the identity of any individual or process associated with the event.
The application server must generate log records containing information that establishes the identity of any individual or process associated with the event.
The Arista network device must be configured to capture all DOD auditable events.
The application must generate audit records containing information that establishes the identity of any individual or process associated with the event.
The CA API Gateway must generate audit records containing information to establish the identity of any individual or process associated with the event.
The Central Log Server must generate audit records containing information that establishes the identity of any individual or process associated with the event.
The DBN-6300 must generate audit records containing information that establishes the identity of any individual or process associated with the event.
The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise.
The host operating system's auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set.
The DNS server implementation must generate audit records containing information that establishes the identity of any individual or process associated with the event.
The FortiGate device must generate audit records containing information that establishes the identity of any individual or process associated with the event.
The HP FlexFabric Switch must generate audit records containing information that establishes the identity of any individual or process associated with the event.
The HYCU server must generate audit records containing information that establishes the identity of any individual or process associated with the event.
The MQ Appliance messaging server must produce log records containing information to establish what type of events occurred.
The WebSphere Liberty Server must log remote session and security activity.
The MQ Appliance network device must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
The WebSphere Application Server audit event type filters must be configured.
CA VM:Secure product must be installed and operating.
JBoss ROOT logger must be configured to utilize the appropriate logging level.
The Sentry must generate audit records containing information to establish the identity of any individual or process associated with the event.
The Mainframe Product must generate audit records containing information to establish the identity of any individual or process associated with the event.
SQL Server must produce Trace or Audit records containing sufficient information to establish the identity of any user/subject associated with the event.
The network device must generate audit records containing information that establishes the identity of any individual or process associated with the event.
Nutanix AOS must produce audit records containing information to establish the identity of any individual or process associated with the event.
OHS must have a log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
OHS must have a SSL log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
OHS must have a log file defined for each site/virtual host to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
Oracle WebLogic must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.
Prisma Cloud Compute Defender must be deployed to containerization nodes that are to be monitored.
The Riverbed NetProfiler must be configured to automatically generate DOD-required audit records with sufficient information to support incident reporting to a central log server.
Rancher MCM must allocate audit record storage and generate audit records associated with events, users, and groups.
The SDN controller must be configured to generate audit records containing information that establishes the identity of any individual or process associated with the event.
Symantec ProxySG must generate audit records containing information to establish the identity of any individual or process associated with the event.
The UEM server must be configured to generate audit records containing information that establishes the identity of any individual or process associated with the event.
The TippingPoint SMS must automatically generate audit records for account changes and actions containing information needed for analysis of the event that occurred on the SMS and TPS.
The VPN Gateway must generate log records containing information that establishes the identity of any individual or process associated with the event.
Audit records content must contain valid information to allow for proper incident reporting.
The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events.
AccessLogValve must be configured per each virtual host.
The macOS system must initiate session audits at system startup, using internal clocks with time stamps for audit records that meet a minimum granularity of one second and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), in order to generate audit records containing information to establish what type of events occurred, the identity of any individual or process associated with the event, including individual identities of group account users, establish where the events occurred, source of the event, and outcome of the events including all account enabling actions, full-text recording of privileged commands, and information about the use of encryption for wireless access to and from the system.
The macOS system must produce audit records containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions.
The macOS system must enable security auditing.
PostgreSQL must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.
The Cisco ASA remote access VPN server must be configured to generate log records containing information that establishes the identity of any individual or process associated with the event.
The DBMS must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.
All audit records must identify any users associated with the event within the container platform.
All audit records must identify any containers associated with the event within the container platform.
The EDB Postgres Advanced Server must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.
The operating system must produce audit records containing information to establish the identity of any individual or process associated with the event.
AIX must produce audit records containing information to establish the source and the identity of any individual or process associated with an event.
IBM z/OS Required SMF data record types must be collected.
The IBM RACF REALDSN SETROPTS value must be specified.
IBM z/OS required SMF data record types must be collected.
The ICS must be configured to generate log records containing sufficient information about where, when, identity, source, or outcome of the events.
The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.
The Juniper EX switch must be configured to generate audit records containing information that establishes the identity of any individual or process associated with the event.
Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event.
MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.
The IIS 10.0 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
The IIS 10.0 web server must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
OL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
The Oracle Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users.
Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.
All audit records must identify any containers associated with the event within Rancher RKE2.
All audit records must generate the event results within OpenShift.
The Automation Controller must generate the appropriate log records.
SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
RHEL 9 audit package must be installed.
RHEL 9 audit service must be enabled.
RHEL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event.
The audit system must produce records containing sufficient information to establish the identity of any user/subject associated with the event.
The VMM must produce audit records containing information to establish the identity of any individual or process associated with the event.
VAMI must produce log records containing sufficient information to establish what type of events occurred.
Performance Charts must record user access in a format that enables monitoring of remote access.
ESX Agent Manager must record user access in a format that enables monitoring of remote access.
Lookup Service must record user access in a format that enables monitoring of remote access.
The Photon operating system must have the auditd service running.
The vCenter ESX Agent Manager service must produce log records containing sufficient information regarding event details.
VMware Postgres log files must contain required fields.
The Security Token Service must record user access in a format that enables monitoring of remote access.
The vCenter Lookup service must produce log records containing sufficient information regarding event details.
vSphere UI must record user access in a format that enables monitoring of remote access.
The vCenter Perfcharts service must produce log records containing sufficient information regarding event details.
The Photon operating system must enable the auditd service.
The vCenter PostgreSQL service must produce logs containing sufficient information to establish what type of events occurred.
The vCenter STS service must produce log records containing sufficient information regarding event details.
The vCenter UI service must produce log records containing sufficient information regarding event details.
The vCenter VAMI service must produce log records containing sufficient information to establish what type of events occurred.
The web server must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
The EDB Postgres Advanced Server must generate audit records for DoD-defined auditable events.
The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing the identity of all users.
The F5 BIG-IP appliance must generate event log records that can be forwarded to the centralized events log.
The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing the identity of the users and identifiers associated with the session.
The F5 BIG-IP appliance must be configured to audit the execution of privileged functions such as accounts additions and changes.
MongoDB must provide audit record generation for DOD-defined auditable events within all DBMS/database components.
The OL 8 audit package must be installed.
SLEM 5 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
The TippingPoint SMS must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).