CCI-001683

Record Events that Modify User/Group Information - /etc/group

Record Events that Modify User/Group Information - /etc/gshadow

Record Events that Modify User/Group Information - /etc/security/opasswd

Record Events that Modify User/Group Information - /etc/passwd

Record Events that Modify User/Group Information - /etc/shadow

The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are created.

AAA Services must be configured to notify the system administrators and ISSO when accounts are created.

Compliance Guardian must provide automated mechanisms for supporting account management functions.

The Akamai Luna Portal must generate alerts that can be forwarded to the SAs and ISSO when accounts are created.

The application must notify System Administrators and Information System Security Officers when accounts are created.

The Central Log Server must notify system administrators and ISSO when accounts are created.

The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are created.

The MQ Appliance network device must generate account activity alerts that are forwarded to the administrators and Information System Security Officer (ISSO). Activity includes, creation, removal, modification and re-enablement after being previously disabled.

The Mainframe Product must notify system programmers and security administrators when accounts are created.

Access to Prisma Cloud Compute must be managed based on user need and least privileged  using external identity providers for authentication and grouping to role-based assignments when possible.

Riverbed Optimization System (RiOS) must generate alerts that can be forwarded to the administrators and ISSO when local accounts are created.

Innoslate must use multifactor authentication for network access to privileged and non-privileged accounts.

Splunk Enterprise must notify the System Administrator (SA) and Information System Security Officer (ISSO) when account events are received (creation, deletion, modification, disabling).

Splunk Enterprise must notify analysts of applicable events for Tier 2 CSSP and JRSS only.

Tanium must notify system administrators and ISSO when accounts are created.

Tanium must notify system administrator and information system security officer (ISSO) when accounts are created.

Tanium must notify SA and ISSO when accounts are created.

The Tanium Operating System (TanOS) must notify system administrators and ISSOs when accounts are created.

The UEM server must notify system administrators and the Information System Security Officer (ISSO) when accounts are created.

The container platform must notify system administrators and ISSO when accounts are created.

The operating system must notify system administrators and ISSOs when accounts are created.

IBM z/OS system administrator must develop a process notify appropriate personnel when accounts are created.

The IBM z/OS System Administrator (SA) must develop a process to notify appropriate personnel when accounts are created.

The IBM z/OS System Administrator must develop a process to notify appropriate personnel when accounts are created.

OpenShift must generate audit rules to capture account related actions.

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

Splunk Enterprise must notify the System Administrator (SA) and Information System Security Officer (ISSO) when account events are received (creation, deletion, modification, or disabling).

The VMM must notify system administrators and ISSOs when accounts are created.

The ESXi host must off-load logs via syslog.

The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action.

The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are created.

The application must notify system administrators (SAs) and information system security officers (ISSOs) when accounts are created.

The Dragos Platform must notify system administrators and information system security officer (ISSO) of local account activity.

MKE must be configured to integrate with an Enterprise Identity Provider.

Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.

SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

Splunk Enterprise must notify the system administrator (SA) and information system security officer (ISSO) when account events are received (creation, deletion, modification, disabling).

Splunk Enterprise must notify the system administrator (SA) and information system security officer (ISSO) when account events are received (creation, deletion, modification, or disabling).

The Tanium Operating System (TanOS) must notify system administrators (SAs) and information system security officers (ISSOs) when accounts are created.

Tanium must notify system administrator (SA) and the information system security officer (ISSO) when accounts are created.

The ESXi host must offload logs via syslog.