CCI-001744

Implement organization-defined security responses automatically if baseline configurations are changed in an unauthorized manner.

32 rules found Severity: Medium

27 rules found Severity: Medium

18 rules found Severity: Medium

9 rules found Severity: Medium

1 rule found Severity: Medium

5 rules found Severity: Medium

4 rules found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Medium

20 rules found Severity: Medium

1 rule found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Medium

CCI-001744

Install AIDE

Configure Periodic Execution of AIDE

Configure Notification of Post-AIDE Scan Details

The mailx Package Is Installed

The DataPower Gateway must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.

Nutanix AOS must notify designated personnel if baseline configurations are changed in an unauthorized manner.

Tanium must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.

The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.

The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.

The Red Hat Enterprise Linux operating system must be configured to allow sending email notifications of configuration changes and adverse events to designated personnel.

The BIG-IP appliance must be configured to implement automated security responses if baseline configurations are changed in an unauthorized manner.

The s-nail Package Is Installed

Configure Systemd Timer Execution of AIDE

Configure AIDE To Notify Personnel if Baseline Configurations Are Altered

System files must be monitored for unauthorized changes.

The Oracle Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.

The Oracle Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.

The Oracle Linux operating system must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.

SLEM 5 must use a file integrity tool to verify correct operation of all security functions.

Advanced Intrusion Detection Environment (AIDE) must verify the baseline SLEM 5 configuration at least weekly.

The TOSS file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.

Build and Test AIDE Database

NixOS must notify designated personnel if baseline configurations are changed in an unauthorized manner.

Ubuntu 22.04 LTS must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered.

AlmaLinux OS 9 must have the s-nail package installed.

AlmaLinux OS 9 must have the Advanced Intrusion Detection Environment (AIDE) package installed.

AlmaLinux OS 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.

The operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner.

IBM Security zSecure must implement organization-defined automated security responses if baseline zSecure configurations are changed in an unauthorized manner.

IBM z/OS system administrator must develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner.

The Mainframe Product must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.

Windows Server 2019 system files must be monitored for unauthorized changes.

Windows Server 2022 system files must be monitored for unauthorized changes.

The OL 8 file integrity tool must notify the System Administrator (SA) when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.

The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.

OL 8 must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.

RHEL 9 must have the s-nail package installed.

RHEL 8 must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.

RHEL 9 must have the AIDE package installed.

RHEL 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.

Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly.

The SUSE operating system must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.

The operating system must employ automated mechanisms, per organization-defined frequency, to detect the addition of unauthorized components/devices into the operating system.

The VMM must notify designated personnel if baseline configurations are changed in an unauthorized manner.

The Photon operating system must have the auditd service running.

The vCenter server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.

vCenter must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.

The Photon operating system must enable the auditd service.

BMC CONTROL-D security exits are not installed or configured properly.

BMC CONTROL-M security exits are not installed or configured properly.

CA 1 Tape Management user exits, when in use, must be reviewed and/or approved.

The Photon operating system must configure AIDE to detect changes to baseline configurations.