CCI-001858

Provide an alert in an organization-defined real-time-period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

2 rules found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

CCI-001858

The A10 Networks ADC must send Emergency messages to the Console, Syslog, and Monitor.

Log aggregation/SIEM systems must be configured to notify SA and ISSO on Docker Engine - Enterprise audit failure events.

The FortiGate device must generate an immediate real-time alert of all audit failure events requiring real-time alerts.

If communication with the central audit server is lost, the FortiGate firewall must generate a real-time alert to, at a minimum, the SCA and ISSO.

The HP FlexFabric Switch must generate an immediate real-time alert of all audit failure events requiring real-time alerts.

SNMP must be changed from default settings and must be configured on the storage system to provide alerts of critical events that impact system security.

The HYCU Web UI must generate an immediate real-time alert of all audit failure events requiring real-time alerts.

The DataPower Gateway must generate an immediate real-time alert of all audit failure events.

The DataPower Gateway must provide an immediate real-time alert to, at a minimum, the SCA and ISSO, of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server.

The MQ Appliance messaging server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.

DB2 must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts.

The WebSphere Application Server must provide an immediate real-time alert to authorized users of all log failure events requiring real-time alerts.

The MQ Appliance network device must generate an immediate alert when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.

MobileIron Sentry must generate an immediate real-time alert of all audit failure events requiring real-time alerts.

SQL Server or software monitoring SQL Server must provide an immediate real-time alert to appropriate support staff of all audit log failures.

Nutanix AOS must provide an immediate warning to the SA and ISSO, at a minimum, when allocated log record storage volume reaches 75 percent of maximum log record storage capacity.

Riverbed Optimization System (RiOS) must generate an email alert of all log failure events requiring alerts.

Symantec ProxySG must provide an alert to, at a minimum, the SCA and ISSO of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server.

A Tanium connector must be configured to send log data to an external audit log reduction-capable system and provide alerts.

Symantec ProxySG must generate an alert to the console when a log processing failure is detected such as loss of communications with the Central Log Server or log records are no longer being sent.

The Tanium enterprise audit log reduction option must be configured to provide alerts based off Tanium audit data.

The Tanium application must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.

The Tanium operating system (TanOS) must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.

The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.

MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.

The DBMS must provide a real-time alert when organization-defined audit failure events occur.

PostgreSQL must provide an immediate real-time alert to appropriate support staff of all audit log failures.

The EDB Postgres Advanced Server must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts.

The Arista network device must be configured to capture all DOD auditable events.

PostgreSQL must provide an immediate alert to appropriate support staff of all audit log failures.

The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost.

The Cisco ASA must be configured to generate an immediate real-time alert of all audit failure events requiring real-time alerts.

The Cisco ASA must be configured to generate an alert that can be forwarded as an alert to organization-defined personnel and/or firewall administrator of all log failure events.

The Cisco switch must be configured to generate an alert for all audit failure events.

The Cisco router must be configured to generate an alert for all audit failure events.

The Cisco ISE must send an alarm to one or more individuals when the monitoring collector process has an error or failure.

The Cisco ISE must generate a critical alert to be sent to the ISSO and SA (at a minimum) in the event of an audit processing failure. This is required for compliance with C2C Step 1.

The Cisco ISE must provide an alert to, at a minimum, the SA and ISSO of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server. This is required for compliance with C2C Step 1.

The EDB Postgres Advanced Server must provide an immediate real-time alert to appropriate support staff of all audit log failures.

The F5 BIG-IP appliance must generate audit records and send records to redundant central syslog servers that are separate from the appliance.

The HPE 3PAR OS must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.

The ICS must be configured to send admin log data to a redundant central log server.

The ICS must be configured to forward all log failure events where the detection and/or prevention function is unable to write events to local log record or send an SNMP trap that can be forwarded to the SCA and ISSO.

Sentry must generate an immediate real-time alert of all audit failure events requiring real-time alerts.

The Juniper EX switch must be configured to generate an immediate real-time alert of all audit failure events requiring real-time alerts.

MarkLogic Server must provide an immediate real-time alert to appropriate support staff of all audit failures.

MongoDB must provide an immediate real-time alert to appropriate support staff of all audit log failures.

The network device must generate an immediate real-time alert of all audit failure events requiring real-time alerts.

ONTAP must have audit guarantee enabled.

The MySQL Database Server 8.0 must provide an immediate real-time alert to appropriate support staff of all audit log failures.

Redis Enterprise DBMS must provide an immediate real-time alert to appropriate support staff of all audit log failures.

Rancher MCM must allocate audit record storage and generate audit records associated with events, users, and groups.

Splunk Enterprise must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) of all audit failure events, such as loss of communications with hosts and devices, or if log records are no longer being received.

The Tanium application must provide an immediate real-time alert to the system administrator and information system security officer, at a minimum, of all audit failure events requiring real-time alerts.

The Trend Micro SMS must generate an alert for all audit failure events requiring real-time alerts.

NixOS must enable the audit daemon.

The macOS system must configure audit failure notification.

The application server must provide an immediate real-time alert to authorized users of all log failure events requiring real-time alerts.

The ALG must provide an immediate real-time alert to, at a minimum, the SCA and ISSO, of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server.

Applications categorized as having a moderate or high impact must provide an immediate real-time alert to the SA and ISSO (at a minimum) for all audit failure events.

The container platform must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.

The DBMS must provide an immediate real-time alert to appropriate support staff of all audit log failures.

If communication with the central audit server is lost, the firewall must generate a real-time alert to, at a minimum, the SCA and ISSO.

The Dell OS10 Switch must generate an immediate real-time alert of all audit failure events requiring real-time alerts.

Forescout must generate a critical alert to be sent to the Information System Security Officer (ISSO) and Systems Administrator (SA) (at a minimum) in the event of an audit processing failure. This is required for compliance with C2C Step 1.

AOS must generate an immediate real-time alert of all audit failure events requiring real-time alerts.

The HYCU virtual appliance must generate an immediate real-time alert of all audit failure events requiring real-time alerts.

The operating system must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.

The IDPS must provide an alert to, at a minimum, the system administrator and ISSO when any audit failure events occur.

The IDPS must assign a critical severity level to all audit processing failures.

IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set.

The Juniper router must be configured to generate an alert for all audit failure events.

The Juniper SRX Services Gateway must generate an immediate system alert message to the management console when a log processing failure is detected.

The Mainframe Product must provide an immediate real-time alert to the operations staff, system programmers, and/or security administrators, at a minimum, of all audit failure events requiring real-time alerts.

MariaDB must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts.

SQL Server must provide an immediate real-time alert to appropriate support staff of all audit log failures.

The system must provide a real-time alert when organization-defined audit failure events occur.

OpenShift must configure Alert Manger Receivers to notify SA and ISSO of all audit failure events requiring real-time alerts.

The Palo Alto Networks security platform must have alarms enabled.