CCI-001914
Provide the capability for organization-defined individuals or roles to change the logging to be performed on organization-defined system components based on organization-defined selectable event criteria within organization-defined time thresholds.
1
Rule
Severity: High
Enable audit Service
29
Rule
Severity: Medium
Ensure the audit Subsystem is Installed
30
Rule
Severity: Medium
Enable auditd Service
3
Rule
Severity: Medium
Ensure the audit-libs package as a part of audit Subsystem is Installed
15
Rule
Severity: Medium
Record Events When Privileged Executables Are Run
2
Rule
Severity: Medium
Ensure the libaudit1 package as a part of audit Subsystem is Installed
2
Rule
Severity: Low
A BIND 9.x server implementation must be configured to allow DNS administrators to audit all DNS server components, based on selectable event criteria, and produce audit records within all DNS server components that contain information for failed security verification tests, information to establish the outcome and source of the events, any information necessary to determine cause of failure, and any information necessary to return to operations with least disruption to mission processes.
2
Rule
Severity: Low
The System Administrator (SA) and Information System Security Manager (ISSM) must configure the retention of the log records based on criticality level, event type, and/or retention period, at a minimum.
2
Rule
Severity: Low
The Central Log Server must be configured so changes made to the level and type of log records stored in the centralized repository must take effect immediately without the need to reboot or restart the application.
1
Rule
Severity: Low
The DBN-6300 must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near real time.
1
Rule
Severity: Medium
CounterACT must restrict the ability to change the auditing to be performed within the system log based on selectable event criteria to the audit administrators role or to other roles or individuals.
1
Rule
Severity: Medium
The HYCU server must initiate session auditing upon startup and produce audit log records containing sufficient information to establish what type of event occurred.
1
Rule
Severity: Medium
The DataPower Gateway must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real-time.
2
Rule
Severity: Low
The System Administrator (SA) and Information System Security Officer (ISSO) must configure the retention of the log records based on the defined security plan.
1
Rule
Severity: Medium
The macOS system must initiate session audits at system startup, using internal clocks with time stamps for audit records that meet a minimum granularity of one second and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), in order to generate audit records containing information to establish what type of events occurred, the identity of any individual or process associated with the event, including individual identities of group account users, establish where the events occurred, source of the event, and outcome of the events including all account enabling actions, full-text recording of privileged commands, and information about the use of encryption for access wireless access to and from the system.
3
Rule
Severity: Medium
The macOS system must produce audit records containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions.
3
Rule
Severity: Medium
The macOS system must enable security auditing.
3
Rule
Severity: Medium
The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time.
2
Rule
Severity: Medium
PostgreSQL must provide the means for individuals in authorized roles to change the auditing to be performed on all application components, based on all selectable event criteria within organization-defined time thresholds.
2
Rule
Severity: Medium
The operating system must provide the capability for assigned IMOs/ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time.
2
Rule
Severity: Medium
AIX must provide the function for assigned ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time.
6
Rule
Severity: High
IBM z/OS SYS1.PARMLIB must be properly protected.
4
Rule
Severity: Medium
The Manage auditing and security log user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
The system must be configured to audit Account Management - Security Group Management successes.
2
Rule
Severity: Medium
Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2022 manage auditing and security log user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
OL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
4
Rule
Severity: Medium
The SUSE operating system must have the auditing package installed.
4
Rule
Severity: Low
The SUSE operating system must generate audit records for all uses of the privileged functions.
2
Rule
Severity: Medium
RHEL 9 audit package must be installed.
2
Rule
Severity: Medium
RHEL 9 audit service must be enabled.
2
Rule
Severity: Low
The System Administrator (SA) and Information System Security Manager (ISSM) must configure the retention of the log records based on the defined security plan.
2
Rule
Severity: Medium
The VMM must provide the capability for assigned IMOs/ISSOs or designated SAs to change the auditing to be performed on all VMM components, based on all selectable event criteria in near real time.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must have the "auditd" package installed.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time.
1
Rule
Severity: Medium
The OL 8 audit package must be installed.
1
Rule
Severity: Medium
SLEM 5 must have the auditing package installed.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of privileged functions.