CCI-002130

1 rule found Severity: High

29 rules found Severity: Medium

26 rules found Severity: Medium

25 rules found Severity: Medium

26 rules found Severity: Medium

11 rules found Severity: Medium

10 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

The macOS system must initiate session audits at system startup, using internal clocks with time stamps for audit records that meet a minimum granularity of one second and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), in order to generate audit records containing information to establish what type of events occurred, the identity of any individual or process associated with the event, including individual identities of group account users, establish where the events occurred, source of the event, and outcome of the events including all account enabling actions, full-text recording of privileged commands, and information about the use of encryption for access wireless access to and from the system.

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

3 rules found Severity: Medium

Enable audit Service

Record Events that Modify User/Group Information

Record Events that Modify User/Group Information - /etc/group

Record Events that Modify User/Group Information - /etc/gshadow

Record Events that Modify User/Group Information - /etc/security/opasswd

Record Events that Modify User/Group Information - /etc/passwd

Record Events that Modify User/Group Information - /etc/shadow

Ensure auditd Collects System Administrator Actions - /etc/sudoers

Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/

Compliance Guardian must provide automated mechanisms for supporting account management functions.

The Akamai Luna Portal must automatically audit account enabling actions.

The DBN-6300 must automatically audit account enabling actions.

The HP FlexFabric Switch must automatically audit account enabling actions.

The HYCU server must initiate session auditing upon startup and produce audit log records containing sufficient information to establish what type of event occurred.

The DataPower Gateway must automatically audit account enabling actions.

The MQ Appliance network device must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

The MQ Appliance network device must generate account activity alerts that are forwarded to the administrators and Information System Security Officer (ISSO). Activity includes, creation, removal, modification and re-enablement after being previously disabled.

Nutanix AOS must audit all account actions.

Innoslate must use multifactor authentication for network access to privileged and non-privileged accounts.

The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

The BIG-IP appliance must be configured to automatically audit account-enabling actions.

The macOS system must produce audit records containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions.

The Arista network device must be configured to audit all administrator activity.

The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.

The Cisco switch must be configured to automatically audit account enabling actions.

The Cisco ISE must automatically audit account enabling actions.

The F5 BIG-IP appliance must be configured to audit the execution of privileged functions such as accounts additions and changes.

AIX must provide audit record generation functionality for DoD-defined auditable events.

The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.

MKE must be configured to integrate with an Enterprise Identity Provider.

Windows Server 2016 must be configured to audit Account Management - Security Group Management successes.

Windows Server 2016 must be configured to audit Account Management - User Account Management successes.

Windows Server 2016 must be configured to audit Account Management - User Account Management failures.

Windows Server 2016 must be configured to audit Account Management - Computer Account Management successes.

The network device must automatically audit account enabling actions.

ONTAP must automatically audit account-enabling actions.

The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

The TippingPoint SMS must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).

TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".

TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".

TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".

TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd".

TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".

TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/".

The NixOS audit package must be installed.

AAA Services must be configured to automatically audit account enabling actions.

The macOS system must enable security auditing.

The macOS system must be configured to audit all administrative action events.

The application must automatically audit account enabling actions.

The Cisco router must be configured to automatically audit account enabling actions.

Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.

Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect the files within /etc/sudoers.d/

The container platform must automatically audit account-enabling actions.

The Dell OS10 Switch must initiate session auditing upon startup.

AOS must automatically audit account creation.