CCI-002130

Enable audit Service

Record Events that Modify User/Group Information

Record Events that Modify User/Group Information - /etc/group

Record Events that Modify User/Group Information - /etc/gshadow

Record Events that Modify User/Group Information - /etc/security/opasswd

Record Events that Modify User/Group Information - /etc/passwd

Record Events that Modify User/Group Information - /etc/shadow

Ensure auditd Collects System Administrator Actions - /etc/sudoers

Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/

AAA Services must be configured to automatically audit account enabling actions.

Compliance Guardian must provide automated mechanisms for supporting account management functions.

The Akamai Luna Portal must automatically audit account enabling actions.

The Arista network device must be configured to audit all administrator activity.

The application must automatically audit account enabling actions.

The DBN-6300 must automatically audit account enabling actions.

The HP FlexFabric Switch must automatically audit account enabling actions.

The HYCU server must initiate session auditing upon startup and produce audit log records containing sufficient information to establish what type of event occurred.

The DataPower Gateway must automatically audit account enabling actions.

The MQ Appliance network device must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

The MQ Appliance network device must generate account activity alerts that are forwarded to the administrators and Information System Security Officer (ISSO). Activity includes, creation, removal, modification and re-enablement after being previously disabled.

The Juniper router must be configured to automatically audit account enabling actions.

The Juniper SRX Services Gateway must automatically generate a log event when accounts are enabled.

The Mainframe Product must automatically audit account enabling actions.

ONTAP must automatically audit account-enabling actions.

The network device must automatically audit account enabling actions.

Nutanix AOS must audit all account actions.

Innoslate must use multifactor authentication for network access to privileged and non-privileged accounts.

The TippingPoint SMS must automatically generate audit records for account changes and actions with containing information needed for analysis of the event that occurred on the SMS and TPS.

The UEM server must automatically audit account-enabling actions.

The macOS system must initiate session audits at system startup, using internal clocks with time stamps for audit records that meet a minimum granularity of one second and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), in order to generate audit records containing information to establish what type of events occurred, the identity of any individual or process associated with the event, including individual identities of group account users, establish where the events occurred, source of the event, and outcome of the events including all account enabling actions, full-text recording of privileged commands, and information about the use of encryption for access wireless access to and from the system.

The macOS system must produce audit records containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions.

The macOS system must enable security auditing.

The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.

The Cisco router must be configured to automatically audit account enabling actions.

The Cisco switch must be configured to automatically audit account enabling actions.

The Cisco ISE must automatically audit account enabling actions.

The container platform must automatically audit account-enabling actions.

The operating system must audit all account enabling actions.

AIX must provide audit record generation functionality for DoD-defined auditable events.

IBM z/OS Required SMF data record types must be collected.

IBM z/OS required SMF data record types must be collected.

The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.

The system must be configured to audit Account Management - Security Group Management successes.

The system must be configured to audit Account Management - User Account Management failures.

The system must be configured to audit Account Management - User Account Management successes.

Windows Server 2016 must be configured to audit Account Management - Security Group Management successes.

Windows Server 2016 must be configured to audit Account Management - User Account Management successes.

Windows Server 2016 must be configured to audit Account Management - User Account Management failures.

Windows Server 2016 must be configured to audit Account Management - Computer Account Management successes.

Windows Server 2019 must be configured to audit Account Management - Security Group Management successes.

Windows Server 2019 must be configured to audit Account Management - User Account Management successes.

Windows Server 2019 must be configured to audit Account Management - User Account Management failures.

Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes.

Windows Server 2022 must be configured to audit Account Management - Security Group Management successes.

Windows Server 2022 must be configured to audit Account Management - User Account Management successes.

Windows Server 2022 must be configured to audit Account Management - User Account Management failures.

Windows Server 2022 must be configured to audit Account Management - Computer Account Management successes.

The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

OL 8 must generate audit records for all account creation events that affect "/etc/shadow".

OL 8 must generate audit records for all account creation events that affect "/etc/security/opasswd".

OL 8 must generate audit records for all account creation events that affect "/etc/passwd".

OL 8 must generate audit records for all account creation events that affect "/etc/gshadow".

OL 8 must generate audit records for all account creation events that affect "/etc/group".

OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".

OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/".

Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.

OpenShift must generate audit rules to capture account related actions.

The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.

The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

The VMM must automatically audit account enabling actions.

The Photon operating system must audit all account modifications.

The BIG-IP appliance must be configured to automatically audit account-enabling actions.

The macOS system must be configured to audit all administrative action events.

Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.

Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

The F5 BIG-IP appliance must be configured to audit the execution of privileged functions such as accounts additions and changes.

MKE must be configured to integrate with an Enterprise Identity Provider.

SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

The TippingPoint SMS must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).

TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".

TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".

TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".

TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd".

TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".

TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/".