CCI-002132

Record Events that Modify User/Group Information - /etc/group

Record Events that Modify User/Group Information - /etc/gshadow

Record Events that Modify User/Group Information - /etc/security/opasswd

Record Events that Modify User/Group Information - /etc/passwd

Record Events that Modify User/Group Information - /etc/shadow

Ensure auditd Collects System Administrator Actions - /etc/sudoers

Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/

The A10 Networks ADC must notify System Administrators (SAs) and Information System Security Officers (ISSMs) when accounts are created, or enabled when previously disabled.

AAA Services must be configured to notify system administrators and ISSO of account enabling actions.

Compliance Guardian must provide automated mechanisms for supporting account management functions.

The Akamai Luna Portal must notify the SAs and ISSO when accounts are created, or enabled when previously disabled.

The application must notify System Administrators and Information System Security Officers of account enabling actions.

The CA API Gateway must notify System Administrators (SAs) and Information System Security Officers (ISSMs) when accounts are created, or enabled when previously disabled.

The HP FlexFabric Switch must generate an immediate alert for account enabling actions.

The DataPower Gateway must generate an immediate alert for account enabling actions.

The MQ Appliance network device must generate account activity alerts that are forwarded to the administrators and Information System Security Officer (ISSO). Activity includes, creation, removal, modification and re-enablement after being previously disabled.

The Juniper SRX Services Gateway must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management.

The Mainframe Product must notify system programmers and security administrators of account enabling actions.

Innoslate must use multifactor authentication for network access to privileged and non-privileged accounts.

Tanium must notify the SA and ISSO of account enabling actions.

Tanium must notify the system administrator and information system security officer (ISSO) of account enabling actions.

The Tanium application must notify SA and ISSO of account enabling actions.

Tanium must notify system administrator and ISSO of account enabling actions.

Tanium must audit and notify system administrators and ISSOs when accounts are enabled.

The UEM server must notify system administrator and Information System Security Officer (ISSO) of account enabling actions.

The container platform must notify system administrator and ISSO of account enabling actions.

The operating system must notify system administrators and ISSOs of account enabling actions.

AIX must provide audit record generation functionality for DoD-defined auditable events.

IBM z/OS system administrator must develop a procedure to notify system administrators and ISSOs of account enabling actions.

The IBM z/OS System Administrator (SA) must develop a process to notify Information System Security Officers (ISSOs) of account enabling actions.

IBM z/OS system administrator must develop a procedure to notify System Administrators and ISSOs of account enabling actions.

OL 8 must generate audit records for all account creation events that affect "/etc/shadow".

OL 8 must generate audit records for all account creation events that affect "/etc/security/opasswd".

OL 8 must generate audit records for all account creation events that affect "/etc/passwd".

OL 8 must generate audit records for all account creation events that affect "/etc/gshadow".

OL 8 must generate audit records for all account creation events that affect "/etc/group".

OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".

OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/".

OpenShift must generate audit rules to capture account related actions.

The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

The VMM must notify the system administrator and ISSO of account enabling actions.

The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action.

The BIG-IP appliance must be configured to generate an immediate alert for account-enabling actions.

The application must notify system administrators (SAs) and information system security officers (ISSOs) of account enabling actions.

MKE must be configured to integrate with an Enterprise Identity Provider.

SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

Tanium must audit and notify system administrators (SAs) and information system security officers (ISSOs) when accounts are enabled.

Tanium must notify the system administrator (SA) and information system security officer (ISSO) of account enabling actions.