Capacity
CCI-002884
Log organization-defined audit events for nonlocal maintenance and diagnostic sessions.
29
Rule
Severity: Medium
Ensure the audit Subsystem is Installed
30
Rule
Severity: Medium
Enable auditd Service
29
Rule
Severity: Medium
Ensure auditd Collects Information on Exporting to Media (successful)
29
Rule
Severity: Medium
Ensure auditd Collects System Administrator Actions
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - chmod
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - chown
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fchmod
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fchmodat
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fchown
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fchownat
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - lchown
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - removexattr
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - setxattr
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - umount
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - umount2
23
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - rename
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - renameat
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - rmdir
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - unlink
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - unlinkat
23
Rule
Severity: Medium
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
23
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - creat
23
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - ftruncate
23
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - open
24
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - open_by_handle_at
23
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - openat
23
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - truncate
22
Rule
Severity: Medium
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
23
Rule
Severity: Medium
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
22
Rule
Severity: Medium
Ensure auditd Collects Information on Kernel Module Loading - init_module
3
Rule
Severity: Medium
Ensure the audit-libs package as a part of audit Subsystem is Installed
19
Rule
Severity: Low
Enable Auditing for Processes Which Start Prior to the Audit Daemon
17
Rule
Severity: Low
Extend Audit Backlog Limit for the Audit Daemon
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/group
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/gshadow
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/security/opasswd
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/passwd
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/shadow
17
Rule
Severity: Medium
Record Any Attempts to Run chcon
14
Rule
Severity: Medium
Record Any Attempts to Run restorecon
14
Rule
Severity: Medium
Record Any Attempts to Run semanage
13
Rule
Severity: Medium
Record Any Attempts to Run setfiles
14
Rule
Severity: Medium
Record Any Attempts to Run setsebool
11
Rule
Severity: Medium
Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT
11
Rule
Severity: Medium
Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE
11
Rule
Severity: Medium
Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly
11
Rule
Severity: Medium
Record Unsuccessful Creation Attempts to Files - open O_CREAT
11
Rule
Severity: Medium
Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
11
Rule
Severity: Medium
Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly
11
Rule
Severity: Medium
Record Unsuccessful Creation Attempts to Files - openat O_CREAT
11
Rule
Severity: Medium
Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE
11
Rule
Severity: Medium
Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly
14
Rule
Severity: Medium
Record Unsuccessful Delete Attempts to Files - rename
14
Rule
Severity: Medium
Record Unsuccessful Delete Attempts to Files - renameat
14
Rule
Severity: Medium
Record Unsuccessful Delete Attempts to Files - unlink
14
Rule
Severity: Medium
Record Unsuccessful Delete Attempts to Files - unlinkat
18
Rule
Severity: Medium
Record Attempts to Alter Logon and Logout Events
20
Rule
Severity: Medium
Record Attempts to Alter Logon and Logout Events - faillock
23
Rule
Severity: Medium
Record Attempts to Alter Logon and Logout Events - lastlog
21
Rule
Severity: Medium
Record Attempts to Alter Logon and Logout Events - tallylog
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - chage
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - chsh
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - crontab
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
9
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - insmod
14
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - kmod
9
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - modprobe
16
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - mount
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - passwd
16
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
16
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
11
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown
9
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - rmmod
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - su
18
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - sudo
16
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - umount
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
14
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
8
Rule
Severity: Medium
Ensure auditd Collects System Administrator Actions - /etc/sudoers
7
Rule
Severity: Medium
Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
14
Rule
Severity: Medium
Record Attempts to perform maintenance activities
14
Rule
Severity: Medium
Record Any Attempts to Run chacl
11
Rule
Severity: Medium
Record Any Attempts to Run setfacl
11
Rule
Severity: Medium
Record Any Attempts to Run ssh-agent
8
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - unix_update
14
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - usermod
2
Rule
Severity: Medium
Ensure the libaudit1 package as a part of audit Subsystem is Installed
2
Rule
Severity: Medium
Record Any Attempts to Run chmod
2
Rule
Severity: Medium
Record Any Attempts to Run rm
4
Rule
Severity: Medium
Record Attempts to Alter Logon and Logout Events - faillog
4
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - chfn
2
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - passmass
1
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - unix2_chkpwd
2
Rule
Severity: Medium
Applications used for non-local maintenance sessions must audit non-local maintenance and diagnostic sessions for organization-defined auditable events.
2
Rule
Severity: Medium
Mainframe Products must audit nonlocal maintenance and diagnostic sessions audit events as defined in site security plan.
1
Rule
Severity: Medium
Nutanix AOS must audit all activities performed during nonlocal maintenance and diagnostic sessions.
2
Rule
Severity: Medium
Prisma Cloud Compute must be configured for forensic data collection.
1
Rule
Severity: Medium
The macOS system must generate audit records for all account creations, modifications, disabling, and termination events; privileged activities or other system-level access; all kernel module load, unload, and restart actions; all program initiations; and organizationally defined events for all non-local maintenance and diagnostic sessions.
3
Rule
Severity: Medium
The macOS system must generate audit records for all account creations, modifications, disabling, and termination events; privileged activities or other system-level access; all kernel module load, unload, and restart actions; all program initiations; and organizationally defined events for all nonlocal maintenance and diagnostic sessions.
3
Rule
Severity: Medium
The macOS system must be configured to audit all administrative action events.
2
Rule
Severity: Medium
The macOS system must be configured to audit all log on and log out events.
3
Rule
Severity: Medium
The macOS system must enable security auditing.
3
Rule
Severity: Medium
The macOS system must be configured to audit all deletions of object attributes.
3
Rule
Severity: Medium
The macOS system must be configured to audit all changes of object attributes.
1
Rule
Severity: Medium
The macOS system must configure system to audit all authorization and authentication events.
1
Rule
Severity: Medium
The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time.
2
Rule
Severity: Medium
The Ubuntu operating system must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions and other system-level access.
2
Rule
Severity: Medium
The container platform must audit non-local maintenance and diagnostic sessions' organization-defined audit events associated with non-local maintenance.
2
Rule
Severity: Medium
The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions.
2
Rule
Severity: Low
SSMC must provide audit record generation capability for DOD-defined auditable events for all operating system components.
2
Rule
Severity: Medium
AIX must provide audit record generation functionality for DoD-defined auditable events.
4
Rule
Severity: Medium
IBM z/OS SMF recording options for the FTP Server must be configured to write SMF records for all eligible events.
2
Rule
Severity: Medium
IBM z/OS Required SMF data record types must be collected.
6
Rule
Severity: Medium
IBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events.
4
Rule
Severity: Medium
IBM z/OS SMF recording options for the TN3270 Telnet Server must be properly specified.
2
Rule
Severity: Medium
IBM RACF SETROPTS LOGOPTIONS must be properly configured.
2
Rule
Severity: Medium
IBM z/OS SMF recording options for the FTP server must be configured to write SMF records for all eligible events.
4
Rule
Severity: Medium
IBM z/OS required SMF data record types must be collected.
2
Rule
Severity: Medium
IBM z/OS SMF recording options for the TN3270 Telnet server must be properly specified.
2
Rule
Severity: Medium
OL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
2
Rule
Severity: Medium
The Oracle Linux operating system must audit all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls.
2
Rule
Severity: Medium
The Oracle Linux operating system must audit all uses of the semanage command.
2
Rule
Severity: Medium
The Oracle Linux operating system must audit all uses of the setsebool command.
2
Rule
Severity: Medium
The Oracle Linux operating system must audit all uses of the chcon command.
2
Rule
Severity: Medium
The Oracle Linux operating system must audit all uses of the setfiles command.
2
Rule
Severity: Medium
The Oracle Linux operating system must generate audit records for all unsuccessful account access events.
2
Rule
Severity: Medium
The Oracle Linux operating system must generate audit records for all successful account access events.
2
Rule
Severity: Medium
The Oracle Linux operating system must audit all uses of the mount command and syscall.
2
Rule
Severity: Medium
The Oracle Linux operating system must audit all uses of the unlink, unlinkat, rename, renameat, and rmdir syscalls.
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creation events that affect "/etc/shadow".
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creation events that affect "/etc/security/opasswd".
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creation events that affect "/etc/passwd".
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creation events that affect "/etc/gshadow".
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creation events that affect "/etc/group".
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".
2
Rule
Severity: Medium
OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/".
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "su" command.
2
Rule
Severity: Medium
The OL 8 audit system must be configured to audit any use of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "chage" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any uses of the "chcon" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "ssh-agent" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "passwd" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "mount" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "umount" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "mount" syscall.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "unix_update" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "postdrop" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "postqueue" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "setsebool" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "unix_chkpwd" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "ssh-keysign" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "setfacl" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "pam_timestamp_check" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "newgrp" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "init_module" and "finit_module" system calls.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "gpasswd" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the delete_module syscall.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "crontab" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "chsh" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "chown", "fchown", "fchownat", and "lchown" system calls.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "chmod", "fchmod", and "fchmodat" system calls.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "sudo" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "usermod" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "chacl" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any use of the "kmod" command.
2
Rule
Severity: Medium
OL 8 must generate audit records for any attempted modifications to the "faillock" log file.
2
Rule
Severity: Medium
OL 8 must generate audit records for any attempted modifications to the "lastlog" file.
2
Rule
Severity: Medium
OL 8 must enable auditing of processes that start prior to the audit daemon.
2
Rule
Severity: Low
OL 8 must allocate an "audit_backlog_limit" of sufficient size to capture processes that start prior to the audit daemon.
2
Rule
Severity: Medium
Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.
2
Rule
Severity: Medium
All audit records must identify what type of event has occurred within OpenShift.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the chcon command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the chage command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the su command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the chsh command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the umount command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must audit all uses of the unlink, unlinkat, rename, renameat, and rmdir syscalls.
2
Rule
Severity: Low
RHEL 9 must enable auditing of processes that start prior to the audit daemon.
4
Rule
Severity: Medium
SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
4
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the su command.
4
Rule
Severity: Low
The SUSE operating system must generate audit records for all uses of the sudo command.
4
Rule
Severity: Low
The SUSE operating system must generate audit records for all uses of the chfn command.
2
Rule
Severity: Low
The SUSE operating system must generate audit records for all uses of the mount command.
2
Rule
Severity: Low
The SUSE operating system must generate audit records for all uses of the umount command.
4
Rule
Severity: Low
The SUSE operating system must generate audit records for all uses of the ssh-agent command.
4
Rule
Severity: Low
The SUSE operating system must generate audit records for all uses of the ssh-keysign command.
4
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the kmod command.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr syscalls.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown syscalls.
4
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmodat system calls.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls.
2
Rule
Severity: Low
The SUSE operating system must generate audit records for all uses of the passwd command.
4
Rule
Severity: Low
The SUSE operating system must generate audit records for all uses of the gpasswd command.
4
Rule
Severity: Low
The SUSE operating system must generate audit records for all uses of the newgrp command.
4
Rule
Severity: Low
The SUSE operating system must generate audit records for a uses of the chsh command.
4
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the chmod command.
4
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the setfacl command.
4
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the chacl command.
2
Rule
Severity: Medium
Successful/unsuccessful attempts to modify categories of information (e.g., classification levels) must generate audit records.
4
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the rm command.
4
Rule
Severity: Medium
The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record.
4
Rule
Severity: Medium
The SUSE operating system must generate audit records for all modifications to the lastlog file.
4
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the passmass command.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the unix_chkpwd command.
4
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the chage command.
4
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the usermod command.
4
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the crontab command.
4
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the delete_module command.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the init_module and finit_module syscalls.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all modifications to the faillog file.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the unlink, unlinkat, rename, renameat and rmdir syscalls.
2
Rule
Severity: Medium
RHEL 9 audit package must be installed.
2
Rule
Severity: Medium
RHEL 9 audit service must be enabled.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of umount system calls.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the chacl command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the setfacl command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the chcon command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the semanage command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the setfiles command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the setsebool command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the delete_module system call.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the init_module and finit_module system calls.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the chage command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the chsh command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the crontab command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the gpasswd command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the kmod command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the newgrp command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the pam_timestamp_check command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the passwd command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the postdrop command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the postqueue command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the ssh-agent command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the ssh-keysign command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the su command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the sudo command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the sudoedit command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the unix_chkpwd command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the unix_update command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the userhelper command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the usermod command.
2
Rule
Severity: Medium
RHEL 9 must audit all uses of the mount command.
2
Rule
Severity: Medium
Successful/unsuccessful uses of the umount system call in RHEL 9 must generate an audit record.
2
Rule
Severity: Medium
Successful/unsuccessful uses of the umount2 system call in RHEL 9 must generate an audit record.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.
2
Rule
Severity: Medium
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the passwd command.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the unix_chkpwd or unix2_chkpwd commands.
2
Rule
Severity: Medium
The SUSE operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown system calls.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the sudoedit command.
2
Rule
Severity: Low
The SUSE operating system must generate audit records for all uses of the mount system call.
2
Rule
Severity: Low
The SUSE operating system must generate audit records for all uses of the umount system call.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the insmod command.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the rmmod command.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the modprobe command.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the chcon command.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the delete_module system call.
2
Rule
Severity: Medium
The SUSE operating system must generate audit records for all uses of the init_module and finit_module system calls.
1
Rule
Severity: Medium
The Photon operating system must generate audit records when successful/unsuccessful attempts to access privileges occur.
1
Rule
Severity: Medium
The macOS system must configure the system to audit all authorization and authentication events.
1
Rule
Severity: Medium
The macOS system must be configured to audit all login and logout events.
1
Rule
Severity: Medium
The macOS system must be configured to audit all failed read actions on the system.
1
Rule
Severity: Medium
The macOS system must be configured to audit all failed write actions on the system.
1
Rule
Severity: Medium
The macOS system must be configured to audit all authorization and authentication events.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions and other system-level access.
1
Rule
Severity: Medium
The OL 8 audit package must be installed.
1
Rule
Severity: Medium
SLEM 5 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "chage" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "chcon" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "chfn" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "chmod" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for a uses of the "chsh" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "crontab" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "gpasswd" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "insmod" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "kmod" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "modprobe" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "newgrp" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "pam_timestamp_check" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "passwd" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "rm" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "rmmod" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "ssh-agent" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "ssh-keysign" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "su" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "sudo" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "sudoedit" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "unix_chkpwd" or "unix2_chkpwd" commands.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "usermod" command.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "chmod", "fchmod" and "fchmodat" system calls.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "chown", "fchown", "fchownat", and "lchown" system calls.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "delete_module" system call.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "init_module" and "finit_module" system calls.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "mount" system call.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all uses of the "umount" system call.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all modifications to the "lastlog" file.
1
Rule
Severity: Medium
SLEM 5 must generate audit records for all modifications to the "tallylog" file must generate an audit record.
1
Rule
Severity: Medium
SLEM 5 must audit all uses of the sudoers file and all files in the "/etc/sudoers.d/" directory.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "chage" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "chcon" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the ssh-agent in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "passwd" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of postdrop in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of postqueue in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of setsebool in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the ssh-keysign in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "setfacl" command in RTOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "pam_timestamp_check" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "newgrp" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "init_module" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "rename" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "renameat" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "rmdir" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "unlink" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "unlinkat" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "finit_module" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "delete_module" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "crontab" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "chsh" command in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of setfiles in TOSS must generate an audit record.
1
Rule
Severity: Medium
Successful/unsuccessful uses of the "chacl" command in TOSS must generate an audit record.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules