CCI-003938

AAA Services must be configured to automatically generate audit records of the enforcement actions.

AccessLogValve must be configured for Catalina engine.

The macOS system must be configured to audit all administrative action events.

The macOS system must enable security auditing.

The macOS system must be configured to audit all deletions of object attributes.

The macOS system must be configured to audit all changes of object attributes.

The macOS system must be configured to audit all failed program execution on the system.

The macOS system must configure the system to audit all authorization and authentication events.

The macOS system must be configured to audit all failed read actions on the system.

The macOS system must be configured to audit all failed write actions on the system.

The macOS system must be configured to audit all authorization and authentication events.

The application server must log the enforcement actions used to restrict access associated with changes to the application server.

The application must audit who makes configuration changes to the application.

PostgreSQL must produce audit records of its enforcement of access restrictions associated with changes to the configuration of PostgreSQL or database(s).

Ubuntu 22.04 LTS must have the "auditd" package installed.

Ubuntu 22.04 LTS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time.

The Central Log Server must automatically generate audit records of the enforcement actions.

The container platform must enforce access restrictions and support auditing of the enforcement actions.

The DBMS must produce audit records of its enforcement of access restrictions associated with changes to the configuration of the DBMS or database(s).

The DNS server implementation must automatically generate audit records of the enforcement actions.

The EDB Postgres Advanced Server must produce audit records of its enforcement of access restrictions associated with changes to the configuration of the EDB Postgres Advanced Server or database(s).

Forescout must audit the enforcement actions used to restrict access associated with changes to the device.

The operating system must audit the enforcement actions used to restrict access associated with changes to the system.

AIX must disable Kerberos Authentication in ssh config file to enforce access restrictions.

AIX must be configured to use syslogd to log events by TCPD.

AIX must disable trivial file transfer protocol.

IBM z/OS Required SMF data record types must be collected.

IBM z/OS required SMF data record types must be collected.

The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.

The Mainframe Product must audit the enforcement actions used to restrict access associated with changes to the application.

MariaDB must produce audit records of its enforcement of access restrictions associated with changes to the configuration of the DBMS or database(s).

MKE must be configured to integrate with an Enterprise Identity Provider.

MarkLogic Server must produce audit records of its enforcement of access restrictions associated with changes to the configuration of the DBMS or database(s).

Azure SQL Database must produce audit records of its enforcement of access restrictions associated with changes to the configuration of Azure SQL Database(s).

The Exchange local machine policy must require signed scripts.

Exchange software must be monitored for unauthorized changes.

SQL Server must produce audit records of its enforcement of access restrictions associated with changes to the configuration of SQL Server or database(s).

The system must be configured to audit Detailed Tracking - PNP Activity successes.

The system must be configured to audit Detailed Tracking - Process Creation successes.

The network device must audit the enforcement actions used to restrict access associated with changes to the device.

The Oracle Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users.

The OL 8 audit package must be installed.

OL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

The MySQL Database Server 8.0 must produce audit records of its enforcement of access restrictions associated with changes to the configuration of the MySQL Database Server 8.0 or database(s).

The Riverbed NetProfiler must be configured to automatically generate DOD-required audit records with sufficient information to support incident reporting to a central log server.

Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.

OpenShift must enforce access restrictions and support auditing of the enforcement actions.

RHEL 9 audit package must be installed.

RHEL 9 audit service must be enabled.

The SDN controller must be configured to audit the enforcement actions used to restrict access associated with changes to any application within the SDN framework.

The SUSE operating system must have the auditing package installed.

The SUSE operating system must generate audit records for all uses of the privileged functions.

The access to the Tanium SQL database must be restricted. Only the designated database administrator(s) can have elevated privileges to the Tanium SQL database.

The Tanium Server installer's account database permissions must be reduced to an appropriate level.

The TippingPoint SMS must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).

TOSS audit records must contain information to establish what type of events occurred, when the events occurred, the source of events, where events occurred, and the outcome of events.

The VMM must audit the enforcement actions used to restrict access associated with changes to the system.

The web server must automatically generate audit records of the enforcement actions.

The Photon operating system must enable the auditd service.

The vCenter PostgreSQL service must have log collection enabled.

The UEM server must audit the enforcement actions used to restrict access associated with changes to the application.