| APPL-14-001003 |
V1R2 |
The macOS system must enable security auditing. |
|
| SLES-12-020010 |
V2R11 |
SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. |
|
| SLES-12-020250 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the su command. |
|
| SLES-12-020260 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the sudo command. |
|
| SLES-12-020280 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the chfn command. |
|
| SLES-12-020290 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the mount command. |
|
| SLES-12-020300 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the umount command. |
|
| SLES-12-020310 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the ssh-agent command. |
|
| SLES-12-020320 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the ssh-keysign command. |
|
| SLES-12-020360 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the kmod command. |
|
| SLES-12-020370 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr syscalls. |
|
| SLES-12-020420 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown syscalls. |
|
| SLES-12-020460 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmodat system calls. |
|
| SLES-12-020490 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls. |
|
| SLES-12-020550 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the passwd command. |
|
| SLES-12-020560 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the gpasswd command. |
|
| SLES-12-020570 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the newgrp command. |
|
| SLES-12-020580 |
V2R11 |
The SUSE operating system must generate audit records for a uses of the chsh command. |
|
| SLES-12-020600 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the chmod command. |
|
| SLES-12-020610 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the setfacl command. |
|
| SLES-12-020620 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the chacl command. |
|
| SLES-12-020630 |
V2R11 |
Successful/unsuccessful attempts to modify categories of information (e.g., classification levels) must generate audit records. |
|
| SLES-12-020640 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the rm command. |
|
| SLES-12-020650 |
V2R11 |
The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record. |
|
| SLES-12-020660 |
V2R11 |
The SUSE operating system must generate audit records for all modifications to the lastlog file. |
|
| SLES-12-020670 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the passmass command. |
|
| SLES-12-020680 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the unix_chkpwd command. |
|
| SLES-12-020690 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the chage command. |
|
| SLES-12-020700 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the usermod command. |
|
| SLES-12-020710 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the crontab command. |
|
| SLES-12-020720 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command. |
|
| SLES-12-020730 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the delete_module command. |
|
| SLES-12-020740 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the init_module and finit_module syscalls. |
|
| SLES-12-020760 |
V2R11 |
The SUSE operating system must generate audit records for all modifications to the faillog file. |
|
| SLES-12-020411 |
V2R11 |
The SUSE operating system must generate audit records for all uses of the unlink, unlinkat, rename, renameat and rmdir syscalls. |
|
| SLES-15-030050 |
V1R12 |
SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. |
|
| SLES-15-030060 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the ssh-keysign command. |
|
| SLES-15-030070 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the passwd command. |
|
| SLES-15-030080 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the gpasswd command. |
|
| SLES-15-030090 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the newgrp command. |
|
| SLES-15-030100 |
V1R12 |
The SUSE operating system must generate audit records for a uses of the chsh command. |
|
| SLES-15-030110 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the unix_chkpwd or unix2_chkpwd commands. |
|
| SLES-15-030120 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the chage command. |
|
| SLES-15-030130 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the crontab command. |
|
| SLES-15-030140 |
V1R12 |
The SUSE operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory. |
|
| SLES-15-030150 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. |
|
| SLES-15-030190 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. |
|
| SLES-15-030250 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown system calls. |
|
| SLES-15-030290 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmodat system calls. |
|
| SLES-15-030330 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the sudoedit command. |
|
| SLES-15-030340 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the chfn command. |
|
| SLES-15-030350 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the mount system call. |
|
| SLES-15-030360 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the umount system call. |
|
| SLES-15-030370 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the ssh-agent command. |
|
| SLES-15-030380 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the insmod command. |
|
| SLES-15-030390 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the rmmod command. |
|
| SLES-15-030400 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the modprobe command. |
|
| SLES-15-030410 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the kmod command. |
|
| SLES-15-030420 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the chmod command. |
|
| SLES-15-030430 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the setfacl command. |
|
| SLES-15-030440 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the chacl command. |
|
| SLES-15-030450 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the chcon command. |
|
| SLES-15-030460 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the rm command. |
|
| SLES-15-030470 |
V1R12 |
The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record. |
|
| SLES-15-030480 |
V1R12 |
The SUSE operating system must generate audit records for all modifications to the lastlog file. |
|
| SLES-15-030490 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the passmass command. |
|
| SLES-15-030500 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the usermod command. |
|
| SLES-15-030510 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command. |
|
| SLES-15-030520 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the delete_module system call. |
|
| SLES-15-030530 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the init_module and finit_module system calls. |
|
| SLES-15-030550 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the su command. |
|
| SLES-15-030560 |
V1R12 |
The SUSE operating system must generate audit records for all uses of the sudo command. |
|
| WN11-AU-000550 |
V2R2 |
Windows 11 must be configured to audit Other Policy Change Events Successes. |
|
| WN11-AU-000555 |
V2R2 |
Windows 11 must be configured to audit Other Policy Change Events Failures. |
|
| WN11-AU-000560 |
V2R2 |
Windows 11 must be configured to audit other Logon/Logoff Events Successes. |
|
| WN11-AU-000565 |
V2R2 |
Windows 11 must be configured to audit other Logon/Logoff Events Failures. |
|
| WN11-AU-000570 |
V2R2 |
Windows 11 must be configured to audit Detailed File Share Failures. |
|
| WN11-AU-000575 |
V2R2 |
Windows 11 must be configured to audit MPSSVC Rule-Level Policy Change Successes. |
|
| WN11-AU-000580 |
V2R2 |
Windows 11 must be configured to audit MPSSVC Rule-Level Policy Change Failures. |
|
| WN11-AU-000585 |
V2R2 |
Windows 11 must have command line process auditing events enabled for failures. |
|
| WN10-AU-000555 |
V3R2 |
Windows 10 must be configured to audit Other Policy Change Events Failures. |
|
| WN10-AU-000560 |
V3R2 |
Windows 10 must be configured to audit other Logon/Logoff Events Successes. |
|
| WN10-AU-000565 |
V3R2 |
Windows 10 must be configured to audit other Logon/Logoff Events Failures. |
|
| WN10-AU-000570 |
V3R2 |
Windows 10 must be configured to audit Detailed File Share Failures. |
|
| WN10-AU-000575 |
V3R2 |
Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Successes. |
|
| WN10-AU-000580 |
V3R2 |
Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Failures. |
|
| WN10-AU-000585 |
V3R2 |
Windows 10 must have command line process auditing events enabled for failures. |
|
| UBTU-22-653010 |
V2R2 |
Ubuntu 22.04 LTS must have the "auditd" package installed. |
|
| UBTU-22-653015 |
V2R2 |
Ubuntu 22.04 LTS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time. |
|
| RHEL-07-030680 |
V3R6 |
The Red Hat Enterprise Linux operating system must audit all uses of the su command. |
|
| RHEL-07-030690 |
V3R6 |
The Red Hat Enterprise Linux operating system must audit all uses of the sudo command. |
|
| RHEL-07-030700 |
V3R6 |
The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory. |
|
| RHEL-07-030710 |
V3R6 |
The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command. |
|
| RHEL-07-030720 |
V3R6 |
The Red Hat Enterprise Linux operating system must audit all uses of the chsh command. |
|
| RHEL-09-212055 |
V1R3 |
RHEL 9 must enable auditing of processes that start prior to the audit daemon. |
|
| RHEL-09-654015 |
V1R3 |
RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls. |
|
| RHEL-09-654020 |
V1R3 |
RHEL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls. |
|
| RHEL-09-654025 |
V1R3 |
RHEL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. |
|
| RHEL-09-654030 |
V1R3 |
RHEL 9 must audit all uses of umount system calls. |
|
| RHEL-09-654035 |
V1R3 |
RHEL 9 must audit all uses of the chacl command. |
|
| RHEL-09-654040 |
V1R3 |
RHEL 9 must audit all uses of the setfacl command. |
|
| RHEL-09-654045 |
V1R3 |
RHEL 9 must audit all uses of the chcon command. |
|
| RHEL-09-654050 |
V1R3 |
RHEL 9 must audit all uses of the semanage command. |
|
| RHEL-09-654055 |
V1R3 |
RHEL 9 must audit all uses of the setfiles command. |
|
| RHEL-09-654060 |
V1R3 |
RHEL 9 must audit all uses of the setsebool command. |
|
| RHEL-09-654065 |
V1R3 |
RHEL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. |
|
| RHEL-09-654070 |
V1R3 |
RHEL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. |
|
| RHEL-09-654075 |
V1R3 |
RHEL 9 must audit all uses of the delete_module system call. |
|
| RHEL-09-654080 |
V1R3 |
RHEL 9 must audit all uses of the init_module and finit_module system calls. |
|
| RHEL-09-654085 |
V1R3 |
RHEL 9 must audit all uses of the chage command. |
|
| RHEL-09-654090 |
V1R3 |
RHEL 9 must audit all uses of the chsh command. |
|
| RHEL-09-654095 |
V1R3 |
RHEL 9 must audit all uses of the crontab command. |
|
| RHEL-09-654100 |
V1R3 |
RHEL 9 must audit all uses of the gpasswd command. |
|
| RHEL-09-654105 |
V1R3 |
RHEL 9 must audit all uses of the kmod command. |
|
| RHEL-09-654110 |
V1R3 |
RHEL 9 must audit all uses of the newgrp command. |
|
| RHEL-09-654115 |
V1R3 |
RHEL 9 must audit all uses of the pam_timestamp_check command. |
|
| RHEL-09-654120 |
V1R3 |
RHEL 9 must audit all uses of the passwd command. |
|
| RHEL-09-654125 |
V1R3 |
RHEL 9 must audit all uses of the postdrop command. |
|
| RHEL-09-654130 |
V1R3 |
RHEL 9 must audit all uses of the postqueue command. |
|
| RHEL-09-654135 |
V1R3 |
RHEL 9 must audit all uses of the ssh-agent command. |
|
| RHEL-09-654140 |
V1R3 |
RHEL 9 must audit all uses of the ssh-keysign command. |
|
| RHEL-09-654145 |
V1R3 |
RHEL 9 must audit all uses of the su command. |
|
| RHEL-09-654150 |
V1R3 |
RHEL 9 must audit all uses of the sudo command. |
|
| RHEL-09-654155 |
V1R3 |
RHEL 9 must audit all uses of the sudoedit command. |
|
| RHEL-09-654160 |
V1R3 |
RHEL 9 must audit all uses of the unix_chkpwd command. |
|
| RHEL-09-654165 |
V1R3 |
RHEL 9 must audit all uses of the unix_update command. |
|
| RHEL-09-654170 |
V1R3 |
RHEL 9 must audit all uses of the userhelper command. |
|
| RHEL-09-654175 |
V1R3 |
RHEL 9 must audit all uses of the usermod command. |
|
| RHEL-09-654180 |
V1R3 |
RHEL 9 must audit all uses of the mount command. |
|
| RHEL-09-654205 |
V1R3 |
Successful/unsuccessful uses of the umount system call in RHEL 9 must generate an audit record. |
|
| RHEL-09-654210 |
V1R3 |
Successful/unsuccessful uses of the umount2 system call in RHEL 9 must generate an audit record. |
|
| RHEL-09-654255 |
V1R3 |
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. |
|
| OL08-00-030180 |
V1R3 |
The OL 8 audit package must be installed. |
|
| OL08-00-030181 |
V1R3 |
OL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. |
|
| OL08-00-030190 |
V1R3 |
OL 8 must generate audit records for any use of the "su" command. |
|
| OL08-00-030200 |
V1R3 |
The OL 8 audit system must be configured to audit any use of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls. |
|
| OL08-00-030250 |
V1R3 |
OL 8 must generate audit records for any use of the "chage" command. |
|
| OL08-00-030260 |
V1R3 |
OL 8 must generate audit records for any uses of the "chcon" command. |
|
| OL08-00-030280 |
V1R3 |
OL 8 must generate audit records for any use of the "ssh-agent" command. |
|
| OL08-00-030290 |
V1R3 |
OL 8 must generate audit records for any use of the "passwd" command. |
|
| OL08-00-030300 |
V1R3 |
OL 8 must generate audit records for any use of the "mount" command. |
|
| OL08-00-030301 |
V1R3 |
OL 8 must generate audit records for any use of the "umount" command. |
|
| OL08-00-030302 |
V1R3 |
OL 8 must generate audit records for any use of the "mount" syscall. |
|
| OL08-00-030310 |
V1R3 |
OL 8 must generate audit records for any use of the "unix_update" command. |
|
| OL08-00-030311 |
V1R3 |
OL 8 must generate audit records for any use of the "postdrop" command. |
|
| OL08-00-030312 |
V1R3 |
OL 8 must generate audit records for any use of the "postqueue" command. |
|
| OL08-00-030316 |
V1R3 |
OL 8 must generate audit records for any use of the "setsebool" command. |
|
| OL08-00-030317 |
V1R3 |
OL 8 must generate audit records for any use of the "unix_chkpwd" command. |
|
| OL08-00-030320 |
V1R3 |
OL 8 must generate audit records for any use of the "ssh-keysign" command. |
|
| OL08-00-030330 |
V1R3 |
OL 8 must generate audit records for any use of the "setfacl" command. |
|
| OL08-00-030340 |
V1R3 |
OL 8 must generate audit records for any use of the "pam_timestamp_check" command. |
|
| OL08-00-030350 |
V1R3 |
OL 8 must generate audit records for any use of the "newgrp" command. |
|
| OL08-00-030360 |
V1R3 |
OL 8 must generate audit records for any use of the "init_module" and "finit_module" system calls. |
|
| OL08-00-030361 |
V1R3 |
OL 8 must generate audit records for any use of the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls. |
|
| OL08-00-030370 |
V1R3 |
OL 8 must generate audit records for any use of the "gpasswd" command. |
|
| OL08-00-030390 |
V1R3 |
OL 8 must generate audit records for any use of the delete_module syscall. |
|
| OL08-00-030400 |
V1R3 |
OL 8 must generate audit records for any use of the "crontab" command. |
|
| OL08-00-030410 |
V1R3 |
OL 8 must generate audit records for any use of the "chsh" command. |
|
| OL08-00-030420 |
V1R3 |
OL 8 must generate audit records for any use of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls. |
|
| OL08-00-030480 |
V1R3 |
OL 8 must generate audit records for any use of the "chown", "fchown", "fchownat", and "lchown" system calls. |
|
| OL08-00-030490 |
V1R3 |
OL 8 must generate audit records for any use of the "chmod", "fchmod", and "fchmodat" system calls. |
|
| OL08-00-030550 |
V1R3 |
OL 8 must generate audit records for any use of the "sudo" command. |
|
| OL08-00-030560 |
V1R3 |
OL 8 must generate audit records for any use of the "usermod" command. |
|
| OL08-00-030570 |
V1R3 |
OL 8 must generate audit records for any use of the "chacl" command. |
|
| OL08-00-030580 |
V1R3 |
OL 8 must generate audit records for any use of the "kmod" command. |
|
| OL08-00-030590 |
V1R3 |
OL 8 must generate audit records for any attempted modifications to the "faillock" log file. |
|
| OL08-00-030600 |
V1R3 |
OL 8 must generate audit records for any attempted modifications to the "lastlog" file. |
|
| OL08-00-030601 |
V1R3 |
OL 8 must enable auditing of processes that start prior to the audit daemon. |
|
| OL08-00-030602 |
V1R3 |
OL 8 must allocate an "audit_backlog_limit" of sufficient size to capture processes that start prior to the audit daemon. |
|
| OL07-00-030680 |
V2R11 |
The Oracle Linux operating system must audit all uses of the su command. |
|
| OL07-00-030690 |
V2R11 |
The Oracle Linux operating system must audit all uses of the sudo command. |
|
| OL07-00-030700 |
V2R11 |
The Oracle Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory. |
|
| OL07-00-030710 |
V2R11 |
The Oracle Linux operating system must audit all uses of the newgrp command. |
|
| OL07-00-030720 |
V2R11 |
The Oracle Linux operating system must audit all uses of the chsh command. |
|