| RHEL-08-030130 |
V1R3 |
RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. |
|
| RHEL-08-030140 |
V1R3 |
RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. |
|
| RHEL-08-030150 |
V1R3 |
RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. |
|
| RHEL-08-030160 |
V1R3 |
RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. |
|
| RHEL-08-030170 |
V1R3 |
RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. |
|
| RHEL-08-030171 |
V1R3 |
RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. |
|
| RHEL-08-030172 |
V1R3 |
RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. |
|
| RHEL-08-030180 |
V1R3 |
The RHEL 8 audit package must be installed. |
|
| RHEL-08-030190 |
V1R3 |
Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030200 |
V1R3 |
The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call. |
|
| RHEL-08-030210 |
V1R3 |
The RHEL 8 audit system must be configured to audit any usage of the removexattr system call. |
|
| RHEL-08-030220 |
V1R3 |
The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call. |
|
| RHEL-08-030230 |
V1R3 |
The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call. |
|
| RHEL-08-030240 |
V1R3 |
The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call. |
|
| RHEL-08-030250 |
V1R3 |
Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030260 |
V1R3 |
Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030270 |
V1R3 |
The RHEL 8 audit system must be configured to audit any usage of the setxattr system call. |
|
| RHEL-08-030280 |
V1R3 |
Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record. |
|
| RHEL-08-030290 |
V1R3 |
Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030300 |
V1R3 |
Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030301 |
V1R3 |
Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030302 |
V1R3 |
Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record. |
|
| RHEL-08-030310 |
V1R3 |
Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record. |
|
| RHEL-08-030311 |
V1R3 |
Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record. |
|
| RHEL-08-030312 |
V1R3 |
Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record. |
|
| RHEL-08-030313 |
V1R3 |
Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record. |
|
| RHEL-08-030314 |
V1R3 |
Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record. |
|
| RHEL-08-030315 |
V1R3 |
Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record. |
|
| RHEL-08-030316 |
V1R3 |
Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record. |
|
| RHEL-08-030317 |
V1R3 |
Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record. |
|
| RHEL-08-030320 |
V1R3 |
Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record. |
|
| RHEL-08-030330 |
V1R3 |
Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030340 |
V1R3 |
Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030350 |
V1R3 |
Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030360 |
V1R3 |
Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030361 |
V1R3 |
Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030362 |
V1R3 |
Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030363 |
V1R3 |
Successful/unsuccessful uses of the rmdir command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030364 |
V1R3 |
Successful/unsuccessful uses of the unlink command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030365 |
V1R3 |
Successful/unsuccessful uses of the unlinkat command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030370 |
V1R3 |
Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030380 |
V1R3 |
Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030390 |
V1R3 |
Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030400 |
V1R3 |
Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030410 |
V1R3 |
Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030420 |
V1R3 |
Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030430 |
V1R3 |
Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record. |
|
| RHEL-08-030440 |
V1R3 |
Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record. |
|
| RHEL-08-030450 |
V1R3 |
Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record. |
|
| RHEL-08-030460 |
V1R3 |
Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030470 |
V1R3 |
Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record. |
|
| RHEL-08-030480 |
V1R3 |
Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030490 |
V1R3 |
Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030500 |
V1R3 |
Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record. |
|
| RHEL-08-030510 |
V1R3 |
Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record. |
|
| RHEL-08-030520 |
V1R3 |
Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record. |
|
| RHEL-08-030530 |
V1R3 |
Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record. |
|
| RHEL-08-030540 |
V1R3 |
Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record. |
|
| RHEL-08-030550 |
V1R3 |
Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030560 |
V1R3 |
Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030570 |
V1R3 |
Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030580 |
V1R3 |
Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record. |
|
| RHEL-08-030590 |
V1R3 |
Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record. |
|
| RHEL-08-030600 |
V1R3 |
Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record. |
|
| RHEL-08-030601 |
V1R3 |
RHEL 8 must enable auditing of processes that start prior to the audit daemon. |
|
| RHEL-08-030603 |
V1R3 |
RHEL 8 must enable Linux audit logging for the USBGuard daemon. |
|
| RHEL-08-030181 |
V1R3 |
RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. |
|
| WN11-SO-000030 |
V2R2 |
Audit policy using subcategories must be enabled. |
|
| WN10-SO-000030 |
V3R2 |
Audit policy using subcategories must be enabled. |
|
| WN19-SO-000050 |
V3R2 |
Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings. |
|
| WN16-SO-000050 |
V2R7 |
Audit policy using subcategories must be enabled. |
|
| WN22-SO-000050 |
V1R4 |
Windows Server 2022 must force audit policy subcategory settings to override audit policy category settings. |
|
| RHEL-09-291025 |
V1R3 |
RHEL 9 must enable Linux audit logging for the USBGuard daemon. |
|
| RHEL-09-653010 |
V1R3 |
RHEL 9 audit package must be installed. |
|
| RHEL-09-653015 |
V1R3 |
RHEL 9 audit service must be enabled. |
|
| RHEL-09-653075 |
V1R3 |
RHEL 9 audit system must audit local events. |
|
| OL08-00-030313 |
V1R3 |
OL 8 must generate audit records for any use of the "semanage" command. |
|
| OL08-00-030314 |
V1R3 |
OL 8 must generate audit records for any use of the "setfiles" command. |
|
| OL08-00-030315 |
V1R3 |
OL 8 must generate audit records for any use of the "userhelper" command. |
|