SRG-OS-000037-GPOS-00015 Controls

| STIG ID | Version | Title | Product |
| --- | --- | --- | --- |
| ALMA-09-047100 | V1R4 | The audit package must be installed on AlmaLinux OS 9. | AlmaLinux OS 9 |
| ALMA-09-047540 | V1R4 | AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. | AlmaLinux OS 9 |
| ALMA-09-047650 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "mount" command. | AlmaLinux OS 9 |
| ALMA-09-047760 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "umount" command. | AlmaLinux OS 9 |
| ALMA-09-047870 | V1R4 | Successful/unsuccessful uses of the umount2 system call in AlmaLinux OS 9 must generate an audit record. | AlmaLinux OS 9 |
| ALMA-09-047980 | V1R4 | AlmaLinux OS 9 must enable auditing of processes that start prior to the audit daemon. | AlmaLinux OS 9 |
| ALMA-09-048090 | V1R4 | AlmaLinux OS 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. | AlmaLinux OS 9 |
| ALMA-09-048200 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "chacl" command. | AlmaLinux OS 9 |
| ALMA-09-048310 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "chage" command. | AlmaLinux OS 9 |
| ALMA-09-048420 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "chcon" command. | AlmaLinux OS 9 |
| ALMA-09-048530 | V1R4 | AlmaLinux OS 9 must audit all uses of the chmod, fchmod, and fchmodat system calls. | AlmaLinux OS 9 |
| ALMA-09-048640 | V1R4 | AlmaLinux OS 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls. | AlmaLinux OS 9 |
| ALMA-09-048750 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "chsh" command. | AlmaLinux OS 9 |
| ALMA-09-048860 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "crontab" command. | AlmaLinux OS 9 |
| ALMA-09-048970 | V1R4 | AlmaLinux OS 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. | AlmaLinux OS 9 |
| ALMA-09-049190 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "gpasswd" command. | AlmaLinux OS 9 |
| ALMA-09-049300 | V1R4 | AlmaLinux OS 9 must audit all uses of the kmod command. | AlmaLinux OS 9 |
| ALMA-09-049410 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "newgrp" command. | AlmaLinux OS 9 |
| ALMA-09-049520 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "passwd" command. | AlmaLinux OS 9 |
| ALMA-09-049630 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "postdrop" command. | AlmaLinux OS 9 |
| ALMA-09-049740 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "postqueue" command. | AlmaLinux OS 9 |
| ALMA-09-049850 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "su" command. | AlmaLinux OS 9 |
| ALMA-09-049960 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "sudo" command. | AlmaLinux OS 9 |
| ALMA-09-050070 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "semanage" command. | AlmaLinux OS 9 |
| ALMA-09-050180 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "setfacl" command. | AlmaLinux OS 9 |
| ALMA-09-050290 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "setfiles" command. | AlmaLinux OS 9 |
| ALMA-09-050400 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "setsebool" command. | AlmaLinux OS 9 |
| ALMA-09-050510 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "ssh-agent" command. | AlmaLinux OS 9 |
| ALMA-09-050620 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "ssh-keysign" command. | AlmaLinux OS 9 |
| ALMA-09-050730 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "sudoedit" command. | AlmaLinux OS 9 |
| ALMA-09-050840 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "pam_timestamp_check" command. | AlmaLinux OS 9 |
| ALMA-09-050950 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "unix_chkpwd" command. | AlmaLinux OS 9 |
| ALMA-09-051060 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "unix_update" command. | AlmaLinux OS 9 |
| ALMA-09-051170 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "userhelper" command. | AlmaLinux OS 9 |
| ALMA-09-051280 | V1R4 | AlmaLinux OS 9 must generate audit records for any use of the "usermod" command. | AlmaLinux OS 9 |
| ALMA-09-051390 | V1R4 | AlmaLinux OS 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. | AlmaLinux OS 9 |
| APPL-13-001003 | V1R5 | The macOS system must produce audit records containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions. | macOS 13 - Ventura |
| APPL-14-001003 | V2R4 | The macOS system must enable security auditing. | macOS 14 - Sonoma |
| APPL-15-001003 | V1R5 | The macOS system must enable security auditing. | macOS 15 - Sequoia |
| OL07-00-030680 | V3R3 | The Oracle Linux operating system must audit all uses of the su command. | Oracle Linux 7 |
| OL07-00-030690 | V3R3 | The Oracle Linux operating system must audit all uses of the sudo command. | Oracle Linux 7 |
| OL07-00-030700 | V3R3 | The Oracle Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory. | Oracle Linux 7 |
| OL07-00-030710 | V3R3 | The Oracle Linux operating system must audit all uses of the newgrp command. | Oracle Linux 7 |
| OL07-00-030720 | V3R3 | The Oracle Linux operating system must audit all uses of the chsh command. | Oracle Linux 7 |
| OL08-00-030180 | V2R6 | The OL 8 audit package must be installed. | Oracle Linux 8 |
| OL08-00-030181 | V2R6 | OL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Oracle Linux 8 |
| OL08-00-030190 | V2R6 | OL 8 must generate audit records for any use of the "su" command. | Oracle Linux 8 |
| OL08-00-030200 | V2R6 | The OL 8 audit system must be configured to audit any use of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls. | Oracle Linux 8 |
| OL08-00-030250 | V2R6 | OL 8 must generate audit records for any use of the "chage" command. | Oracle Linux 8 |
| OL08-00-030260 | V2R6 | OL 8 must generate audit records for any uses of the "chcon" command. | Oracle Linux 8 |
| OL08-00-030280 | V2R6 | OL 8 must generate audit records for any use of the "ssh-agent" command. | Oracle Linux 8 |
| OL08-00-030290 | V2R6 | OL 8 must generate audit records for any use of the "passwd" command. | Oracle Linux 8 |
| OL08-00-030300 | V2R6 | OL 8 must generate audit records for any use of the "mount" command. | Oracle Linux 8 |
| OL08-00-030301 | V2R6 | OL 8 must generate audit records for any use of the "umount" command. | Oracle Linux 8 |
| OL08-00-030302 | V2R6 | OL 8 must generate audit records for any use of the "mount" syscall. | Oracle Linux 8 |
| OL08-00-030310 | V2R6 | OL 8 must generate audit records for any use of the "unix_update" command. | Oracle Linux 8 |
| OL08-00-030311 | V2R6 | OL 8 must generate audit records for any use of the "postdrop" command. | Oracle Linux 8 |
| OL08-00-030312 | V2R6 | OL 8 must generate audit records for any use of the "postqueue" command. | Oracle Linux 8 |
| OL08-00-030316 | V2R6 | OL 8 must generate audit records for any use of the "setsebool" command. | Oracle Linux 8 |
| OL08-00-030317 | V2R6 | OL 8 must generate audit records for any use of the "unix_chkpwd" command. | Oracle Linux 8 |
| OL08-00-030320 | V2R6 | OL 8 must generate audit records for any use of the "ssh-keysign" command. | Oracle Linux 8 |
| OL08-00-030330 | V2R6 | OL 8 must generate audit records for any use of the "setfacl" command. | Oracle Linux 8 |
| OL08-00-030340 | V2R6 | OL 8 must generate audit records for any use of the "pam_timestamp_check" command. | Oracle Linux 8 |
| OL08-00-030350 | V2R6 | OL 8 must generate audit records for any use of the "newgrp" command. | Oracle Linux 8 |
| OL08-00-030360 | V2R6 | OL 8 must generate audit records for any use of the "init_module" and "finit_module" system calls. | Oracle Linux 8 |
| OL08-00-030361 | V2R6 | OL 8 must generate audit records for any use of the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls. | Oracle Linux 8 |
| OL08-00-030370 | V2R6 | OL 8 must generate audit records for any use of the "gpasswd" command. | Oracle Linux 8 |
| OL08-00-030390 | V2R6 | OL 8 must generate audit records for any use of the delete_module syscall. | Oracle Linux 8 |
| OL08-00-030400 | V2R6 | OL 8 must generate audit records for any use of the "crontab" command. | Oracle Linux 8 |
| OL08-00-030410 | V2R6 | OL 8 must generate audit records for any use of the "chsh" command. | Oracle Linux 8 |
| OL08-00-030420 | V2R6 | OL 8 must generate audit records for any use of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls. | Oracle Linux 8 |
| OL08-00-030480 | V2R6 | OL 8 must generate audit records for any use of the "chown", "fchown", "fchownat", and "lchown" system calls. | Oracle Linux 8 |
| OL08-00-030490 | V2R6 | OL 8 must generate audit records for any use of the "chmod", "fchmod", and "fchmodat" system calls. | Oracle Linux 8 |
| OL08-00-030550 | V2R6 | OL 8 must generate audit records for any use of the "sudo" command. | Oracle Linux 8 |
| OL08-00-030560 | V2R6 | OL 8 must generate audit records for any use of the "usermod" command. | Oracle Linux 8 |
| OL08-00-030570 | V2R6 | OL 8 must generate audit records for any use of the "chacl" command. | Oracle Linux 8 |
| OL08-00-030580 | V2R6 | OL 8 must generate audit records for any use of the "kmod" command. | Oracle Linux 8 |
| OL08-00-030590 | V2R6 | OL 8 must generate audit records for any attempted modifications to the "faillock" log file. | Oracle Linux 8 |
| OL08-00-030600 | V2R6 | OL 8 must generate audit records for any attempted modifications to the "lastlog" file. | Oracle Linux 8 |
| OL08-00-030601 | V2R6 | OL 8 must enable auditing of processes that start prior to the audit daemon. | Oracle Linux 8 |
| OL08-00-030602 | V2R6 | OL 8 must allocate an "audit_backlog_limit" of sufficient size to capture processes that start prior to the audit daemon. | Oracle Linux 8 |
| OL09-00-000535 | V1R3 | OL 9 must audit all uses of the unix_update command. | Oracle Linux 9 |
| OL09-00-000540 | V1R3 | OL 9 must audit all uses of the su command. | Oracle Linux 9 |
| OL09-00-000545 | V1R3 | OL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. | Oracle Linux 9 |
| OL09-00-000550 | V1R3 | OL 9 must audit all uses of the chage command. | Oracle Linux 9 |
| OL09-00-000555 | V1R3 | OL 9 must audit all uses of the chcon command. | Oracle Linux 9 |
| OL09-00-000560 | V1R3 | OL 9 must audit all uses of the setfacl command. | Oracle Linux 9 |
| OL09-00-000565 | V1R3 | OL 9 must audit all uses of the chsh command. | Oracle Linux 9 |
| OL09-00-000570 | V1R3 | OL 9 must audit all uses of the crontab command. | Oracle Linux 9 |
| OL09-00-000575 | V1R3 | OL 9 must audit all uses of the gpasswd command. | Oracle Linux 9 |
| OL09-00-000580 | V1R3 | OL 9 must audit all uses of the newgrp command. | Oracle Linux 9 |
| OL09-00-000585 | V1R3 | OL 9 must audit all uses of the pam_timestamp_check command. | Oracle Linux 9 |
| OL09-00-000590 | V1R3 | OL 9 must audit all uses of the passwd command. | Oracle Linux 9 |
| OL09-00-000595 | V1R3 | OL 9 must audit all uses of the postdrop command. | Oracle Linux 9 |
| OL09-00-000600 | V1R3 | OL 9 must audit all uses of the postqueue command. | Oracle Linux 9 |
| OL09-00-000605 | V1R3 | OL 9 must audit all uses of the ssh-agent command. | Oracle Linux 9 |
| OL09-00-000610 | V1R3 | OL 9 must audit all uses of the ssh-keysign command. | Oracle Linux 9 |
| OL09-00-000615 | V1R3 | OL 9 must audit all uses of the sudoedit command. | Oracle Linux 9 |
| OL09-00-000620 | V1R3 | OL 9 must audit all uses of the unix_chkpwd command. | Oracle Linux 9 |
| OL09-00-000625 | V1R3 | OL 9 must audit all uses of the userhelper command. | Oracle Linux 9 |
| OL09-00-000630 | V1R3 | OL 9 must audit all uses of the mount command. | Oracle Linux 9 |
| OL09-00-000635 | V1R3 | OL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. | Oracle Linux 9 |
| OL09-00-000640 | V1R3 | OL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls. | Oracle Linux 9 |
| OL09-00-000645 | V1R3 | OL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls. | Oracle Linux 9 |
| OL09-00-000650 | V1R3 | OL 9 must audit all uses of the semanage command. | Oracle Linux 9 |
| OL09-00-000655 | V1R3 | OL 9 must audit all uses of the setfiles command. | Oracle Linux 9 |
| OL09-00-000660 | V1R3 | OL 9 must audit all uses of the setsebool command. | Oracle Linux 9 |
| OL09-00-000665 | V1R3 | OL 9 must audit all uses of the chacl command. | Oracle Linux 9 |
| OL09-00-000670 | V1R3 | OL 9 must audit all uses of the sudo command. | Oracle Linux 9 |
| OL09-00-000675 | V1R3 | OL 9 must audit all uses of the usermod command. | Oracle Linux 9 |
| OL09-00-000680 | V1R3 | OL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. | Oracle Linux 9 |
| OL09-00-000685 | V1R3 | OL 9 must audit all uses of the delete_module system call. | Oracle Linux 9 |
| OL09-00-000690 | V1R3 | OL 9 must audit all uses of the init_module and finit_module system calls. | Oracle Linux 9 |
| OL09-00-000695 | V1R3 | OL 9 must audit all uses of the kmod command. | Oracle Linux 9 |
| OL09-00-000700 | V1R3 | OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. | Oracle Linux 9 |
| OL09-00-000705 | V1R3 | OL 9 must audit all uses of umount system calls. | Oracle Linux 9 |
| OL09-00-000750 | V1R3 | OL 9 must enable auditing of processes that start prior to the audit daemon. | Oracle Linux 9 |
| OL09-00-000840 | V1R3 | OL 9 must be configured so that successful/unsuccessful uses of the umount system call generate an audit record. | Oracle Linux 9 |
| OL09-00-000845 | V1R3 | OL 9 must be configured so that successful/unsuccessful uses of the umount2 system call generate an audit record. | Oracle Linux 9 |
| OL09-00-002584 | V1R3 | OL 9 must audit any script or executable called by cron as root or by any privileged user. | Oracle Linux 9 |
| RHEL-07-030680 | V3R9 | The Red Hat Enterprise Linux operating system must audit all uses of the su command. | Red Hat Enterprise Linux 7 |
| RHEL-07-030690 | V3R9 | The Red Hat Enterprise Linux operating system must audit all uses of the sudo command. | Red Hat Enterprise Linux 7 |
| RHEL-07-030700 | V3R9 | The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory. | Red Hat Enterprise Linux 7 |
| RHEL-07-030710 | V3R9 | The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command. | Red Hat Enterprise Linux 7 |
| RHEL-07-030720 | V3R9 | The Red Hat Enterprise Linux operating system must audit all uses of the chsh command. | Red Hat Enterprise Linux 7 |
| RHEL-09-212055 | V2R6 | RHEL 9 must enable auditing of processes that start prior to the audit daemon. | Red Hat Enterprise Linux 9 |
| RHEL-09-654015 | V2R6 | RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls. | Red Hat Enterprise Linux 9 |
| RHEL-09-654020 | V2R6 | RHEL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls. | Red Hat Enterprise Linux 9 |
| RHEL-09-654025 | V2R6 | RHEL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. | Red Hat Enterprise Linux 9 |
| RHEL-09-654030 | V2R6 | RHEL 9 must audit all uses of umount system calls. | Red Hat Enterprise Linux 9 |
| RHEL-09-654035 | V2R6 | RHEL 9 must audit all uses of the chacl command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654040 | V2R6 | RHEL 9 must audit all uses of the setfacl command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654045 | V2R6 | RHEL 9 must audit all uses of the chcon command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654050 | V2R6 | RHEL 9 must audit all uses of the semanage command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654055 | V2R6 | RHEL 9 must audit all uses of the setfiles command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654060 | V2R6 | RHEL 9 must audit all uses of the setsebool command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654065 | V2R6 | RHEL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. | Red Hat Enterprise Linux 9 |
| RHEL-09-654070 | V2R6 | RHEL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. | Red Hat Enterprise Linux 9 |
| RHEL-09-654075 | V2R6 | RHEL 9 must audit all uses of the delete_module system call. | Red Hat Enterprise Linux 9 |
| RHEL-09-654080 | V2R6 | RHEL 9 must audit all uses of the init_module and finit_module system calls. | Red Hat Enterprise Linux 9 |
| RHEL-09-654085 | V2R6 | RHEL 9 must audit all uses of the chage command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654090 | V2R6 | RHEL 9 must audit all uses of the chsh command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654095 | V2R6 | RHEL 9 must audit all uses of the crontab command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654100 | V2R6 | RHEL 9 must audit all uses of the gpasswd command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654105 | V2R6 | RHEL 9 must audit all uses of the kmod command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654110 | V2R6 | RHEL 9 must audit all uses of the newgrp command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654115 | V2R6 | RHEL 9 must audit all uses of the pam_timestamp_check command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654120 | V2R6 | RHEL 9 must audit all uses of the passwd command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654125 | V2R6 | RHEL 9 must audit all uses of the postdrop command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654130 | V2R6 | RHEL 9 must audit all uses of the postqueue command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654135 | V2R6 | RHEL 9 must audit all uses of the ssh-agent command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654140 | V2R6 | RHEL 9 must audit all uses of the ssh-keysign command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654145 | V2R6 | RHEL 9 must audit all uses of the su command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654150 | V2R6 | RHEL 9 must audit all uses of the sudo command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654155 | V2R6 | RHEL 9 must audit all uses of the sudoedit command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654160 | V2R6 | RHEL 9 must audit all uses of the unix_chkpwd command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654165 | V2R6 | RHEL 9 must audit all uses of the unix_update command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654170 | V2R6 | RHEL 9 must audit all uses of the userhelper command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654175 | V2R6 | RHEL 9 must audit all uses of the usermod command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654180 | V2R6 | RHEL 9 must audit all uses of the mount command. | Red Hat Enterprise Linux 9 |
| RHEL-09-654205 | V2R6 | Successful/unsuccessful uses of the umount system call in RHEL 9 must generate an audit record. | Red Hat Enterprise Linux 9 |
| RHEL-09-654210 | V2R6 | Successful/unsuccessful uses of the umount2 system call in RHEL 9 must generate an audit record. | Red Hat Enterprise Linux 9 |
| RHEL-09-654255 | V2R6 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. | Red Hat Enterprise Linux 9 |
| SLES-12-020010 | V3R2 | SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | SUSE Linux Enterprise 12 |
| SLES-12-020250 | V3R2 | The SUSE operating system must generate audit records for all uses of the su command. | SUSE Linux Enterprise 12 |
| SLES-12-020260 | V3R2 | The SUSE operating system must generate audit records for all uses of the sudo command. | SUSE Linux Enterprise 12 |
| SLES-12-020280 | V3R2 | The SUSE operating system must generate audit records for all uses of the chfn command. | SUSE Linux Enterprise 12 |
| SLES-12-020290 | V3R2 | The SUSE operating system must generate audit records for all uses of the mount command. | SUSE Linux Enterprise 12 |
| SLES-12-020300 | V3R2 | The SUSE operating system must generate audit records for all uses of the umount command. | SUSE Linux Enterprise 12 |
| SLES-12-020310 | V3R2 | The SUSE operating system must generate audit records for all uses of the ssh-agent command. | SUSE Linux Enterprise 12 |
| SLES-12-020320 | V3R2 | The SUSE operating system must generate audit records for all uses of the ssh-keysign command. | SUSE Linux Enterprise 12 |
| SLES-12-020360 | V3R2 | The SUSE operating system must generate audit records for all uses of the kmod command. | SUSE Linux Enterprise 12 |
| SLES-12-020370 | V3R2 | The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr syscalls. | SUSE Linux Enterprise 12 |
| SLES-12-020420 | V3R2 | The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown syscalls. | SUSE Linux Enterprise 12 |
| SLES-12-020460 | V3R2 | The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmodat system calls. | SUSE Linux Enterprise 12 |
| SLES-12-020490 | V3R2 | The SUSE operating system must generate audit records for all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls. | SUSE Linux Enterprise 12 |
| SLES-12-020550 | V3R2 | The SUSE operating system must generate audit records for all uses of the passwd command. | SUSE Linux Enterprise 12 |
| SLES-12-020560 | V3R2 | The SUSE operating system must generate audit records for all uses of the gpasswd command. | SUSE Linux Enterprise 12 |
| SLES-12-020570 | V3R2 | The SUSE operating system must generate audit records for all uses of the newgrp command. | SUSE Linux Enterprise 12 |
| SLES-12-020580 | V3R2 | The SUSE operating system must generate audit records for a uses of the chsh command. | SUSE Linux Enterprise 12 |
| SLES-12-020600 | V3R2 | The SUSE operating system must generate audit records for all uses of the chmod command. | SUSE Linux Enterprise 12 |
| SLES-12-020610 | V3R2 | The SUSE operating system must generate audit records for all uses of the setfacl command. | SUSE Linux Enterprise 12 |
| SLES-12-020620 | V3R2 | The SUSE operating system must generate audit records for all uses of the chacl command. | SUSE Linux Enterprise 12 |
| SLES-12-020630 | V3R2 | Successful/unsuccessful attempts to modify categories of information (e.g., classification levels) must generate audit records. | SUSE Linux Enterprise 12 |
| SLES-12-020640 | V3R2 | The SUSE operating system must generate audit records for all uses of the rm command. | SUSE Linux Enterprise 12 |
| SLES-12-020650 | V3R2 | The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record. | SUSE Linux Enterprise 12 |
| SLES-12-020660 | V3R2 | The SUSE operating system must generate audit records for all modifications to the lastlog file. | SUSE Linux Enterprise 12 |
| SLES-12-020670 | V3R2 | The SUSE operating system must generate audit records for all uses of the passmass command. | SUSE Linux Enterprise 12 |
| SLES-12-020680 | V3R2 | The SUSE operating system must generate audit records for all uses of the unix_chkpwd command. | SUSE Linux Enterprise 12 |
| SLES-12-020690 | V3R2 | The SUSE operating system must generate audit records for all uses of the chage command. | SUSE Linux Enterprise 12 |
| SLES-12-020700 | V3R2 | The SUSE operating system must generate audit records for all uses of the usermod command. | SUSE Linux Enterprise 12 |
| SLES-12-020710 | V3R2 | The SUSE operating system must generate audit records for all uses of the crontab command. | SUSE Linux Enterprise 12 |
| SLES-12-020720 | V3R2 | The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command. | SUSE Linux Enterprise 12 |
| SLES-12-020730 | V3R2 | The SUSE operating system must generate audit records for all uses of the delete_module command. | SUSE Linux Enterprise 12 |
| SLES-12-020740 | V3R2 | The SUSE operating system must generate audit records for all uses of the init_module and finit_module syscalls. | SUSE Linux Enterprise 12 |
| SLES-12-020760 | V3R2 | The SUSE operating system must generate audit records for all modifications to the faillog file. | SUSE Linux Enterprise 12 |
| SLES-12-020411 | V3R2 | The SUSE operating system must generate audit records for all uses of the unlink, unlinkat, rename, renameat and rmdir syscalls. | SUSE Linux Enterprise 12 |
| SLES-15-030050 | V2R4 | SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | SUSE Linux Enterprise 15 |
| SLES-15-030060 | V2R4 | The SUSE operating system must generate audit records for all uses of the ssh-keysign command. | SUSE Linux Enterprise 15 |
| SLES-15-030070 | V2R4 | The SUSE operating system must generate audit records for all uses of the passwd command. | SUSE Linux Enterprise 15 |
| SLES-15-030080 | V2R4 | The SUSE operating system must generate audit records for all uses of the gpasswd command. | SUSE Linux Enterprise 15 |
| SLES-15-030090 | V2R4 | The SUSE operating system must generate audit records for all uses of the newgrp command. | SUSE Linux Enterprise 15 |
| SLES-15-030100 | V2R4 | The SUSE operating system must generate audit records for a uses of the chsh command. | SUSE Linux Enterprise 15 |
| SLES-15-030110 | V2R4 | The SUSE operating system must generate audit records for all uses of the unix_chkpwd or unix2_chkpwd commands. | SUSE Linux Enterprise 15 |
| SLES-15-030120 | V2R4 | The SUSE operating system must generate audit records for all uses of the chage command. | SUSE Linux Enterprise 15 |
| SLES-15-030130 | V2R4 | The SUSE operating system must generate audit records for all uses of the crontab command. | SUSE Linux Enterprise 15 |
| SLES-15-030140 | V2R4 | The SUSE operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory. | SUSE Linux Enterprise 15 |
| SLES-15-030150 | V2R4 | The SUSE operating system must generate audit records for all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. | SUSE Linux Enterprise 15 |
| SLES-15-030190 | V2R4 | The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. | SUSE Linux Enterprise 15 |
| SLES-15-030250 | V2R4 | The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown system calls. | SUSE Linux Enterprise 15 |
| SLES-15-030290 | V2R4 | The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmodat system calls. | SUSE Linux Enterprise 15 |
| SLES-15-030330 | V2R4 | The SUSE operating system must generate audit records for all uses of the sudoedit command. | SUSE Linux Enterprise 15 |
| SLES-15-030340 | V2R4 | The SUSE operating system must generate audit records for all uses of the chfn command. | SUSE Linux Enterprise 15 |
| SLES-15-030350 | V2R4 | The SUSE operating system must generate audit records for all uses of the mount system call. | SUSE Linux Enterprise 15 |
| SLES-15-030360 | V2R4 | The SUSE operating system must generate audit records for all uses of the umount system call. | SUSE Linux Enterprise 15 |
| SLES-15-030370 | V2R4 | The SUSE operating system must generate audit records for all uses of the ssh-agent command. | SUSE Linux Enterprise 15 |
| SLES-15-030380 | V2R4 | The SUSE operating system must generate audit records for all uses of the insmod command. | SUSE Linux Enterprise 15 |
| SLES-15-030390 | V2R4 | The SUSE operating system must generate audit records for all uses of the rmmod command. | SUSE Linux Enterprise 15 |
| SLES-15-030400 | V2R4 | The SUSE operating system must generate audit records for all uses of the modprobe command. | SUSE Linux Enterprise 15 |
| SLES-15-030410 | V2R4 | The SUSE operating system must generate audit records for all uses of the kmod command. | SUSE Linux Enterprise 15 |
| SLES-15-030420 | V2R4 | The SUSE operating system must generate audit records for all uses of the chmod command. | SUSE Linux Enterprise 15 |
| SLES-15-030430 | V2R4 | The SUSE operating system must generate audit records for all uses of the setfacl command. | SUSE Linux Enterprise 15 |
| SLES-15-030440 | V2R4 | The SUSE operating system must generate audit records for all uses of the chacl command. | SUSE Linux Enterprise 15 |
| SLES-15-030450 | V2R4 | The SUSE operating system must generate audit records for all uses of the chcon command. | SUSE Linux Enterprise 15 |
| SLES-15-030460 | V2R4 | The SUSE operating system must generate audit records for all uses of the rm command. | SUSE Linux Enterprise 15 |
| SLES-15-030470 | V2R4 | The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record. | SUSE Linux Enterprise 15 |
| SLES-15-030480 | V2R4 | The SUSE operating system must generate audit records for all modifications to the lastlog file. | SUSE Linux Enterprise 15 |
| SLES-15-030490 | V2R4 | The SUSE operating system must generate audit records for all uses of the passmass command. | SUSE Linux Enterprise 15 |
| SLES-15-030500 | V2R4 | The SUSE operating system must generate audit records for all uses of the usermod command. | SUSE Linux Enterprise 15 |
| SLES-15-030510 | V2R4 | The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command. | SUSE Linux Enterprise 15 |
| SLES-15-030520 | V2R4 | The SUSE operating system must generate audit records for all uses of the delete_module system call. | SUSE Linux Enterprise 15 |
| SLES-15-030530 | V2R4 | The SUSE operating system must generate audit records for all uses of the init_module and finit_module system calls. | SUSE Linux Enterprise 15 |
| SLES-15-030550 | V2R4 | The SUSE operating system must generate audit records for all uses of the su command. | SUSE Linux Enterprise 15 |
| SLES-15-030560 | V2R4 | The SUSE operating system must generate audit records for all uses of the sudo command. | SUSE Linux Enterprise 15 |
| TOSS-04-030010 | V2R3 | TOSS audit records must contain information to establish what type of events occurred, when the events occurred, the source of events, where events occurred, and the outcome of events. | Tri-Lab Operating System Stack |
| TOSS-04-030310 | V2R3 | Successful/unsuccessful uses of the "chage" command in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030320 | V2R3 | Successful/unsuccessful uses of the "chcon" command in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030330 | V2R3 | Successful/unsuccessful uses of the ssh-agent in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030340 | V2R3 | Successful/unsuccessful uses of the "passwd" command in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030350 | V2R3 | Successful/unsuccessful uses of postdrop in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030360 | V2R3 | Successful/unsuccessful uses of postqueue in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030370 | V2R3 | Successful/unsuccessful uses of setsebool in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030380 | V2R3 | Successful/unsuccessful uses of the ssh-keysign in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030390 | V2R3 | Successful/unsuccessful uses of the "setfacl" command in RTOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030400 | V2R3 | Successful/unsuccessful uses of the "pam_timestamp_check" command in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030410 | V2R3 | Successful/unsuccessful uses of the "newgrp" command in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030420 | V2R3 | Successful/unsuccessful uses of the "init_module" command in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030430 | V2R3 | Successful/unsuccessful uses of the "rename" command in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030440 | V2R3 | Successful/unsuccessful uses of the "renameat" command in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030450 | V2R3 | Successful/unsuccessful uses of the "rmdir" command in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030460 | V2R3 | Successful/unsuccessful uses of the "unlink" command in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030470 | V2R3 | Successful/unsuccessful uses of the "unlinkat" command in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030480 | V2R3 | Successful/unsuccessful uses of the "finit_module" command in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030490 | V2R3 | Successful/unsuccessful uses of the "delete_module" command in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030500 | V2R3 | Successful/unsuccessful uses of the "crontab" command in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030510 | V2R3 | Successful/unsuccessful uses of the "chsh" command in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030520 | V2R3 | Successful/unsuccessful uses of setfiles in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| TOSS-04-030540 | V2R3 | Successful/unsuccessful uses of the "chacl" command in TOSS must generate an audit record. | Tri-Lab Operating System Stack |
| UBTU-22-653010 | V2R6 | Ubuntu 22.04 LTS must have the "auditd" package installed. | Ubuntu 22.04 |
| UBTU-22-653015 | V2R6 | Ubuntu 22.04 LTS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time. | Ubuntu 22.04 |
| WN10-AU-000555 | V3R4 | Windows 10 must be configured to audit Other Policy Change Events Failures. | Microsoft Windows 10 |
| WN10-AU-000560 | V3R4 | Windows 10 must be configured to audit other Logon/Logoff Events Successes. | Microsoft Windows 10 |
| WN10-AU-000565 | V3R4 | Windows 10 must be configured to audit other Logon/Logoff Events Failures. | Microsoft Windows 10 |
| WN10-AU-000570 | V3R4 | Windows 10 must be configured to audit Detailed File Share Failures. | Microsoft Windows 10 |
| WN10-AU-000575 | V3R4 | Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Successes. | Microsoft Windows 10 |
| WN10-AU-000580 | V3R4 | Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Failures. | Microsoft Windows 10 |
| WN10-AU-000585 | V3R4 | Windows 10 must have command line process auditing events enabled for failures. | Microsoft Windows 10 |
| WN11-AU-000550 | V2R5 | Windows 11 must be configured to audit Other Policy Change Events Successes. | Microsoft Windows 11 |
| WN11-AU-000555 | V2R5 | Windows 11 must be configured to audit Other Policy Change Events Failures. | Microsoft Windows 11 |
| WN11-AU-000560 | V2R5 | Windows 11 must be configured to audit other Logon/Logoff Events Successes. | Microsoft Windows 11 |
| WN11-AU-000565 | V2R5 | Windows 11 must be configured to audit other Logon/Logoff Events Failures. | Microsoft Windows 11 |
| WN11-AU-000570 | V2R5 | Windows 11 must be configured to audit Detailed File Share Failures. | Microsoft Windows 11 |
| WN11-AU-000575 | V2R5 | Windows 11 must be configured to audit MPSSVC Rule-Level Policy Change Successes. | Microsoft Windows 11 |
| WN11-AU-000580 | V2R5 | Windows 11 must be configured to audit MPSSVC Rule-Level Policy Change Failures. | Microsoft Windows 11 |
| WN11-AU-000585 | V2R5 | Windows 11 must have command line process auditing events enabled for failures. | Microsoft Windows 11 |