| ALMA-09-045670 | V1R2 | AlmaLinux OS 9 audit system must audit local events. | |
| OL08-00-030313 | V2R4 | OL 8 must generate audit records for any use of the "semanage" command. | |
| OL08-00-030314 | V2R4 | OL 8 must generate audit records for any use of the "setfiles" command. | |
| OL08-00-030315 | V2R4 | OL 8 must generate audit records for any use of the "userhelper" command. | |
| OL09-00-000440 | V1R1 | OL 9 must have the audit package installed. | |
| OL09-00-000441 | V1R1 | OL 9 audit service must be enabled. | |
| OL09-00-000760 | V1R1 | OL 9 audit system must take appropriate action when an error writing to the audit storage volume occurs. | |
| OL09-00-000765 | V1R1 | OL 9 audit system must take appropriate action when the audit storage volume is full. | |
| OL09-00-000770 | V1R1 | OL 9 audit system must take appropriate action when the audit files have reached maximum size. | |
| OL09-00-000800 | V1R1 | OL 9 audit system must audit local events. | |
| OL09-00-002330 | V1R1 | OL 9 must enable Linux audit logging for the USBGuard daemon. | |
| RHEL-08-030130 | V2R3 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. | |
| RHEL-08-030140 | V2R3 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. | |
| RHEL-08-030150 | V2R3 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. | |
| RHEL-08-030160 | V2R3 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. | |
| RHEL-08-030170 | V2R3 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. | |
| RHEL-08-030171 | V2R3 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. | |
| RHEL-08-030172 | V2R3 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. | |
| RHEL-08-030180 | V2R3 | The RHEL 8 audit package must be installed. | |
| RHEL-08-030190 | V2R3 | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record. | |
| RHEL-08-030200 | V2R3 | The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. | |
| RHEL-08-030250 | V2R3 | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record. | |
| RHEL-08-030260 | V2R3 | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record. | |
| RHEL-08-030280 | V2R3 | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record. | |
| RHEL-08-030290 | V2R3 | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record. | |
| RHEL-08-030300 | V2R3 | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record. | |
| RHEL-08-030301 | V2R3 | Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record. | |
| RHEL-08-030302 | V2R3 | Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record. | |
| RHEL-08-030310 | V2R3 | Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record. | |
| RHEL-08-030311 | V2R3 | Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record. | |
| RHEL-08-030312 | V2R3 | Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record. | |
| RHEL-08-030313 | V2R3 | Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record. | |
| RHEL-08-030314 | V2R3 | Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record. | |
| RHEL-08-030315 | V2R3 | Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record. | |
| RHEL-08-030316 | V2R3 | Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record. | |
| RHEL-08-030317 | V2R3 | Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record. | |
| RHEL-08-030320 | V2R3 | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record. | |
| RHEL-08-030330 | V2R3 | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record. | |
| RHEL-08-030340 | V2R3 | Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record. | |
| RHEL-08-030350 | V2R3 | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record. | |
| RHEL-08-030360 | V2R3 | Successful/unsuccessful uses of the init_module and finit_module system calls in RHEL 8 must generate an audit record. | |
| RHEL-08-030361 | V2R3 | Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in RHEL 8 must generate an audit record. | |
| RHEL-08-030370 | V2R3 | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record. | |
| RHEL-08-030390 | V2R3 | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record. | |
| RHEL-08-030400 | V2R3 | Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record. | |
| RHEL-08-030410 | V2R3 | Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record. | |
| RHEL-08-030420 | V2R3 | Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in RHEL 8 must generate an audit record. | |
| RHEL-08-030480 | V2R3 | Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in RHEL 8 must generate an audit record. | |
| RHEL-08-030490 | V2R3 | Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in RHEL 8 must generate an audit record. | |
| RHEL-08-030550 | V2R3 | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record. | |
| RHEL-08-030560 | V2R3 | Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record. | |
| RHEL-08-030570 | V2R3 | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record. | |
| RHEL-08-030580 | V2R3 | Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record. | |
| RHEL-08-030590 | V2R3 | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record. | |
| RHEL-08-030600 | V2R3 | Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record. | |
| RHEL-08-030601 | V2R3 | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | |
| RHEL-08-030603 | V2R3 | RHEL 8 must enable Linux audit logging for the USBGuard daemon. | |
| RHEL-08-030181 | V2R3 | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | |
| RHEL-09-291025 | V2R4 | RHEL 9 must enable Linux audit logging for the USBGuard daemon. | |
| RHEL-09-653010 | V2R4 | RHEL 9 audit package must be installed. | |
| RHEL-09-653015 | V2R4 | RHEL 9 audit service must be enabled. | |
| RHEL-09-653075 | V2R4 | RHEL 9 audit system must audit local events. | |
| WN10-SO-000030 | V3R4 | Audit policy using subcategories must be enabled. | |
| WN11-SO-000030 | V2R3 | Audit policy using subcategories must be enabled. | |
| WN16-SO-000050 | V2R9 | Audit policy using subcategories must be enabled. | |
| WN19-SO-000050 | V3R4 | Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings. | |
| WN22-SO-000050 | V2R4 | Windows Server 2022 must force audit policy subcategory settings to override audit policy category settings. | |