STIG-A-View
STIG ID | Version | Title | Product |
---|---|---|---|
ALMA-09-047100 | V1R1 | The audit package must be installed on AlmaLinux OS 9. | |
ALMA-09-047540 | V1R1 | AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. | |
ALMA-09-047650 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "mount" command. | |
ALMA-09-047760 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "umount" command. | |
ALMA-09-047870 | V1R1 | Successful/unsuccessful uses of the umount2 system call in AlmaLinux OS 9 must generate an audit record. | |
ALMA-09-047980 | V1R1 | AlmaLinux OS 9 must enable auditing of processes that start prior to the audit daemon. | |
ALMA-09-048090 | V1R1 | AlmaLinux OS 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. | |
ALMA-09-048200 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "chacl" command. | |
ALMA-09-048310 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "chage" command. | |
ALMA-09-048420 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "chcon" command. | |
ALMA-09-048530 | V1R1 | AlmaLinux OS 9 must audit all uses of the chmod, fchmod, and fchmodat system calls. | |
ALMA-09-048640 | V1R1 | AlmaLinux OS 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls. | |
ALMA-09-048750 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "chsh" command. | |
ALMA-09-048860 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "crontab" command. | |
ALMA-09-048970 | V1R1 | AlmaLinux OS 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. | |
ALMA-09-049190 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "gpasswd" command. | |
ALMA-09-049300 | V1R1 | AlmaLinux OS 9 must audit all uses of the kmod command. | |
ALMA-09-049410 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "newgrp" command. | |
ALMA-09-049520 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "passwd" command. | |
ALMA-09-049630 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "postdrop" command. | |
ALMA-09-049740 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "postqueue" command. | |
ALMA-09-049850 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "su" command. | |
ALMA-09-049960 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "sudo" command. | |
ALMA-09-050070 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "semanage" command. | |
ALMA-09-050180 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "setfacl" command. | |
ALMA-09-050290 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "setfiles" command. | |
ALMA-09-050400 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "setsebool" command. | |
ALMA-09-050510 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "ssh-agent" command. | |
ALMA-09-050620 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "ssh-keysign" command. | |
ALMA-09-050730 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "sudoedit" command. | |
ALMA-09-050840 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "pam_timestamp_check" command. | |
ALMA-09-050950 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "unix_chkpwd" command. | |
ALMA-09-051060 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "unix_update" command. | |
ALMA-09-051170 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "userhelper" command. | |
ALMA-09-051280 | V1R1 | AlmaLinux OS 9 must generate audit records for any use of the "usermod" command. | |
ALMA-09-051390 | V1R1 | AlmaLinux OS 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. | |
WN10-AU-000555 | V2R8 | Windows 10 must be configured to audit Other Policy Change Events Failures. | |
WN10-AU-000560 | V2R8 | Windows 10 must be configured to audit other Logon/Logoff Events Successes. | |
WN10-AU-000565 | V2R8 | Windows 10 must be configured to audit other Logon/Logoff Events Failures. | |
WN10-AU-000570 | V2R8 | Windows 10 must be configured to audit Detailed File Share Failures. | |
WN10-AU-000575 | V2R8 | Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Successes. | |
WN10-AU-000580 | V2R8 | Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Failures. | |
WN10-AU-000585 | V2R8 | Windows 10 must have command line process auditing events enabled for failures. | |
APPL-15-001003 | V1R1 | The macOS system must enable security auditing. | |
APPL-14-001003 | V2R1 | The macOS system must enable security auditing. | |
WN11-AU-000550 | V2R1 | Windows 11 must be configured to audit Other Policy Change Events Successes. | |
WN11-AU-000555 | V2R1 | Windows 11 must be configured to audit Other Policy Change Events Failures. | |
WN11-AU-000560 | V2R1 | Windows 11 must be configured to audit other Logon/Logoff Events Successes. | |
WN11-AU-000565 | V2R1 | Windows 11 must be configured to audit other Logon/Logoff Events Failures. | |
WN11-AU-000570 | V2R1 | Windows 11 must be configured to audit Detailed File Share Failures. | |
WN11-AU-000575 | V2R1 | Windows 11 must be configured to audit MPSSVC Rule-Level Policy Change Successes. | |
WN11-AU-000580 | V2R1 | Windows 11 must be configured to audit MPSSVC Rule-Level Policy Change Failures. | |
WN11-AU-000585 | V2R1 | Windows 11 must have command line process auditing events enabled for failures. | |
UBTU-22-653010 | V2R1 | Ubuntu 22.04 LTS must have the "auditd" package installed. | |
UBTU-22-653015 | V2R1 | Ubuntu 22.04 LTS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time. | |
RHEL-07-030680 | V3R8 | The Red Hat Enterprise Linux operating system must audit all uses of the su command. | |
RHEL-07-030690 | V3R8 | The Red Hat Enterprise Linux operating system must audit all uses of the sudo command. | |
RHEL-07-030700 | V3R8 | The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory. | |
RHEL-07-030710 | V3R8 | The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command. | |
RHEL-07-030720 | V3R8 | The Red Hat Enterprise Linux operating system must audit all uses of the chsh command. | |
RHEL-09-212055 | V2R1 | RHEL 9 must enable auditing of processes that start prior to the audit daemon. | |
RHEL-09-654015 | V2R1 | RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls. | |
RHEL-09-654020 | V2R1 | RHEL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls. | |
RHEL-09-654025 | V2R1 | RHEL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. | |
RHEL-09-654030 | V2R1 | RHEL 9 must audit all uses of umount system calls. | |
RHEL-09-654035 | V2R1 | RHEL 9 must audit all uses of the chacl command. | |
RHEL-09-654040 | V2R1 | RHEL 9 must audit all uses of the setfacl command. | |
RHEL-09-654045 | V2R1 | RHEL 9 must audit all uses of the chcon command. | |
RHEL-09-654050 | V2R1 | RHEL 9 must audit all uses of the semanage command. | |
RHEL-09-654055 | V2R1 | RHEL 9 must audit all uses of the setfiles command. | |
RHEL-09-654060 | V2R1 | RHEL 9 must audit all uses of the setsebool command. | |
RHEL-09-654065 | V2R1 | RHEL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. | |
RHEL-09-654070 | V2R1 | RHEL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. | |
RHEL-09-654075 | V2R1 | RHEL 9 must audit all uses of the delete_module system call. | |
RHEL-09-654080 | V2R1 | RHEL 9 must audit all uses of the init_module and finit_module system calls. | |
RHEL-09-654085 | V2R1 | RHEL 9 must audit all uses of the chage command. | |
RHEL-09-654090 | V2R1 | RHEL 9 must audit all uses of the chsh command. | |
RHEL-09-654095 | V2R1 | RHEL 9 must audit all uses of the crontab command. | |
RHEL-09-654100 | V2R1 | RHEL 9 must audit all uses of the gpasswd command. | |
RHEL-09-654105 | V2R1 | RHEL 9 must audit all uses of the kmod command. | |
RHEL-09-654110 | V2R1 | RHEL 9 must audit all uses of the newgrp command. | |
RHEL-09-654115 | V2R1 | RHEL 9 must audit all uses of the pam_timestamp_check command. | |
RHEL-09-654120 | V2R1 | RHEL 9 must audit all uses of the passwd command. | |
RHEL-09-654125 | V2R1 | RHEL 9 must audit all uses of the postdrop command. | |
RHEL-09-654130 | V2R1 | RHEL 9 must audit all uses of the postqueue command. | |
RHEL-09-654135 | V2R1 | RHEL 9 must audit all uses of the ssh-agent command. | |
RHEL-09-654140 | V2R1 | RHEL 9 must audit all uses of the ssh-keysign command. | |
RHEL-09-654145 | V2R1 | RHEL 9 must audit all uses of the su command. | |
RHEL-09-654150 | V2R1 | RHEL 9 must audit all uses of the sudo command. | |
RHEL-09-654155 | V2R1 | RHEL 9 must audit all uses of the sudoedit command. | |
RHEL-09-654160 | V2R1 | RHEL 9 must audit all uses of the unix_chkpwd command. | |
RHEL-09-654165 | V2R1 | RHEL 9 must audit all uses of the unix_update command. | |
RHEL-09-654170 | V2R1 | RHEL 9 must audit all uses of the userhelper command. | |
RHEL-09-654175 | V2R1 | RHEL 9 must audit all uses of the usermod command. | |
RHEL-09-654180 | V2R1 | RHEL 9 must audit all uses of the mount command. | |
RHEL-09-654205 | V2R1 | Successful/unsuccessful uses of the umount system call in RHEL 9 must generate an audit record. | |
RHEL-09-654210 | V2R1 | Successful/unsuccessful uses of the umount2 system call in RHEL 9 must generate an audit record. | |
RHEL-09-654255 | V2R1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. | |
OL09-00-000535 | V1R1 | OL 9 must audit all uses of the unix_update command. | |
OL09-00-000540 | V1R1 | OL 9 must audit all uses of the su command. | |
OL09-00-000545 | V1R1 | OL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. | |
OL09-00-000550 | V1R1 | OL 9 must audit all uses of the chage command. | |
OL09-00-000555 | V1R1 | OL 9 must audit all uses of the chcon command. | |
OL09-00-000560 | V1R1 | OL 9 must audit all uses of the setfacl command. | |
OL09-00-000565 | V1R1 | OL 9 must audit all uses of the chsh command. | |
OL09-00-000570 | V1R1 | OL 9 must audit all uses of the crontab command. | |
OL09-00-000575 | V1R1 | OL 9 must audit all uses of the gpasswd command. | |
OL09-00-000580 | V1R1 | OL 9 must audit all uses of the newgrp command. | |
OL09-00-000585 | V1R1 | OL 9 must audit all uses of the pam_timestamp_check command. | |
OL09-00-000590 | V1R1 | OL 9 must audit all uses of the passwd command. | |
OL09-00-000595 | V1R1 | OL 9 must audit all uses of the postdrop command. | |
OL09-00-000600 | V1R1 | OL 9 must audit all uses of the postqueue command. | |
OL09-00-000605 | V1R1 | OL 9 must audit all uses of the ssh-agent command. | |
OL09-00-000610 | V1R1 | OL 9 must audit all uses of the ssh-keysign command. | |
OL09-00-000615 | V1R1 | OL 9 must audit all uses of the sudoedit command. | |
OL09-00-000620 | V1R1 | OL 9 must audit all uses of the unix_chkpwd command. | |
OL09-00-000625 | V1R1 | OL 9 must audit all uses of the userhelper command. | |
OL09-00-000630 | V1R1 | OL 9 must audit all uses of the mount command. | |
OL09-00-000635 | V1R1 | OL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. | |
OL09-00-000640 | V1R1 | OL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls. | |
OL09-00-000645 | V1R1 | OL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls. | |
OL09-00-000650 | V1R1 | OL 9 must audit all uses of the semanage command. | |
OL09-00-000655 | V1R1 | OL 9 must audit all uses of the setfiles command. | |
OL09-00-000660 | V1R1 | OL 9 must audit all uses of the setsebool command. | |
OL09-00-000665 | V1R1 | OL 9 must audit all uses of the chacl command. | |
OL09-00-000670 | V1R1 | OL 9 must audit all uses of the sudo command. | |
OL09-00-000675 | V1R1 | OL 9 must audit all uses of the usermod command. | |
OL09-00-000680 | V1R1 | OL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. | |
OL09-00-000685 | V1R1 | OL 9 must audit all uses of the delete_module system call. | |
OL09-00-000690 | V1R1 | OL 9 must audit all uses of the init_module and finit_module system calls. | |
OL09-00-000695 | V1R1 | OL 9 must audit all uses of the kmod command. | |
OL09-00-000700 | V1R1 | OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. | |
OL09-00-000705 | V1R1 | OL 9 must audit all uses of umount system calls. | |
OL09-00-000750 | V1R1 | OL 9 must enable auditing of processes that start prior to the audit daemon. | |
OL09-00-000840 | V1R1 | OL 9 must be configured so that successful/unsuccessful uses of the umount system call generate an audit record. | |
OL09-00-000845 | V1R1 | OL 9 must be configured so that successful/unsuccessful uses of the umount2 system call generate an audit record. | |
SLES-15-030050 | V1R9 | SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | |
SLES-15-030060 | V1R9 | The SUSE operating system must generate audit records for all uses of the ssh-keysign command. | |
SLES-15-030070 | V1R9 | The SUSE operating system must generate audit records for all uses of the passwd command. | |
SLES-15-030080 | V1R9 | The SUSE operating system must generate audit records for all uses of the gpasswd command. | |
SLES-15-030090 | V1R9 | The SUSE operating system must generate audit records for all uses of the newgrp command. | |
SLES-15-030100 | V1R9 | The SUSE operating system must generate audit records for all uses of the chsh command. | |
SLES-15-030110 | V1R9 | The SUSE operating system must generate audit records for all uses of the unix_chkpwd or unix2_chkpwd commands. | |
SLES-15-030120 | V1R9 | The SUSE operating system must generate audit records for all uses of the chage command. | |
SLES-15-030130 | V1R9 | The SUSE operating system must generate audit records for all uses of the crontab command. | |
SLES-15-030140 | V1R9 | The SUSE operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory. | |
SLES-15-030150 | V1R9 | The SUSE operating system must generate audit records for all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. | |
SLES-15-030190 | V1R9 | The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. | |
SLES-15-030250 | V1R9 | The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown system calls. | |
SLES-15-030290 | V1R9 | The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmodat system calls. | |
SLES-15-030330 | V1R9 | The SUSE operating system must generate audit records for all uses of the sudoedit command. | |
SLES-15-030340 | V1R9 | The SUSE operating system must generate audit records for all uses of the chfn command. | |
SLES-15-030350 | V1R9 | The SUSE operating system must generate audit records for all uses of the mount system call. | |
SLES-15-030360 | V1R9 | The SUSE operating system must generate audit records for all uses of the umount system call. | |
SLES-15-030370 | V1R9 | The SUSE operating system must generate audit records for all uses of the ssh-agent command. | |
SLES-15-030380 | V1R9 | The SUSE operating system must generate audit records for all uses of the insmod command. | |
SLES-15-030390 | V1R9 | The SUSE operating system must generate audit records for all uses of the rmmod command. | |
SLES-15-030400 | V1R9 | The SUSE operating system must generate audit records for all uses of the modprobe command. | |
SLES-15-030410 | V1R9 | The SUSE operating system must generate audit records for all uses of the kmod command. | |
SLES-15-030420 | V1R9 | The SUSE operating system must generate audit records for all uses of the chmod command. | |
SLES-15-030430 | V1R9 | The SUSE operating system must generate audit records for all uses of the setfacl command. | |
SLES-15-030440 | V1R9 | The SUSE operating system must generate audit records for all uses of the chacl command. | |
SLES-15-030450 | V1R9 | The SUSE operating system must generate audit records for all uses of the chcon command. | |
SLES-15-030460 | V1R9 | The SUSE operating system must generate audit records for all uses of the rm command. | |
SLES-15-030470 | V1R9 | The SUSE operating system must generate audit records for all modifications to the tallylog file. | |
SLES-15-030480 | V1R9 | The SUSE operating system must generate audit records for all modifications to the lastlog file. | |
SLES-15-030490 | V1R9 | The SUSE operating system must generate audit records for all uses of the passmass command. | |
SLES-15-030500 | V1R9 | The SUSE operating system must generate audit records for all uses of the usermod command. | |
SLES-15-030510 | V1R9 | The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command. | |
SLES-15-030520 | V1R9 | The SUSE operating system must generate audit records for all uses of the delete_module system call. | |
SLES-15-030530 | V1R9 | The SUSE operating system must generate audit records for all uses of the init_module and finit_module system calls. | |
SLES-15-030550 | V1R9 | The SUSE operating system must generate audit records for all uses of the su command. | |
SLES-15-030560 | V1R9 | The SUSE operating system must generate audit records for all uses of the sudo command. | |
SLES-12-020010 | V2R13 | SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | |
SLES-12-020250 | V2R13 | The SUSE operating system must generate audit records for all uses of the su command. | |
SLES-12-020260 | V2R13 | The SUSE operating system must generate audit records for all uses of the sudo command. | |
SLES-12-020280 | V2R13 | The SUSE operating system must generate audit records for all uses of the chfn command. | |
SLES-12-020290 | V2R13 | The SUSE operating system must generate audit records for all uses of the mount command. | |
SLES-12-020300 | V2R13 | The SUSE operating system must generate audit records for all uses of the umount command. | |
SLES-12-020310 | V2R13 | The SUSE operating system must generate audit records for all uses of the ssh-agent command. | |
SLES-12-020320 | V2R13 | The SUSE operating system must generate audit records for all uses of the ssh-keysign command. | |
SLES-12-020360 | V2R13 | The SUSE operating system must generate audit records for all uses of the kmod command. | |
SLES-12-020370 | V2R13 | The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr syscalls. | |
SLES-12-020420 | V2R13 | The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown syscalls. | |
SLES-12-020460 | V2R13 | The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmodat system calls. | |
SLES-12-020490 | V2R13 | The SUSE operating system must generate audit records for all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls. | |
SLES-12-020550 | V2R13 | The SUSE operating system must generate audit records for all uses of the passwd command. | |
SLES-12-020560 | V2R13 | The SUSE operating system must generate audit records for all uses of the gpasswd command. | |
SLES-12-020570 | V2R13 | The SUSE operating system must generate audit records for all uses of the newgrp command. | |
SLES-12-020580 | V2R13 | The SUSE operating system must generate audit records for all uses of the chsh command. | |
SLES-12-020600 | V2R13 | The SUSE operating system must generate audit records for all uses of the chmod command. | |
SLES-12-020610 | V2R13 | The SUSE operating system must generate audit records for all uses of the setfacl command. | |
SLES-12-020620 | V2R13 | The SUSE operating system must generate audit records for all uses of the chacl command. | |
SLES-12-020630 | V2R13 | Successful/unsuccessful attempts to modify categories of information (e.g., classification levels) must generate audit records. | |
SLES-12-020640 | V2R13 | The SUSE operating system must generate audit records for all uses of the rm command. | |
SLES-12-020650 | V2R13 | The SUSE operating system must generate audit records for all modifications to the tallylog file. | |
SLES-12-020660 | V2R13 | The SUSE operating system must generate audit records for all modifications to the lastlog file. | |
SLES-12-020670 | V2R13 | The SUSE operating system must generate audit records for all uses of the passmass command. | |
SLES-12-020680 | V2R13 | The SUSE operating system must generate audit records for all uses of the unix_chkpwd command. | |
SLES-12-020690 | V2R13 | The SUSE operating system must generate audit records for all uses of the chage command. | |
SLES-12-020700 | V2R13 | The SUSE operating system must generate audit records for all uses of the usermod command. | |
SLES-12-020710 | V2R13 | The SUSE operating system must generate audit records for all uses of the crontab command. | |
SLES-12-020720 | V2R13 | The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command. | |
SLES-12-020730 | V2R13 | The SUSE operating system must generate audit records for all uses of the delete_module command. | |
SLES-12-020740 | V2R13 | The SUSE operating system must generate audit records for all uses of the init_module and finit_module syscalls. | |
SLES-12-020760 | V2R13 | The SUSE operating system must generate audit records for all modifications to the faillog file. | |
SLES-12-020411 | V2R13 | The SUSE operating system must generate audit records for all uses of the unlink, unlinkat, rename, renameat and rmdir syscalls. | |
OL07-00-030680 | V2R14 | The Oracle Linux operating system must audit all uses of the su command. | |
OL07-00-030690 | V2R14 | The Oracle Linux operating system must audit all uses of the sudo command. | |
OL07-00-030700 | V2R14 | The Oracle Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory. | |
OL07-00-030710 | V2R14 | The Oracle Linux operating system must audit all uses of the newgrp command. | |
OL07-00-030720 | V2R14 | The Oracle Linux operating system must audit all uses of the chsh command. | |
OL08-00-030180 | V1R9 | The OL 8 audit package must be installed. | |
OL08-00-030181 | V1R9 | OL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | |
OL08-00-030190 | V1R9 | OL 8 must generate audit records for any use of the "su" command. | |
OL08-00-030200 | V1R9 | The OL 8 audit system must be configured to audit any use of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls. | |
OL08-00-030250 | V1R9 | OL 8 must generate audit records for any use of the "chage" command. | |
OL08-00-030260 | V1R9 | OL 8 must generate audit records for any uses of the "chcon" command. | |
OL08-00-030280 | V1R9 | OL 8 must generate audit records for any use of the "ssh-agent" command. | |
OL08-00-030290 | V1R9 | OL 8 must generate audit records for any use of the "passwd" command. | |
OL08-00-030300 | V1R9 | OL 8 must generate audit records for any use of the "mount" command. | |
OL08-00-030301 | V1R9 | OL 8 must generate audit records for any use of the "umount" command. | |
OL08-00-030302 | V1R9 | OL 8 must generate audit records for any use of the "mount" syscall. | |
OL08-00-030310 | V1R9 | OL 8 must generate audit records for any use of the "unix_update" command. | |
OL08-00-030311 | V1R9 | OL 8 must generate audit records for any use of the "postdrop" command. | |
OL08-00-030312 | V1R9 | OL 8 must generate audit records for any use of the "postqueue" command. | |
OL08-00-030316 | V1R9 | OL 8 must generate audit records for any use of the "setsebool" command. | |
OL08-00-030317 | V1R9 | OL 8 must generate audit records for any use of the "unix_chkpwd" command. | |
OL08-00-030320 | V1R9 | OL 8 must generate audit records for any use of the "ssh-keysign" command. | |
OL08-00-030330 | V1R9 | OL 8 must generate audit records for any use of the "setfacl" command. | |
OL08-00-030340 | V1R9 | OL 8 must generate audit records for any use of the "pam_timestamp_check" command. | |
OL08-00-030350 | V1R9 | OL 8 must generate audit records for any use of the "newgrp" command. | |
OL08-00-030360 | V1R9 | OL 8 must generate audit records for any use of the "init_module" and "finit_module" system calls. | |
OL08-00-030361 | V1R9 | OL 8 must generate audit records for any use of the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls. | |
OL08-00-030370 | V1R9 | OL 8 must generate audit records for any use of the "gpasswd" command. | |
OL08-00-030390 | V1R9 | OL 8 must generate audit records for any use of the delete_module syscall. | |
OL08-00-030400 | V1R9 | OL 8 must generate audit records for any use of the "crontab" command. | |
OL08-00-030410 | V1R9 | OL 8 must generate audit records for any use of the "chsh" command. | |
OL08-00-030420 | V1R9 | OL 8 must generate audit records for any use of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls. | |
OL08-00-030480 | V1R9 | OL 8 must generate audit records for any use of the "chown", "fchown", "fchownat", and "lchown" system calls. | |
OL08-00-030490 | V1R9 | OL 8 must generate audit records for any use of the "chmod", "fchmod", and "fchmodat" system calls. | |
OL08-00-030550 | V1R9 | OL 8 must generate audit records for any use of the "sudo" command. | |
OL08-00-030560 | V1R9 | OL 8 must generate audit records for any use of the "usermod" command. | |
OL08-00-030570 | V1R9 | OL 8 must generate audit records for any use of the "chacl" command. | |
OL08-00-030580 | V1R9 | OL 8 must generate audit records for any use of the "kmod" command. | |
OL08-00-030590 | V1R9 | OL 8 must generate audit records for any attempted modifications to the "faillock" log file. | |
OL08-00-030600 | V1R9 | OL 8 must generate audit records for any attempted modifications to the "lastlog" file. | |
OL08-00-030601 | V1R9 | OL 8 must enable auditing of processes that start prior to the audit daemon. | |
OL08-00-030602 | V1R9 | OL 8 must allocate an "audit_backlog_limit" of sufficient size to capture processes that start prior to the audit daemon. | |