STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← CM-3 (5) — Configuration Change Control

CCI-001744

Definition

Implement organization-defined security responses automatically if baseline configurations are changed in an unauthorized manner.

Parent Control

CM-3 (5)Configuration Change ControlConfiguration Management

Linked STIG Checks (79)

V-274024CAT IIAmazon Linux 2023 must have the Advanced Intrusion Detection Environment (AIDE) package installed.Amazon Linux 2023 Security Technical Implementation Guide V-274025CAT IIAmazon Linux 2023 must routinely check the baseline configuration for unauthorized changes and notify the system administrator (SA) when anomalies in the operation of any security functions are discovered.Amazon Linux 2023 Security Technical Implementation Guide V-274031CAT IIAmazon Linux 2023 must have the s-nail package installed.Amazon Linux 2023 Security Technical Implementation Guide V-268153CAT IINixOS must notify designated personnel if baseline configurations are changed in an unauthorized manner.Anduril NixOS Security Technical Implementation Guide V-219338CAT IIThe Ubuntu operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered.Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide V-260584CAT IIUbuntu 22.04 LTS must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-270652CAT IIUbuntu 24.04 LTS must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the system administrator (SA) when changes to the baseline configuration or anomalies in the operation of any security functions are discovered.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-269160CAT IIAlmaLinux OS 9 must have the s-nail package installed.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269456CAT IIAlmaLinux OS 9 must have the Advanced Intrusion Detection Environment (AIDE) package installed.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269457CAT IIAlmaLinux OS 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-229006CAT IIThe BIG-IP appliance must be configured to implement automated security responses if baseline configurations are changed in an unauthorized manner.F5 BIG-IP Device Management Security Technical Implementation Guide V-203717CAT IIThe operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner.General Purpose Operating System Security Requirements Guide V-65157CAT IIThe DataPower Gateway must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.IBM DataPower Network Device Management Security Technical Implementation Guide V-223574CAT IIIBM z/OS system administrator must develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner.IBM z/OS ACF2 Security Technical Implementation Guide V-223800CAT IIIBM z/OS system administrator must develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner.IBM z/OS RACF Security Technical Implementation Guide V-224038CAT IIIBM z/OS system administrator must develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner.IBM z/OS TSS Security Technical Implementation Guide V-259735CAT IIIBM Security zSecure must implement organization-defined automated security responses if baseline zSecure configurations are changed in an unauthorized manner.IBM zSecure Suite Security Technical Implementation Guide V-205565CAT IIThe Mainframe Product must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.Mainframe Product Security Requirements Guide V-224840CAT IISystem files must be monitored for unauthorized changes.Microsoft Windows Server 2016 Security Technical Implementation Guide V-205803CAT IIWindows Server 2019 system files must be monitored for unauthorized changes.Microsoft Windows Server 2019 Security Technical Implementation Guide V-254259CAT IIWindows Server 2022 system files must be monitored for unauthorized changes.Microsoft Windows Server 2022 Security Technical Implementation Guide V-278006CAT IIWindows Server 2025 system files must be monitored for unauthorized changes.Microsoft Windows Server 2025 Security Technical Implementation Guide V-254188CAT IINutanix AOS must notify designated personnel if baseline configurations are changed in an unauthorized manner.Nutanix AOS 5.20.x OS Security Technical Implementation Guide V-221708CAT IIThe Oracle Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.Oracle Linux 7 Security Technical Implementation Guide V-221709CAT IIThe Oracle Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.Oracle Linux 7 Security Technical Implementation Guide V-256977CAT IIThe Oracle Linux operating system must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.Oracle Linux 7 Security Technical Implementation Guide V-248573CAT IIThe OL 8 file integrity tool must notify the system administrator (SA) when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.Oracle Linux 8 Security Technical Implementation Guide V-256979CAT IIOL 8 must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.Oracle Linux 8 Security Technical Implementation Guide V-271495CAT IIOL 9 must have the s-nail package installed.Oracle Linux 9 Security Technical Implementation Guide V-271496CAT IIOL 9 must have the Advanced Intrusion Detection Environment (AIDE) package installed.Oracle Linux 9 Security Technical Implementation Guide V-271497CAT IIOL 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator (SA) when anomalies in the operation of any security functions are discovered.Oracle Linux 9 Security Technical Implementation Guide V-280954CAT IIRHEL 10 must have the "s-nail" package installed.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-280980CAT IIRHEL 10 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-204445CAT IIThe Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-204446CAT IIThe Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-256970CAT IIThe Red Hat Enterprise Linux operating system must be configured to allow sending email notifications of configuration changes and adverse events to designated personnel.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-230263CAT IIThe RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-256974CAT IIRHEL 8 must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-257842CAT IIRHEL 9 must have the s-nail package installed.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258134CAT IIRHEL 9 must have the AIDE package installed.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258135CAT IIRHEL 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-275671CAT IIUbuntu OS must notify designated personnel if baseline configurations are changed in an unauthorized manner.Riverbed NetIM OS Security Technical Implementation Guide V-256981CAT IIThe SUSE operating system must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.SLES 12 Security Technical Implementation Guide V-261403CAT IISLEM 5 must use a file integrity tool to verify correct operation of all security functions.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide V-261407CAT IIAdvanced Intrusion Detection Environment (AIDE) must verify the baseline SLEM 5 configuration at least weekly.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide V-217148CAT IIAdvanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-256981CAT IIThe SUSE operating system must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-219970CAT IIThe operating system must employ automated mechanisms, per organization-defined frequency, to detect the addition of unauthorized components/devices into the operating system.Solaris 11 SPARC Security Technical Implementation Guide V-219998CAT IIThe operating system must employ automated mechanisms, per organization-defined frequency, to detect the addition of unauthorized components/devices into the operating system.Solaris 11 X86 Security Technical Implementation Guide V-234032CAT IITanium must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.Tanium 7.3 Security Technical Implementation Guide V-241163CAT IITrend Deep Security must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.Trend Micro Deep Security 9.x Security Technical Implementation Guide V-252929CAT IIThe TOSS file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide V-282578CAT IITOSS 5 must have the s-nail package installed.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282579CAT IITOSS 5 must have the Advanced Intrusion Detection Environment (AIDE) package installed.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282580CAT IITOSS 5 must routinely check the baseline configuration for unauthorized changes and notify the system administrator (SA) when anomalies in the operation of any security functions are discovered.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-239605CAT IIThe SLES for vRealize must notify designated personnel if baseline configurations are changed in an unauthorized manner.VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide V-256490CAT IIThe Photon operating system must have the auditd service running.VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide V-256340CAT IIvCenter must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.VMware vSphere 7.0 vCenter Security Technical Implementation Guide V-258808CAT IIThe Photon operating system must enable the auditd service.VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide V-258926CAT IIThe vCenter server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.VMware vSphere 8.0 vCenter Security Technical Implementation Guide V-207469CAT IIThe VMM must notify designated personnel if baseline configurations are changed in an unauthorized manner.Virtual Machine Manager Security Requirements Guide V-73265CAT IISystem files must be monitored for unauthorized changes.Windows Server 2016 Security Technical Implementation Guide V-73265CAT IISystem files must be monitored for unauthorized changes.Windows Server 2016 Security Technical Implementation Guide V-93203CAT IIWindows Server 2019 system files must be monitored for unauthorized changes.Windows Server 2019 Security Technical Implementation Guide V-224107CAT IIBMC CONTROL-D security exits are not installed or configured properly.z/OS BMC CONTROL-D for ACF2 Security Technical Implementation Guide V-224389CAT IIBMC CONTROL-D security exits are not installed or configured properly.z/OS BMC CONTROL-D for RACF Security Technical Implementation Guide V-224579CAT IIBMC CONTROL-D security exits are not installed or configured properly.z/OS BMC CONTROL-D for TSS Security Technical Implementation Guide V-224113CAT IIBMC CONTROL-M security exits are not installed or configured properly.z/OS BMC CONTROL-M for ACF2 Security Technical Implementation Guide V-224396CAT IIBMC CONTROL-M security exits are not installed or configured properly.z/OS BMC CONTROL-M for RACF Security Technical Implementation Guide V-224125CAT IIBMC CONTROL-O security exits are not installed or configured properly.z/OS BMC CONTROL-O for ACF2 Security Technical Implementation Guide V-224409CAT IIBMC CONTROL-O security exits are not installed or configured properly.z/OS BMC CONTROL-O for RACF Security Technical Implementation Guide V-224591CAT IIBMC CONTROL-O security exits are not installed or configured properly.z/OS BMC CONTROL-O for TSS Security Technical Implementation Guide V-224243CAT IIBMC IOA security exits are not installed or configured properly.z/OS BMC IOA for ACF2 Security Technical Implementation Guide V-224415CAT IIBMC IOA security exits are not installed or configured properly.z/OS BMC IOA for RACF Security Technical Implementation Guide V-224598CAT IIBMC IOA security exits are not installed or configured properly.z/OS BMC IOA for TSS Security Technical Implementation Guide V-224257CAT IICA 1 Tape Management user exits, when in use, must be reviewed and/or approved.z/OS CA 1 Tape Management for ACF2 Security Technical Implementation Guide V-224449CAT IICA 1 Tape Management user exits, when in use, must be reviewed and/or approved.z/OS CA 1 Tape Management for RACF Security Technical Implementation Guide V-224637CAT IICA 1 Tape Management user exits, when in use, must be reviewed and/or approved.z/OS CA 1 Tape Management for TSS Security Technical Implementation Guide V-224568CAT IIBMC CONTROL-M security exits are not installed or configured properly.zOS BMC CONTROL-M for TSS Security Technical Implementation Guide