STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← MA-4 (1) — Nonlocal Maintenance

CCI-002884

Definition

Log organization-defined audit events for nonlocal maintenance and diagnostic sessions.

Parent Control

MA-4 (1)Nonlocal MaintenanceMaintenance

Linked STIG Checks (200)

V-274017CAT IIAmazon Linux 2023 must have the audit package installed.Amazon Linux 2023 Security Technical Implementation Guide V-274018CAT IIAmazon Linux 2023 must produce audit records containing information to establish what type of events occurred.Amazon Linux 2023 Security Technical Implementation Guide V-274081CAT IIAmazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.Amazon Linux 2023 Security Technical Implementation Guide V-274082CAT IIAmazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.Amazon Linux 2023 Security Technical Implementation Guide V-274083CAT IIAmazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.Amazon Linux 2023 Security Technical Implementation Guide V-274084CAT IIAmazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.Amazon Linux 2023 Security Technical Implementation Guide V-274085CAT IIAmazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.Amazon Linux 2023 Security Technical Implementation Guide V-274087CAT IIAmazon Linux 2023 must audit all uses of the chmod, fchmod, and fchmodat system calls.Amazon Linux 2023 Security Technical Implementation Guide V-274088CAT IIAmazon Linux 2023 must audit all uses of the chown, fchown, fchownat, and lchown system calls.Amazon Linux 2023 Security Technical Implementation Guide V-274089CAT IIAmazon Linux 2023 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.Amazon Linux 2023 Security Technical Implementation Guide V-274090CAT IIAmazon Linux 2023 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.Amazon Linux 2023 Security Technical Implementation Guide V-274091CAT IIAmazon Linux 2023 must audit all uses of the init_module and finit_module system calls.Amazon Linux 2023 Security Technical Implementation Guide V-274092CAT IIAmazon Linux 2023 must audit all uses of the create_module system call.Amazon Linux 2023 Security Technical Implementation Guide V-274093CAT IIAmazon Linux 2023 must audit all uses of the kmod command.Amazon Linux 2023 Security Technical Implementation Guide V-274094CAT IIAmazon Linux 2023 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.Amazon Linux 2023 Security Technical Implementation Guide V-274095CAT IIAmazon Linux 2023 must audit all uses of the chcon command.Amazon Linux 2023 Security Technical Implementation Guide V-274096CAT IIAmazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock.Amazon Linux 2023 Security Technical Implementation Guide V-274097CAT IIAmazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.Amazon Linux 2023 Security Technical Implementation Guide V-274104CAT IIAmazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.Amazon Linux 2023 Security Technical Implementation Guide V-274105CAT IIAmazon Linux 2023 must audit all successful/unsuccessful uses of the chage command.Amazon Linux 2023 Security Technical Implementation Guide V-274112CAT IIAmazon Linux 2023 must audit all uses of the sudo command.Amazon Linux 2023 Security Technical Implementation Guide V-274113CAT IIAmazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.Amazon Linux 2023 Security Technical Implementation Guide V-274114CAT IIAmazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.Amazon Linux 2023 Security Technical Implementation Guide V-274167CAT IIAmazon Linux 2023 must enable auditing of processes that start prior to the audit daemon.Amazon Linux 2023 Security Technical Implementation Guide V-268091CAT IINixOS must generate audit records for all usage of privileged commands.Anduril NixOS Security Technical Implementation Guide V-252462CAT IIThe macOS system must generate audit records for all account creations, modifications, disabling, and termination events; privileged activities or other system-level access; all kernel module load, unload, and restart actions; all program initiations; and organizationally defined events for all non-local maintenance and diagnostic sessions.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-257168CAT IIThe macOS system must generate audit records for all account creations, modifications, disabling, and termination events; privileged activities or other system-level access; all kernel module load, unload, and restart actions; all program initiations; and organizationally defined events for all nonlocal maintenance and diagnostic sessions.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-268452CAT IIThe macOS system must be configured to audit all administrative action events.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268453CAT IIThe macOS system must be configured to audit all login and logout events.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268454CAT IIThe macOS system must enable security auditing.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268462CAT IIThe macOS system must be configured to audit all deletions of object attributes.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268463CAT IIThe macOS system must be configured to audit all changes of object attributes.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268464CAT IIThe macOS system must be configured to audit all failed read actions on the system.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268465CAT IIThe macOS system must be configured to audit all failed write actions on the system.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268470CAT IIThe macOS system must be configured to audit all authorization and authentication events.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-277060CAT IIThe macOS system must be configured to audit all administrative action events.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277061CAT IIThe macOS system must be configured to audit all login and logout events.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277062CAT IIThe macOS system must enable security auditing.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277069CAT IIThe macOS system must be configured to audit all deletions of object attributes.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277070CAT IIThe macOS system must be configured to audit all changes of object attributes.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277071CAT IIThe macOS system must be configured to audit all failed read actions on the system.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277072CAT IIThe macOS system must be configured to audit all failed write actions on the system.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277077CAT IIThe macOS system must be configured to audit all authorization and authentication events.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-222561CAT IIApplications used for non-local maintenance sessions must audit non-local maintenance and diagnostic sessions for organization-defined auditable events.Application Security and Development Security Technical Implementation Guide V-219225CAT IIThe Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time.Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide V-238309CAT IIThe Ubuntu operating system must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions and other system-level access.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-260649CAT IIUbuntu 22.04 LTS must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions and other system-level access.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-270740CAT IIUbuntu 24.04 LTS must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions, and other system-level access.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-269129CAT IIAlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269130CAT IIAlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269131CAT IIAlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269132CAT IIAlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269133CAT IIAlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269134CAT IIAlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269135CAT IIAlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect the files within /etc/sudoers.d/Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269467CAT IIAlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269469CAT IIThe audit package must be installed on AlmaLinux OS 9.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269470CAT IIAlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269471CAT IIAlmaLinux OS 9 must generate audit records for any use of the "mount" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269472CAT IIAlmaLinux OS 9 must generate audit records for any use of the "umount" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269473CAT IISuccessful/unsuccessful uses of the umount2 system call in AlmaLinux OS 9 must generate an audit record.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269474CAT IIAlmaLinux OS 9 must enable auditing of processes that start prior to the audit daemon.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269475CAT IIAlmaLinux OS 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269476CAT IIAlmaLinux OS 9 must generate audit records for any use of the "chacl" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269477CAT IIAlmaLinux OS 9 must generate audit records for any use of the "chage" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269478CAT IIAlmaLinux OS 9 must generate audit records for any use of the "chcon" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269479CAT IIAlmaLinux OS 9 must audit all uses of the chmod, fchmod, and fchmodat system calls.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269480CAT IIAlmaLinux OS 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269481CAT IIAlmaLinux OS 9 must generate audit records for any use of the "chsh" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269482CAT IIAlmaLinux OS 9 must generate audit records for any use of the "crontab" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269483CAT IIAlmaLinux OS 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269485CAT IIAlmaLinux OS 9 must generate audit records for any use of the "gpasswd" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269486CAT IIAlmaLinux OS 9 must audit all uses of the kmod command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269487CAT IIAlmaLinux OS 9 must generate audit records for any use of the "newgrp" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269488CAT IIAlmaLinux OS 9 must generate audit records for any use of the "passwd" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269489CAT IIAlmaLinux OS 9 must generate audit records for any use of the "postdrop" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269490CAT IIAlmaLinux OS 9 must generate audit records for any use of the "postqueue" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269491CAT IIAlmaLinux OS 9 must generate audit records for any use of the "su" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269492CAT IIAlmaLinux OS 9 must generate audit records for any use of the "sudo" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269493CAT IIAlmaLinux OS 9 must generate audit records for any use of the "semanage" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269494CAT IIAlmaLinux OS 9 must generate audit records for any use of the "setfacl" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269495CAT IIAlmaLinux OS 9 must generate audit records for any use of the "setfiles" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269496CAT IIAlmaLinux OS 9 must generate audit records for any use of the "setsebool" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269497CAT IIAlmaLinux OS 9 must generate audit records for any use of the "ssh-agent" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269498CAT IIAlmaLinux OS 9 must generate audit records for any use of the "ssh-keysign" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269499CAT IIAlmaLinux OS 9 must generate audit records for any use of the "sudoedit" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269500CAT IIAlmaLinux OS 9 must generate audit records for any use of the "pam_timestamp_check" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269501CAT IIAlmaLinux OS 9 must generate audit records for any use of the "unix_chkpwd" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269502CAT IIAlmaLinux OS 9 must generate audit records for any use of the "unix_update" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269503CAT IIAlmaLinux OS 9 must generate audit records for any use of the "userhelper" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269504CAT IIAlmaLinux OS 9 must generate audit records for any use of the "usermod" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269505CAT IIAlmaLinux OS 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269532CAT IIThe auditd service must be enabled on AlmaLinux OS 9.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-233206CAT IIThe container platform must audit non-local maintenance and diagnostic sessions' organization-defined audit events associated with non-local maintenance.Container Platform Security Requirements Guide V-203735CAT IIThe operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions.General Purpose Operating System Security Requirements Guide V-255249CAT IIISSMC must provide audit record generation capability for DOD-defined auditable events for all operating system components.HPE 3PAR SSMC Operating System Security Technical Implementation Guide V-215246CAT IIAIX must provide audit record generation functionality for DoD-defined auditable events.IBM AIX 7.x Security Technical Implementation Guide V-223517CAT IIIBM z/OS SMF recording options for the FTP Server must be configured to write SMF records for all eligible events.IBM z/OS ACF2 Security Technical Implementation Guide V-223544CAT IIIBM z/OS Required SMF data record types must be collected.IBM z/OS ACF2 Security Technical Implementation Guide V-223586CAT IIIBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events.IBM z/OS ACF2 Security Technical Implementation Guide V-223609CAT IIIBM z/OS SMF recording options for the TN3270 Telnet Server must be properly specified.IBM z/OS ACF2 Security Technical Implementation Guide V-223653CAT IIIBM RACF SETROPTS LOGOPTIONS must be properly configured.IBM z/OS RACF Security Technical Implementation Guide V-223733CAT IIIBM z/OS SMF recording options for the FTP Server must be configured to write SMF records for all eligible events.IBM z/OS RACF Security Technical Implementation Guide V-223759CAT IIIBM z/OS SMF recording options for the TN3270 Telnet Server must be properly specified.IBM z/OS RACF Security Technical Implementation Guide V-223767CAT IIIBM z/OS required SMF data record types must be collected.IBM z/OS RACF Security Technical Implementation Guide V-223806CAT IIIBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events.IBM z/OS RACF Security Technical Implementation Guide V-223974CAT IIIBM z/OS SMF recording options for the FTP server must be configured to write SMF records for all eligible events.IBM z/OS TSS Security Technical Implementation Guide V-223998CAT IIIBM z/OS required SMF data record types must be collected.IBM z/OS TSS Security Technical Implementation Guide V-224054CAT IIIBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events.IBM z/OS TSS Security Technical Implementation Guide V-224066CAT IIIBM z/OS SMF recording options for the TN3270 Telnet server must be properly specified.IBM z/OS TSS Security Technical Implementation Guide V-205578CAT IIMainframe Products must audit nonlocal maintenance and diagnostic sessions audit events as defined in site security plan.Mainframe Product Security Requirements Guide V-254223CAT IINutanix AOS must audit all activities performed during nonlocal maintenance and diagnostic sessions.Nutanix AOS 5.20.x OS Security Technical Implementation Guide V-279614CAT IINutanix OS must audit all activities performed during nonlocal maintenance and diagnostic sessions.Nutanix Acropolis GPOS Security Technical Implementation Guide V-221792CAT IIThe Oracle Linux operating system must audit all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls.Oracle Linux 7 Security Technical Implementation Guide V-221797CAT IIThe Oracle Linux operating system must audit all uses of the semanage command.Oracle Linux 7 Security Technical Implementation Guide V-221798CAT IIThe Oracle Linux operating system must audit all uses of the setsebool command.Oracle Linux 7 Security Technical Implementation Guide V-221799CAT IIThe Oracle Linux operating system must audit all uses of the chcon command.Oracle Linux 7 Security Technical Implementation Guide V-221800CAT IIThe Oracle Linux operating system must audit all uses of the setfiles command.Oracle Linux 7 Security Technical Implementation Guide V-221801CAT IIThe Oracle Linux operating system must generate audit records for all unsuccessful account access events.Oracle Linux 7 Security Technical Implementation Guide V-221802CAT IIThe Oracle Linux operating system must generate audit records for all successful account access events.Oracle Linux 7 Security Technical Implementation Guide V-221813CAT IIThe Oracle Linux operating system must audit all uses of the mount command and syscall.Oracle Linux 7 Security Technical Implementation Guide V-221833CAT IIThe Oracle Linux operating system must audit all uses of the unlink, unlinkat, rename, renameat, and rmdir syscalls.Oracle Linux 7 Security Technical Implementation Guide V-248519CAT IIThe OL 8 audit package must be installed.Oracle Linux 8 Security Technical Implementation Guide V-248520CAT IIOL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.Oracle Linux 8 Security Technical Implementation Guide V-248740CAT IIOL 8 must generate audit records for all account creation events that affect "/etc/shadow".Oracle Linux 8 Security Technical Implementation Guide V-248741CAT IIOL 8 must generate audit records for all account creation events that affect "/etc/security/opasswd".Oracle Linux 8 Security Technical Implementation Guide V-248742CAT IIOL 8 must generate audit records for all account creation events that affect "/etc/passwd".Oracle Linux 8 Security Technical Implementation Guide V-248743CAT IIOL 8 must generate audit records for all account creation events that affect "/etc/gshadow".Oracle Linux 8 Security Technical Implementation Guide V-248744CAT IIOL 8 must generate audit records for all account creation events that affect "/etc/group".Oracle Linux 8 Security Technical Implementation Guide V-248745CAT IIOL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".Oracle Linux 8 Security Technical Implementation Guide V-248746CAT IIOL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/".Oracle Linux 8 Security Technical Implementation Guide V-248747CAT IIOL 8 must generate audit records for any use of the "su" command.Oracle Linux 8 Security Technical Implementation Guide V-248748CAT IIThe OL 8 audit system must be configured to audit any use of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls.Oracle Linux 8 Security Technical Implementation Guide V-248753CAT IIOL 8 must generate audit records for any use of the "chage" command.Oracle Linux 8 Security Technical Implementation Guide V-248754CAT IIOL 8 must generate audit records for any uses of the "chcon" command.Oracle Linux 8 Security Technical Implementation Guide V-248756CAT IIOL 8 must generate audit records for any use of the "ssh-agent" command.Oracle Linux 8 Security Technical Implementation Guide V-248757CAT IIOL 8 must generate audit records for any use of the "passwd" command.Oracle Linux 8 Security Technical Implementation Guide V-248758CAT IIOL 8 must generate audit records for any use of the "mount" command.Oracle Linux 8 Security Technical Implementation Guide V-248759CAT IIOL 8 must generate audit records for any use of the "umount" command.Oracle Linux 8 Security Technical Implementation Guide V-248760CAT IIOL 8 must generate audit records for any use of the "mount" syscall.Oracle Linux 8 Security Technical Implementation Guide V-248761CAT IIOL 8 must generate audit records for any use of the "unix_update" command.Oracle Linux 8 Security Technical Implementation Guide V-248762CAT IIOL 8 must generate audit records for any use of the "postdrop" command.Oracle Linux 8 Security Technical Implementation Guide V-248763CAT IIOL 8 must generate audit records for any use of the "postqueue" command.Oracle Linux 8 Security Technical Implementation Guide V-248767CAT IIOL 8 must generate audit records for any use of the "setsebool" command.Oracle Linux 8 Security Technical Implementation Guide V-248768CAT IIOL 8 must generate audit records for any use of the "unix_chkpwd" command.Oracle Linux 8 Security Technical Implementation Guide V-248769CAT IIOL 8 must generate audit records for any use of the "ssh-keysign" command.Oracle Linux 8 Security Technical Implementation Guide V-248770CAT IIOL 8 must generate audit records for any use of the "setfacl" command.Oracle Linux 8 Security Technical Implementation Guide V-248771CAT IIOL 8 must generate audit records for any use of the "pam_timestamp_check" command.Oracle Linux 8 Security Technical Implementation Guide V-248772CAT IIOL 8 must generate audit records for any use of the "newgrp" command.Oracle Linux 8 Security Technical Implementation Guide V-248773CAT IIOL 8 must generate audit records for any use of the "init_module" and "finit_module" system calls.Oracle Linux 8 Security Technical Implementation Guide V-248774CAT IIOL 8 must generate audit records for any use of the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls.Oracle Linux 8 Security Technical Implementation Guide V-248779CAT IIOL 8 must generate audit records for any use of the "gpasswd" command.Oracle Linux 8 Security Technical Implementation Guide V-248781CAT IIOL 8 must generate audit records for any use of the delete_module syscall.Oracle Linux 8 Security Technical Implementation Guide V-248782CAT IIOL 8 must generate audit records for any use of the "crontab" command.Oracle Linux 8 Security Technical Implementation Guide V-248783CAT IIOL 8 must generate audit records for any use of the "chsh" command.Oracle Linux 8 Security Technical Implementation Guide V-248784CAT IIOL 8 must generate audit records for any use of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls.Oracle Linux 8 Security Technical Implementation Guide V-248790CAT IIOL 8 must generate audit records for any use of the "chown", "fchown", "fchownat", and "lchown" system calls.Oracle Linux 8 Security Technical Implementation Guide V-248791CAT IIOL 8 must generate audit records for any use of the "chmod", "fchmod", and "fchmodat" system calls.Oracle Linux 8 Security Technical Implementation Guide V-248797CAT IIOL 8 must generate audit records for any use of the "sudo" command.Oracle Linux 8 Security Technical Implementation Guide V-248798CAT IIOL 8 must generate audit records for any use of the "usermod" command.Oracle Linux 8 Security Technical Implementation Guide V-248799CAT IIOL 8 must generate audit records for any use of the "chacl" command.Oracle Linux 8 Security Technical Implementation Guide V-248800CAT IIOL 8 must generate audit records for any use of the "kmod" command.Oracle Linux 8 Security Technical Implementation Guide V-248801CAT IIOL 8 must generate audit records for any attempted modifications to the "faillock" log file.Oracle Linux 8 Security Technical Implementation Guide V-248802CAT IIOL 8 must generate audit records for any attempted modifications to the "lastlog" file.Oracle Linux 8 Security Technical Implementation Guide V-248803CAT IIOL 8 must enable auditing of processes that start prior to the audit daemon.Oracle Linux 8 Security Technical Implementation Guide V-248804CAT IIIOL 8 must allocate an "audit_backlog_limit" of sufficient size to capture processes that start prior to the audit daemon.Oracle Linux 8 Security Technical Implementation Guide V-271519CAT IIOL 9 must have the audit package installed.Oracle Linux 9 Security Technical Implementation Guide V-271520CAT IIOL 9 audit service must be enabled.Oracle Linux 9 Security Technical Implementation Guide V-271527CAT IIOL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.Oracle Linux 9 Security Technical Implementation Guide V-271528CAT IIOL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.Oracle Linux 9 Security Technical Implementation Guide V-271529CAT IIOL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.Oracle Linux 9 Security Technical Implementation Guide V-271530CAT IIOL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.Oracle Linux 9 Security Technical Implementation Guide V-271531CAT IIOL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.Oracle Linux 9 Security Technical Implementation Guide V-271532CAT IIOL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.Oracle Linux 9 Security Technical Implementation Guide V-271533CAT IIOL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.Oracle Linux 9 Security Technical Implementation Guide V-271534CAT IIOL 9 must audit all uses of the unix_update command.Oracle Linux 9 Security Technical Implementation Guide V-271535CAT IIOL 9 must audit all uses of the su command.Oracle Linux 9 Security Technical Implementation Guide V-271536CAT IIOL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.Oracle Linux 9 Security Technical Implementation Guide V-271537CAT IIOL 9 must audit all uses of the chage command.Oracle Linux 9 Security Technical Implementation Guide V-271538CAT IIOL 9 must audit all uses of the chcon command.Oracle Linux 9 Security Technical Implementation Guide V-271539CAT IIOL 9 must audit all uses of the setfacl command.Oracle Linux 9 Security Technical Implementation Guide V-271540CAT IIOL 9 must audit all uses of the chsh command.Oracle Linux 9 Security Technical Implementation Guide V-271541CAT IIOL 9 must audit all uses of the crontab command.Oracle Linux 9 Security Technical Implementation Guide V-271542CAT IIOL 9 must audit all uses of the gpasswd command.Oracle Linux 9 Security Technical Implementation Guide V-271543CAT IIOL 9 must audit all uses of the newgrp command.Oracle Linux 9 Security Technical Implementation Guide V-271544CAT IIOL 9 must audit all uses of the pam_timestamp_check command.Oracle Linux 9 Security Technical Implementation Guide V-271545CAT IIOL 9 must audit all uses of the passwd command.Oracle Linux 9 Security Technical Implementation Guide V-271546CAT IIOL 9 must audit all uses of the postdrop command.Oracle Linux 9 Security Technical Implementation Guide V-271547CAT IIOL 9 must audit all uses of the postqueue command.Oracle Linux 9 Security Technical Implementation Guide V-271548CAT IIOL 9 must audit all uses of the ssh-agent command.Oracle Linux 9 Security Technical Implementation Guide V-271549CAT IIOL 9 must audit all uses of the ssh-keysign command.Oracle Linux 9 Security Technical Implementation Guide V-271550CAT IIOL 9 must audit all uses of the sudoedit command.Oracle Linux 9 Security Technical Implementation Guide V-271551CAT IIOL 9 must audit all uses of the unix_chkpwd command.Oracle Linux 9 Security Technical Implementation Guide V-271552CAT IIOL 9 must audit all uses of the userhelper command.Oracle Linux 9 Security Technical Implementation Guide V-271553CAT IIOL 9 must audit all uses of the mount command.Oracle Linux 9 Security Technical Implementation Guide V-271554CAT IIOL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.Oracle Linux 9 Security Technical Implementation Guide V-271555CAT IIOL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls.Oracle Linux 9 Security Technical Implementation Guide V-271556CAT IIOL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls.Oracle Linux 9 Security Technical Implementation Guide V-271557CAT IIOL 9 must audit all uses of the semanage command.Oracle Linux 9 Security Technical Implementation Guide V-271558CAT IIOL 9 must audit all uses of the setfiles command.Oracle Linux 9 Security Technical Implementation Guide