| 4.1.9 Ensure login and logout events are collected - auditctl faillog | CIS Distribution Independent Linux Server L2 v2.0.0 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.9 Ensure login and logout events are collected - auditctl lastlog | CIS Distribution Independent Linux Server L2 v2.0.0 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.9 Ensure login and logout events are collected - auditctl lastlog | CIS Distribution Independent Linux Workstation L2 v2.0.0 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.9 Ensure login and logout events are collected - auditctl tallylog | CIS Distribution Independent Linux Workstation L2 v2.0.0 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.9 Ensure login and logout events are collected - faillog | CIS Distribution Independent Linux Workstation L2 v2.0.0 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.9 Ensure login and logout events are collected - lastlog | CIS Distribution Independent Linux Workstation L2 v2.0.0 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.9 Ensure login and logout events are collected - tallylog | CIS Distribution Independent Linux Workstation L2 v2.0.0 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.10 Ensure session initiation information is collected - auditctl btmp | CIS Distribution Independent Linux Server L2 v2.0.0 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.10 Ensure session initiation information is collected - auditctl btmp | CIS Distribution Independent Linux Workstation L2 v2.0.0 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.10 Ensure session initiation information is collected - auditctl utmp | CIS Distribution Independent Linux Server L2 v2.0.0 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.10 Ensure session initiation information is collected - auditctl wtmp | CIS Distribution Independent Linux Server L2 v2.0.0 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.10 Ensure session initiation information is collected - auditctl wtmp | CIS Distribution Independent Linux Workstation L2 v2.0.0 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.10 Ensure session initiation information is collected - btmp | CIS Distribution Independent Linux Server L2 v2.0.0 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.10 Ensure session initiation information is collected - wtmp | CIS Distribution Independent Linux Workstation L2 v2.0.0 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.10 Ensure session initiation information is collected - wtmp | CIS Distribution Independent Linux Server L2 v2.0.0 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.5.4 Ensure default user shell timeout is configured | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Workstation | Unix | ACCESS CONTROL |
| 5.5.4 Ensure default user shell timeout is configured | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Server | Unix | ACCESS CONTROL |
| APPL-11-000012 - The macOS system must automatically remove or disable temporary and emergency user accounts after 72 hours. | DISA STIG Apple macOS 11 v1r8 | Unix | ACCESS CONTROL |
| APPL-13-000012 - The macOS system must automatically remove or disable temporary and emergency user accounts after 72 hours. | DISA STIG Apple macOS 13 v1r5 | Unix | ACCESS CONTROL |
| Big Sur - Disable FileVault Automatic Login | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| Big Sur - Disable FileVault Automatic Login | NIST macOS Big Sur v1.4.0 - 800-53r5 High | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| Big Sur - Disable FileVault Automatic Login | NIST macOS Big Sur v1.4.0 - 800-53r5 Low | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| Big Sur - Disable FileVault Automatic Login | NIST macOS Big Sur v1.4.0 - All Profiles | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| GEN000760 - Accounts must be locked upon 35 days of inactivity. | DISA STIG AIX 6.1 v1r14 | Unix | ACCESS CONTROL |
| GEN000760 - Accounts must be locked upon 35 days of inactivity. | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit | Unix | ACCESS CONTROL |
| GEN002750 - The audit system must be configured to audit account creation - '/etc/security/audit/config USER_Create exists' | DISA STIG AIX 6.1 v1r14 | Unix | ACCESS CONTROL |
| GEN002750 - The audit system must be configured to audit account creation - 'group' | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit | Unix | ACCESS CONTROL |
| GEN002750 - The audit system must be configured to audit account creation - 'groupadd' | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit | Unix | ACCESS CONTROL |
| GEN002750 - The audit system must be configured to audit account creation - 'passwd' | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit | Unix | ACCESS CONTROL |
| GEN002751 - The audit system must be configured to audit account modification - '/etc/security/audit/config USER_Change exists' | DISA STIG AIX 6.1 v1r14 | Unix | ACCESS CONTROL |
| GEN002751 - The audit system must be configured to audit account modification - '/etc/security/audit/events USER_Change exists' | DISA STIG AIX 6.1 v1r14 | Unix | ACCESS CONTROL |
| GEN002751 - The audit system must be configured to audit account modification - 'group' | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit | Unix | ACCESS CONTROL |
| GEN002751 - The audit system must be configured to audit account modification - 'gshadow' | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit | Unix | ACCESS CONTROL |
| GEN002751 - The audit system must be configured to audit account modification - 'passwd' | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit | Unix | ACCESS CONTROL |
| GEN002751 - The audit system must be configured to audit account modification - 'shadow' | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit | Unix | ACCESS CONTROL |
| GEN002751 - The audit system must be configured to audit account modification - 'usermod' | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit | Unix | ACCESS CONTROL |
| GEN002752 - The audit system must be configured to audit account disabling - '/etc/security/audit/config USER_Change exists' | DISA STIG AIX 6.1 v1r14 | Unix | ACCESS CONTROL |
| GEN002752 - The audit system must be configured to audit account disabling - '/etc/security/audit/config USER_Locked exists' | DISA STIG AIX 6.1 v1r14 | Unix | ACCESS CONTROL |
| GEN002752 - The audit system must be configured to audit account disabling - 'User audit class assignments should be reviewed' | DISA STIG AIX 6.1 v1r14 | Unix | ACCESS CONTROL |
| GEN002752 - The audit system must be configured to audit account disabling. | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit | Unix | ACCESS CONTROL |
| GEN002753 - The audit system must be configured to audit account termination - '/etc/security/audit/config USER_Remove exists' | DISA STIG AIX 6.1 v1r14 | Unix | ACCESS CONTROL |
| GEN002753 - The audit system must be configured to audit account termination - 'groupdel' | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit | Unix | ACCESS CONTROL |
| GEN006660 - Accounts must be locked upon 35 days of inactivity. | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit | Unix | ACCESS CONTROL |
| MS.AAD.4.1v1 - Security logs SHALL be sent to the agency's security operations center for monitoring. | CISA SCuBA Microsoft 365 Entra ID v1.5.0 | microsoft_azure | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| MS.DEFENDER.6.1v1 - Microsoft Purview Audit (Standard) logging SHALL be enabled. | CISA SCuBA Microsoft 365 Defender v1.5.0 | microsoft_azure | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| OL08-00-020270 - OL 8 must automatically expire temporary accounts within 72 hours. | DISA Oracle Linux 8 STIG v2r4 | Unix | ACCESS CONTROL |
| SLES-12-020230 - The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. | DISA SLES 12 STIG v3r2 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| SLES-15-020061 - The SUSE operating system must automatically expire temporary accounts within 72 hours. | DISA SUSE Linux Enterprise Server 15 STIG v2r4 | Unix | ACCESS CONTROL |
| SLES-15-030000 - The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. | DISA SUSE Linux Enterprise Server 15 STIG v2r4 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| WN11-AU-000040 - The system must be configured to audit Account Management - User Account Management successes. | DISA Microsoft Windows 11 STIG v2r3 | Windows | ACCESS CONTROL |
