800-53|CM-5(1)

Title

AUTOMATED ACCESS ENFORCEMENT / AUDITING

Description

The information system enforces access restrictions and supports auditing of the enforcement actions.

Reference Item Details

Related: AU-12,AU-2,AU-6,CM-3,CM-6

Category: CONFIGURATION MANAGEMENT

Parent Title: ACCESS RESTRICTIONS FOR CHANGE

Family: CONFIGURATION MANAGEMENT

Baseline Impact: HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.4.4 Ensure boot loader does not allow removable mediaUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.6.1.10 Ensure system device files are labeled - device_tUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.6.1.10 Ensure system device files are labeled - unlabeled_tUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
2.2.21 Ensure the TFTP server has not been installed - TFTP server package installed if not required for operational support.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.2.2.6 Ensure rsyslog imudp and imrelp aren't loaded.UnixCIS Amazon Linux 2 STIG v1.0.0 L3
5.3.30 Ensure SSH does not permit GSSAPI - GSSAPI authentication unless needed.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.3.31 Ensure SSH does not permit Kerberos authenticationUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.5.9 Ensure local interactive user accounts umask is 077UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
AADC-CL-000840 - Adobe Acrobat Pro DC Classic privileged file and folder locations must be disabled.WindowsDISA STIG Adobe Acrobat Pro DC Classic Track v2r1
AADC-CL-001325 - Adobe Acrobat Pro DC Classic privileged host locations must be disabled.WindowsDISA STIG Adobe Acrobat Pro DC Classic Track v2r1
AADC-CN-000840 - Adobe Acrobat Pro DC Continuous privileged file and folder locations must be disabled.WindowsDISA STIG Adobe Acrobat Pro DC Continuous Track v2r1
AADC-CN-001325 - Adobe Acrobat Pro DC Continuous privileged host locations must be disabled.WindowsDISA STIG Adobe Acrobat Pro DC Continuous Track v2r1
ADBP-XI-000840 - Adobe Acrobat Pro XI privileged file and folder locations must be disabled.WindowsDISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001325 - Adobe Acrobat Pro XI privileged site locations must be disabled.WindowsDISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001330 - Adobe Acrobat Pro XI privileged host locations must be disabled.WindowsDISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001335 - Adobe Acrobat Pro XI certified document trust must be disabled.WindowsDISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
AIX7-00-002016 - AIX must provide audit record generation functionality for DoD-defined auditable events - /etc/groupUnixDISA STIG AIX 7.x v2r5
AIX7-00-002016 - AIX must provide audit record generation functionality for DoD-defined auditable events - /etc/security/audit/configUnixDISA STIG AIX 7.x v2r5
AIX7-00-002016 - AIX must provide audit record generation functionality for DoD-defined auditable events - /etc/security/environUnixDISA STIG AIX 7.x v2r5
AIX7-00-002016 - AIX must provide audit record generation functionality for DoD-defined auditable events - /etc/security/groupUnixDISA STIG AIX 7.x v2r5
AIX7-00-002016 - AIX must provide audit record generation functionality for DoD-defined auditable events - /etc/security/limitsUnixDISA STIG AIX 7.x v2r5
AIX7-00-002016 - AIX must provide audit record generation functionality for DoD-defined auditable events - /etc/security/login.cfgUnixDISA STIG AIX 7.x v2r5
AIX7-00-002016 - AIX must provide audit record generation functionality for DoD-defined auditable events - /etc/security/passwd readUnixDISA STIG AIX 7.x v2r5
AIX7-00-002016 - AIX must provide audit record generation functionality for DoD-defined auditable events - /etc/security/passwd writeUnixDISA STIG AIX 7.x v2r5
AIX7-00-002016 - AIX must provide audit record generation functionality for DoD-defined auditable events - /etc/security/userUnixDISA STIG AIX 7.x v2r5
AIX7-00-002107 - AIX must disable Kerberos Authentication in ssh config file to enforce access restrictions.UnixDISA STIG AIX 7.x v2r5
AIX7-00-002133 - AIX must be configured to use syslogd to log events by TCPD.UnixDISA STIG AIX 7.x v2r5
AIX7-00-003022 - AIX must disable trivial file transfer protocol.UnixDISA STIG AIX 7.x v2r5
AOSX-13-000554 - The macOS system must not have a guest account - Guest accountUnixDISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000554 - The macOS system must not have a guest account - Guest fdesetupUnixDISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-002110 - The macOS system must audit the enforcement actions used to restrict access associated with changes to the system.UnixDISA STIG Apple Mac OSX 10.13 v2r5
AOSX-14-001020 - The macOS system must audit the enforcement actions used to restrict access associated with changes to the system.UnixDISA STIG Apple Mac OSX 10.14 v2r6
AOSX-14-002063 - The macOS system must disable the guest account.UnixDISA STIG Apple Mac OSX 10.14 v2r6
AOSX-15-001020 - The macOS system must audit the enforcement actions used to restrict access associated with changes to the system.UnixDISA STIG Apple Mac OSX 10.15 v1r8
AOSX-15-002063 - The macOS system must enforce access restrictions.UnixDISA STIG Apple Mac OSX 10.15 v1r8
APPL-11-001020 - The macOS system must audit the enforcement actions used to restrict access associated with changes to the system - fdUnixDISA STIG Apple macOS 11 v1r5
APPL-11-001020 - The macOS system must audit the enforcement actions used to restrict access associated with changes to the system - fdUnixDISA STIG Apple macOS 11 v1r6
APPL-11-001020 - The macOS system must audit the enforcement actions used to restrict access associated with changes to the system - fmUnixDISA STIG Apple macOS 11 v1r6
APPL-11-001020 - The macOS system must audit the enforcement actions used to restrict access associated with changes to the system - fmUnixDISA STIG Apple macOS 11 v1r5
APPL-11-001020 - The macOS system must audit the enforcement actions used to restrict access associated with changes to the system - frUnixDISA STIG Apple macOS 11 v1r5
APPL-11-001020 - The macOS system must audit the enforcement actions used to restrict access associated with changes to the system - frUnixDISA STIG Apple macOS 11 v1r6
APPL-11-001020 - The macOS system must audit the enforcement actions used to restrict access associated with changes to the system - fwUnixDISA STIG Apple macOS 11 v1r5
APPL-11-001020 - The macOS system must audit the enforcement actions used to restrict access associated with changes to the system - fwUnixDISA STIG Apple macOS 11 v1r6
APPL-11-002063 - The macOS system must enforce access restrictions.UnixDISA STIG Apple macOS 11 v1r5
APPL-11-002063 - The macOS system must enforce access restrictions.UnixDISA STIG Apple macOS 11 v1r6
ARDC-CL-000315 - Adobe Reader DC must disable the ability to add Trusted Files and Folders.WindowsDISA STIG Adobe Acrobat Reader DC Classic Track v2r1
ARDC-CL-000320 - Adobe Reader DC must disable the ability to specify Host-Based Privileged Locations.WindowsDISA STIG Adobe Acrobat Reader DC Classic Track v2r1
ARDC-CN-000315 - Adobe Reader DC must disable the ability to add Trusted Files and Folders.WindowsDISA STIG Adobe Acrobat Reader DC Continuous Track v2r1
ARDC-CN-000320 - Adobe Reader DC must disable the ability to elevate IE Trusts to Privileged Locations.WindowsDISA STIG Adobe Acrobat Reader DC Continuous Track v2r1