CSCv6|16.10

Title

Profile each user's typical account usage by determining normal time-of-day access and access duration.

Description

Profile each user's typical account usage by determining normal time-of-day access and access duration. Reports should be generated that indicate users who have logged in during unusual hours or have exceeded their normal login duration. This includes flagging the use of the user's credentials from a computer other than computers on which the user generally works.

Reference Item Details

Category: Account Monitoring and Control

Family: Application

Audit Items

Name | Plugin | Audit Name
2.1 Ensure that IP addresses are mapped to usernames - User ID Agents | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L2 v1.0.0
2.1 Ensure that IP addresses are mapped to usernames - Zones | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L2 v1.0.0
2.3 Ensure that User-ID is only enabled for internal trusted interfaces | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
4.1.8 Ensure login and logout events are collected - '/var/log/faillog' | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
4.1.8 Ensure login and logout events are collected - '/var/log/faillog' | Unix | CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
4.1.8 Ensure login and logout events are collected - '/var/log/lastlog' | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
4.1.8 Ensure login and logout events are collected - '/var/log/lastlog' | Unix | CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
4.1.8 Ensure login and logout events are collected - '/var/log/tallylog' | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
4.1.8 Ensure login and logout events are collected - '/var/log/tallylog' | Unix | CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
4.1.8 Ensure login and logout events are collected - /var/log/lastlog | Unix | CIS Amazon Linux v2.1.0 L2
4.1.8 Ensure login and logout events are collected - /var/run/faillock/ | Unix | CIS Amazon Linux v2.1.0 L2
4.1.8 Ensure login and logout events are collected - auditctl faillog | Unix | CIS Debian 8 Server L2 v2.0.2
4.1.8 Ensure login and logout events are collected - auditctl faillog | Unix | CIS Debian 8 Workstation L2 v2.0.2
4.1.8 Ensure login and logout events are collected - auditctl lastlog | Unix | CIS Debian 8 Workstation L2 v2.0.2
4.1.8 Ensure login and logout events are collected - auditctl lastlog | Unix | CIS Debian 8 Server L2 v2.0.2
4.1.8 Ensure login and logout events are collected - auditctl tallylog | Unix | CIS Debian 8 Server L2 v2.0.2
4.1.8 Ensure login and logout events are collected - auditctl tallylog | Unix | CIS Debian 8 Workstation L2 v2.0.2
4.1.8 Ensure login and logout events are collected - faillog | Unix | CIS Debian 8 Server L2 v2.0.2
4.1.8 Ensure login and logout events are collected - faillog | Unix | CIS Debian 8 Workstation L2 v2.0.2
4.1.8 Ensure login and logout events are collected - lastlog | Unix | CIS Debian 8 Server L2 v2.0.2
4.1.8 Ensure login and logout events are collected - lastlog | Unix | CIS Debian 8 Workstation L2 v2.0.2
4.1.8 Ensure login and logout events are collected - tallylog | Unix | CIS Debian 8 Server L2 v2.0.2
4.1.8 Ensure login and logout events are collected - tallylog | Unix | CIS Debian 8 Workstation L2 v2.0.2
4.1.9 Ensure login and logout events are collected - auditctl faillog | Unix | CIS Distribution Independent Linux Server L2 v2.0.0
4.1.9 Ensure login and logout events are collected - auditctl faillog | Unix | CIS Distribution Independent Linux Workstation L2 v2.0.0
4.1.9 Ensure login and logout events are collected - auditctl lastlog | Unix | CIS Distribution Independent Linux Server L2 v2.0.0
4.1.9 Ensure login and logout events are collected - auditctl lastlog | Unix | CIS Distribution Independent Linux Workstation L2 v2.0.0
4.1.9 Ensure login and logout events are collected - auditctl tallylog | Unix | CIS Distribution Independent Linux Workstation L2 v2.0.0
4.1.9 Ensure login and logout events are collected - auditctl tallylog | Unix | CIS Distribution Independent Linux Server L2 v2.0.0
4.1.9 Ensure login and logout events are collected - faillog | Unix | CIS Distribution Independent Linux Workstation L2 v2.0.0
4.1.9 Ensure login and logout events are collected - faillog | Unix | CIS Distribution Independent Linux Server L2 v2.0.0
4.1.9 Ensure login and logout events are collected - lastlog | Unix | CIS Distribution Independent Linux Server L2 v2.0.0
4.1.9 Ensure login and logout events are collected - lastlog | Unix | CIS Distribution Independent Linux Workstation L2 v2.0.0
4.1.9 Ensure login and logout events are collected - tallylog | Unix | CIS Distribution Independent Linux Server L2 v2.0.0
4.1.9 Ensure login and logout events are collected - tallylog | Unix | CIS Distribution Independent Linux Workstation L2 v2.0.0
4.1.9 Ensure session initiation information is collected - '/var/log/btmp' | Unix | CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
4.1.9 Ensure session initiation information is collected - '/var/log/btmp' | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
4.1.10 Ensure session initiation information is collected - auditctl btmp | Unix | CIS Distribution Independent Linux Workstation L2 v2.0.0
4.1.10 Ensure session initiation information is collected - auditctl btmp | Unix | CIS Distribution Independent Linux Server L2 v2.0.0
4.1.10 Ensure session initiation information is collected - auditctl utmp | Unix | CIS Distribution Independent Linux Server L2 v2.0.0
4.1.10 Ensure session initiation information is collected - auditctl utmp | Unix | CIS Distribution Independent Linux Workstation L2 v2.0.0
4.1.10 Ensure session initiation information is collected - auditctl wtmp | Unix | CIS Distribution Independent Linux Workstation L2 v2.0.0
4.1.10 Ensure session initiation information is collected - auditctl wtmp | Unix | CIS Distribution Independent Linux Server L2 v2.0.0
4.1.10 Ensure session initiation information is collected - btmp | Unix | CIS Distribution Independent Linux Workstation L2 v2.0.0
4.1.10 Ensure session initiation information is collected - btmp | Unix | CIS Distribution Independent Linux Server L2 v2.0.0
4.1.10 Ensure session initiation information is collected - utmp | Unix | CIS Distribution Independent Linux Server L2 v2.0.0
4.1.10 Ensure session initiation information is collected - utmp | Unix | CIS Distribution Independent Linux Workstation L2 v2.0.0
4.1.10 Ensure session initiation information is collected - wtmp | Unix | CIS Distribution Independent Linux Workstation L2 v2.0.0
4.1.10 Ensure session initiation information is collected - wtmp | Unix | CIS Distribution Independent Linux Server L2 v2.0.0