| 1.1.2.26 Set 'Audit Policy: Account Management: Application Group Management' to 'No Auditing' | CIS Windows 8 L1 v1.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| 1.1.5.2.10 Set 'Windows Firewall: Private: Logging: Log successful connections' to 'Yes' | CIS Windows 8 L1 v1.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| 1.13 Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc | CIS Docker Community Edition v1.1.0 L1 Linux Host OS | Unix | AUDIT AND ACCOUNTABILITY |
| 3.2.4 Ensure suspicious packets are logged - 'net.ipv4.conf.default.log_martians' (sysctl.conf/sysctl.d) | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.3 Ensure auditing for processes that start prior to auditd is enabled | CIS Amazon Linux v2.1.0 L2 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.4 Ensure events that modify date and time information are collected - auditctl adjtimex | CIS Amazon Linux v2.1.0 L2 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.4 Ensure events that modify date and time information are collected - auditctl clock_settime b32 | CIS Amazon Linux v2.1.0 L2 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.4 Ensure events that modify date and time information are collected - auditctl time-change | CIS Amazon Linux v2.1.0 L2 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.4 Ensure events that modify date and time information are collected - clock_settime b64 | CIS Amazon Linux v2.1.0 L2 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.5 Ensure events that modify user/group information are collected - '/etc/security/opasswd' | CIS Amazon Linux v2.1.0 L2 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.5 Ensure events that modify user/group information are collected - '/etc/shadow' | CIS Amazon Linux v2.1.0 L2 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.6 Ensure events that modify the system's network environment are collected - issue | CIS Amazon Linux v2.1.0 L2 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.10 Ensure discretionary access control permission modification events are collected - 'auditctl chmod' | CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.10 Ensure discretionary access control permission modification events are collected - 'auditctl chown' | CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.10 Ensure discretionary access control permission modification events are collected - auditctl b64 chown/fchown/fchownat/lchown | CIS Amazon Linux v2.1.0 L2 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.10 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat | CIS Amazon Linux v2.1.0 L2 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.15 Ensure changes to system administration scope (sudoers) is collected - auditctl /etc/sudoers | CIS Amazon Linux v2.1.0 L2 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.15 Ensure changes to system administration scope (sudoers) is collected - auditctl /etc/sudoers.d | CIS Amazon Linux v2.1.0 L2 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.17 Ensure kernel module loading and unloading is collected - insmod | CIS Amazon Linux v2.1.0 L2 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.2 Enable FTP daemon Logging - Make sure that exec is set to /usr/sbin/in.ftpd -a -l -d | CIS Solaris 10 L1 v5.2 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.2.1.2 Ensure logging is configured | CIS Amazon Linux v2.1.0 L1 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.2.1.2 Ensure logging is configured - '*.*;mail.none;news.none -/var/log/messages' | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.2.1.2 Ensure logging is configured - '*.=warning;*.=err -/var/log/warn' | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.2.1.2 Ensure logging is configured - 'local4,local5.* -/var/log/localmessages' | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.2.1.2 Ensure logging is configured - 'news.crit -/var/log/news/news.crit' | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 5.1 Ensure that auditable events and diagnostic tracking settings within the SharePoint system is consistent with the organization's security plans | CIS Microsoft SharePoint 2019 OS v1.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| 8.2 Configure a Logging File Channel - category config | CIS BIND DNS v3.0.1 Caching Only Name Server | Unix | AUDIT AND ACCOUNTABILITY |
| 8.2 Configure a Logging File Channel - category network | CIS BIND DNS v3.0.1 Authoritative Name Server | Unix | AUDIT AND ACCOUNTABILITY |
| Audit Audit Policy Change | MSCT Windows 10 1809 v1.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| Audit logon events | MSCT Windows 10 1809 v1.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| Audit Other Logon/Logoff Events | MSCT Windows 10 1803 v1.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| Audit Security System Extension | MSCT Windows 10 1809 v1.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| Audit User Account Management | MSCT Windows 10 1803 v1.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | MSCT Windows 10 1803 v1.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| Ensure changes to system administration scope (sudoers) is collected - auditctl /etc/sudoers | Tenable Cisco Firepower Management Center OS Best Practices Audit | Unix | AUDIT AND ACCOUNTABILITY |
| Ensure discretionary access control permission modification events are collected - b32 chown fchown | Tenable Cisco Firepower Management Center OS Best Practices Audit | Unix | AUDIT AND ACCOUNTABILITY |
| Ensure events that modify date and time information are collected - audit.rules b64 clock_settime | Tenable Cisco Firepower Management Center OS Best Practices Audit | Unix | AUDIT AND ACCOUNTABILITY |
| Ensure events that modify date and time information are collected - auditctl b64 adjtimex | Tenable Cisco Firepower Management Center OS Best Practices Audit | Unix | AUDIT AND ACCOUNTABILITY |
| Ensure events that modify the system's network environment are collected - auditctl /etc/hosts | Tenable Cisco Firepower Management Center OS Best Practices Audit | Unix | AUDIT AND ACCOUNTABILITY |
| Ensure events that modify user/group information are collected - /etc/gshadow | Tenable Cisco Firepower Management Center OS Best Practices Audit | Unix | AUDIT AND ACCOUNTABILITY |
| Ensure events that modify user/group information are collected - /etc/shadow | Tenable Cisco Firepower Management Center OS Best Practices Audit | Unix | AUDIT AND ACCOUNTABILITY |
| Ensure kernel module loading and unloading is collected - insmod | Tenable Cisco Firepower Management Center OS Best Practices Audit | Unix | AUDIT AND ACCOUNTABILITY |
| Ensure successful file system mounts are collected - auditctl b64 | Tenable Cisco Firepower Management Center OS Best Practices Audit | Unix | AUDIT AND ACCOUNTABILITY |
| Ensure suspicious packets are logged - /etc/sysctl ipv4 default log_martians | Tenable Cisco Firepower Management Center OS Best Practices Audit | Unix | AUDIT AND ACCOUNTABILITY |
| Ensure suspicious packets are logged - sysctl ipv4 all log_martians | Tenable Cisco Firepower Management Center OS Best Practices Audit | Unix | AUDIT AND ACCOUNTABILITY |
| Ensure unsuccessful unauthorized file access attempts are collected - b32 EACCES | Tenable Cisco Firepower Management Center OS Best Practices Audit | Unix | AUDIT AND ACCOUNTABILITY |
| Ensure unsuccessful unauthorized file access attempts are collected - b64 EACCES | Tenable Cisco Firepower Management Center OS Best Practices Audit | Unix | AUDIT AND ACCOUNTABILITY |
| Log dropped packets - PrivateProfile | MSCT Windows 10 1803 v1.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| Log successful connections - Public Profile | MSCT Windows 10 1809 v1.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| Logs containing auditing information should be secured at the directory level. | TNS IBM HTTP Server Best Practice Middleware | Unix | AUDIT AND ACCOUNTABILITY |
