800-53|CM-3

Title

CONFIGURATION CHANGE CONTROL

Description

The organization:

Supplemental

Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes.

Reference Item Details

Related: CA-7,CM-2,CM-4,CM-5,CM-6,CM-9,SA-10,SI-12,SI-2

Category: CONFIGURATION MANAGEMENT

Family: CONFIGURATION MANAGEMENT

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items


Name | Plugin | Audit Name
1.2.2.3.1 Configure 'Registry policy processing' - NoBackgroundPolicy | Windows | CIS Windows 2003 MS v3.1.0
1.2.2.3.1 Configure 'Registry policy processing' - NoBackgroundPolicy | Windows | CIS Windows 2003 DC v3.1.0
1.2.2.3.1 Configure 'Registry policy processing' - NoGPOListChanges | Windows | CIS Windows 2003 MS v3.1.0
1.2.2.3.1 Configure 'Registry policy processing' - NoGPOListChanges | Windows | CIS Windows 2003 DC v3.1.0
1.2.2.3.2 Configure 'Do not apply during periodic background processing' | Windows | CIS Windows 2003 DC v3.1.0
1.2.2.3.2 Configure 'Do not apply during periodic background processing' | Windows | CIS Windows 2003 MS v3.1.0
1.2.2.3.3 Configure 'Process even if the Group Policy objects have not changed' | Windows | CIS Windows 2003 MS v3.1.0
1.2.2.3.3 Configure 'Process even if the Group Policy objects have not changed' | Windows | CIS Windows 2003 DC v3.1.0
1.2.3.7 Set 'Do not apply during periodic background processing' to 'Enabled:FALSE' | Windows | CIS Windows 8 L1 v1.0.0
1.2.3.8 Set 'Process even if the Group Policy objects have not changed' to 'Enabled:TRUE' | Windows | CIS Windows 8 L1 v1.0.0
1.3.1 Ensure AIDE is installed | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.3.2 Ensure filesystem integrity is regularly checked - aide | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.3.2 Ensure filesystem integrity is regularly checked - cron | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.3.2 Ensure filesystem integrity is regularly checked - mail | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true | Unix | CIS Kubernetes v1.20 Benchmark v1.0.0 L2 Master
1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true | Unix | CIS Kubernetes 1.13 Benchmark v1.4.0 L1
1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true | Unix | CIS Kubernetes Benchmark v1.5.1 L2
1.3.7 Ensure that the RotateKubeletServerCertificate argument is set to true | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.4.5.1 Ensure 'aaa command accounting' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.4.5.1 Ensure 'aaa command accounting' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.4.5.2 Ensure 'aaa accounting for SSH' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.4.5.2 Ensure 'aaa accounting for SSH' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.4.5.3 Ensure 'aaa accounting for Serial console' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.4.5.3 Ensure 'aaa accounting for Serial console' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.4.5.4 Ensure 'aaa accounting for EXEC mode' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.4.5.4 Ensure 'aaa accounting for EXEC mode' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.12.3 Registry policy processing (NoBackgroundPolicy) - Domain Controller | Windows | CIS Windows 2008 SSLF v1.2.0
1.12.3 Registry policy processing (NoBackgroundPolicy) - Domain Controller | Windows | CIS Windows 2008 Enterprise v1.2.0
1.12.3 Registry policy processing (NoBackgroundPolicy) - Member Server | Windows | CIS Windows 2008 Enterprise v1.2.0
1.12.3 Registry policy processing (NoBackgroundPolicy) - Member Server | Windows | CIS Windows 2008 SSLF v1.2.0
1.12.3 Registry policy processing (NoGPOListChanges) - Domain Controller | Windows | CIS Windows 2008 Enterprise v1.2.0
1.12.3 Registry policy processing (NoGPOListChanges) - Domain Controller | Windows | CIS Windows 2008 SSLF v1.2.0
1.12.3 Registry policy processing (NoGPOListChanges) - Member Server | Windows | CIS Windows 2008 Enterprise v1.2.0
1.12.3 Registry policy processing (NoGPOListChanges) - Member Server | Windows | CIS Windows 2008 SSLF v1.2.0
1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | amazon_aws | CIS Amazon Web Services Foundations L1 1.3.0
18.8.21.1 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Windows | CIS Windows Server 2012 R2 DC L1 v2.4.0
18.8.21.1 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Windows | CIS Windows Server 2012 R2 MS L1 v2.4.0
18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Windows | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.1.0
18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Windows | CIS Windows Server 2012 DC L1 v2.1.0
18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Windows | CIS Microsoft Windows 8.1 L1 Bitlocker v2.3.0
18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Windows | CIS Windows Server 2012 MS L1 v2.1.0
18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.1.0
18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Windows | CIS Windows Server 2012 R2 DC L1 v2.5.0
18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Windows | CIS Microsoft Windows 8.1 L1 v2.3.0
18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.1.0
18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Windows | CIS Windows 7 Workstation Level 1 v3.1.0
18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Windows | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.1.0
18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0