800-53|CM-3(5)

Title

AUTOMATED SECURITY RESPONSE

Description

The information system implements [Assignment: organization-defined security responses] automatically if baseline configurations are changed in an unauthorized manner.

Supplemental

Security responses include, for example, halting information system processing, halting selected system functions, or issuing alerts/notifications to organizational personnel when there is an unauthorized modification of a configuration item.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Category: CONFIGURATION MANAGEMENT

Parent Title: CONFIGURATION CHANGE CONTROL

Family: CONFIGURATION MANAGEMENT

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.3.1 Ensure AIDE is installed	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.3.2 Ensure filesystem integrity is regularly checked - aide	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.3.2 Ensure filesystem integrity is regularly checked - cron	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.3.2 Ensure filesystem integrity is regularly checked - mail	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
20.59 Ensure 'System files must be monitored for unauthorized changes'	Windows	CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG MS
20.59 Ensure 'System files must be monitored for unauthorized changes'	Windows	CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG DC
20.60 Ensure 'System files must be monitored for unauthorized changes'	Windows	CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.60 Ensure 'System files must be monitored for unauthorized changes'	Windows	CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC
20.60 Ensure 'System files must be monitored for unauthorized changes'	Windows	CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS
20.60 Ensure 'System files must be monitored for unauthorized changes'	Windows	CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG MS
Big Sur - Configure the System to Notify upon Baseline Configuration Changes	Unix	NIST macOS Big Sur v1.4.0 - All Profiles
Catalina - Configure the System to Notify upon Baseline Configuration Changes	Unix	NIST macOS Catalina v1.5.0 - All Profiles
F5BI-DM-000211 - The BIG-IP appliance must be configured to implement automated security responses if baseline configurations are changed in an unauthorized manner.	F5	DISA F5 BIG-IP Device Management STIG v2r3
GEN000140 - A file integrity baseline must be created and maintained.	Unix	DISA STIG Solaris 10 SPARC v2r4
GEN000140 - A file integrity baseline must be created and maintained.	Unix	DISA STIG Solaris 10 X86 v2r4
GEN000140-2 - A file integrity baseline including cryptographic hashes must be created - '/etc/aide.conf must exist'	Unix	DISA STIG for Oracle Linux 5 v2r1
GEN000140-2 - A file integrity baseline including cryptographic hashes must be created - 'cryptographic hash is used '	Unix	DISA STIG for Oracle Linux 5 v2r1
GEN000140-2 - A file integrity baseline including cryptographic hashes must be created - 'database location'	Unix	DISA STIG for Oracle Linux 5 v2r1
GEN000140-3 - A file integrity baseline including cryptographic hashes must be maintained - '/etc/aide.conf exists'	Unix	DISA STIG for Oracle Linux 5 v2r1
GEN000140-3 - A file integrity baseline including cryptographic hashes must be maintained - 'database has been configured'	Unix	DISA STIG for Oracle Linux 5 v2r1
GEN000220 - A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.	Unix	DISA STIG Solaris 10 SPARC v2r4
GEN000220 - A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.	Unix	DISA STIG for Oracle Linux 5 v2r1
GEN000220 - A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.	Unix	DISA STIG Solaris 10 X86 v2r4
GEN002260 - The system must be checked for extraneous device files at least weekly.	Unix	DISA STIG Solaris 10 X86 v2r4
GEN002260 - The system must be checked for extraneous device files at least weekly.	Unix	DISA STIG Solaris 10 SPARC v2r4
GEN002400 - The system must be checked weekly for unauthorized setuid files, as well as, unauthorized modification to authorized setuid files.	Unix	DISA STIG Solaris 10 SPARC v2r4
GEN002400 - The system must be checked weekly for unauthorized setuid files, as well as, unauthorized modification to authorized setuid files.	Unix	DISA STIG Solaris 10 X86 v2r4
GEN002460 - The system must be checked weekly for unauthorized setgid files, as well as, unauthorized modification to authorized setgid files.	Unix	DISA STIG Solaris 10 SPARC v2r4
GEN002460 - The system must be checked weekly for unauthorized setgid files, as well as, unauthorized modification to authorized setgid files.	Unix	DISA STIG Solaris 10 X86 v2r4
Monterey - Configure the System to Notify upon Baseline Configuration Changes	Unix	NIST macOS Monterey v1.0.0 - All Profiles
OL6-00-000016 - A file integrity tool must be installed.	Unix	DISA STIG Oracle Linux 6 v2r7
OL6-00-000302 - A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.	Unix	DISA STIG Oracle Linux 6 v2r7
OL6-00-000303 - The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.	Unix	DISA STIG Oracle Linux 6 v2r7
OL6-00-000305 - The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.	Unix	DISA STIG Oracle Linux 6 v2r7
OL6-00-000306 - The operating system must detect unauthorized changes to software and information.	Unix	DISA STIG Oracle Linux 6 v2r7
OL6-00-000307 - The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.	Unix	DISA STIG Oracle Linux 6 v2r7
OL07-00-020028 - The Oracle Linux operating system must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.	Unix	DISA Oracle Linux 7 STIG v2r14
OL07-00-020030 - The Oracle Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly - aide.	Unix	DISA Oracle Linux 7 STIG v2r14
OL07-00-020030 - The Oracle Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly - cron.	Unix	DISA Oracle Linux 7 STIG v2r14
OL07-00-020040 - The Oracle Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner - aide.	Unix	DISA Oracle Linux 7 STIG v2r14
OL07-00-020040 - The Oracle Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner - cron.	Unix	DISA Oracle Linux 7 STIG v2r14
OL08-00-010358 - OL 8 must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.	Unix	DISA Oracle Linux 8 STIG v2r1
OL08-00-010360 - The OL 8 file integrity tool must notify the System Administrator (SA) when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.	Unix	DISA Oracle Linux 8 STIG v2r1
PHTN-30-000013 - The Photon operating system must have the auditd service running.	Unix	DISA STIG VMware vSphere 7.0 Photon OS v1r3
PHTN-40-000016 The Photon operating system must enable the auditd service.	Unix	DISA VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 STIG v2r1
PHTN-40-000237 The Photon operating system must configure AIDE to detect changes to baseline configurations.	Unix	DISA VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 STIG v2r1
PHTN-67-000018 - The Photon operating system must have the auditd service running.	Unix	DISA STIG VMware vSphere 6.7 Photon OS v1r6
RHEL-07-020028 - The Red Hat Enterprise Linux operating system must be configured to allow sending email notifications of configuration changes and adverse events to designated personnel.	Unix	DISA Red Hat Enterprise Linux 7 STIG v3r15
RHEL-07-020030 - The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.	Unix	DISA Red Hat Enterprise Linux 7 STIG v3r15
RHEL-07-020040 - The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.	Unix	DISA Red Hat Enterprise Linux 7 STIG v3r15

Detections

Analytics