Open adammontville opened 5 years ago
Inputs
1) List of endpoints
2) Approved configuration(s) for command line auditing of command shells (note: there may be multiple configurations based on the various types of endpoints, including various operating systems, etc.)
Operations
1) For each endpoint in Input 1, examine the endpoint to see if it is configured according to the appropriate approved configuration(s) from Input 2.
2) Create a list of endpoints that meet the approved configuration (M1)
3) Create a list of endpoints that do not meet the approved configuration (M2), noting the deviations.
Measures
Optional Measures:
Metrics
Ratio of endpoints compliant with command shell logging configurations: M1 / M2
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
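The operations and metric described in the issue above, as an added example that is not part of the original issue or the project's own code. The endpoint records are constructed sample data; the Windows keys are the registry value names for PowerShell script block logging and process-creation command-line auditing, the Linux keys are hypothetical labels, and treating an endpoint type with no approved configuration as non-compliant is an assumption.

```python
# Approved configurations per endpoint type (Input 2).
# The Linux setting names are hypothetical labels chosen for this example.
APPROVED = {
    "windows": {"EnableScriptBlockLogging": 1,
                "ProcessCreationIncludeCmdLine_Enabled": 1},
    "linux": {"auditd_execve_rule": True, "bash_history_timestamps": True},
}

# Constructed sample: endpoints (Input 1) with the settings observed on each.
ENDPOINTS = [
    {"name": "ws-01", "type": "windows",
     "observed": {"EnableScriptBlockLogging": 1,
                  "ProcessCreationIncludeCmdLine_Enabled": 1}},
    {"name": "ws-02", "type": "windows",
     "observed": {"EnableScriptBlockLogging": 0,
                  "ProcessCreationIncludeCmdLine_Enabled": 1}},
    {"name": "srv-01", "type": "linux",
     "observed": {"auditd_execve_rule": True}},
    {"name": "kiosk-01", "type": "chromeos", "observed": {}},
]


def deviations(endpoint, approved=APPROVED):
    """Operation 1: compare one endpoint with the baseline for its type."""
    baseline = approved.get(endpoint["type"])
    if baseline is None:
        # Assumption: no approved configuration counts as a deviation.
        return [f"no approved configuration for type {endpoint['type']!r}"]
    found = []
    for key, want in baseline.items():
        have = endpoint["observed"].get(key, "<missing>")
        if have != want:
            found.append(f"{key}: expected {want!r}, observed {have!r}")
    return found


def assess(endpoints, approved=APPROVED):
    """Operations 2-3: build M1 (compliant) and M2 (name -> deviations)."""
    m1, m2 = [], {}
    for ep in endpoints:
        devs = deviations(ep, approved)
        if devs:
            m2[ep["name"]] = devs
        else:
            m1.append(ep["name"])
    # Metric as written in the issue: M1 / M2; undefined when M2 is empty.
    ratio = len(m1) / len(m2) if m2 else None
    return m1, m2, ratio
```
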