10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges
10.2.5.a Verify use of identification and authentication mechanisms is logged.
10.2.5.b Verify all elevation of privileges is logged.
10.2.5.c Verify all changes, additions, or deletions to any account with root or administrative privileges are logged.
Without knowing who was logged on at the time of an incident, it is impossible to identify the accounts that may have been used. Additionally, malicious users may attempt to manipulate the authentication controls with the intent of bypassing them or impersonating a valid account.