Guide to the Secure Configuration of Oracle Linux 7
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Record Successful Access Attempts to Files - openat
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read a...Rule Medium Severity -
Record Successful Creation Attempts to Files - openat O_CREAT
The <code>openat</code> syscall can be used to create new files when O_CREAT flag is specified. The following audit rules will assure that successful attempts to create a file via <code>openat</co...Rule Medium Severity -
Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE
The audit system should collect detailed file access records for all users and root. The <code>openat</code> syscall can be used to modify files if called for write operation with the O_TRUNC_WRITE...Rule Medium Severity -
Record Successful Permission Changes to Files - removexattr
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Successful Delete Attempts to Files - renameat
At a minimum, the audit system should collect file deletion for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules du...Rule Medium Severity -
Record Successful Permission Changes to Files - setxattr
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Successful Access Attempts to Files - truncate
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read a...Rule Medium Severity -
Record Successful Delete Attempts to Files - unlink
At a minimum, the audit system should collect file deletion for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules du...Rule Medium Severity -
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
At a minimum the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read au...Rule Medium Severity -
Record Unsuccessful Ownership Changes to Files - chown
The audit system should collect unsuccessful file ownership change attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to rea...Rule Medium Severity -
Record Unsuccessful Access Attempts to Files - creat
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read a...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - fchmodat
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to re...Rule Medium Severity -
Record Unsuccessful Ownership Changes to Files - fchown
The audit system should collect unsuccessful file ownership change attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to rea...Rule Medium Severity -
Record Unsuccessful Ownership Changes to Files - fchownat
The audit system should collect unsuccessful file ownership change attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to rea...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - fremovexattr
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to re...Rule Medium Severity -
Record Unsuccessful Ownership Changes to Files - lchown
The audit system should collect unsuccessful file ownership change attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to re...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - lremovexattr
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to re...Rule Medium Severity -
Record Attempts to Alter Logon and Logout Events - lastlog
The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during dae...Rule Medium Severity -
Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT
The audit system should collect unauthorized file accesses for all users and root. The <code>open_by_handle_at</code> syscall can be used to create new files when O_CREAT flag is specified. The fo...Rule Medium Severity -
Remote server for audispd to send audit records
The setting for remote_server in /etc/audisp/audisp-remote.confValue -
Action for audispd to take when disk is full
The setting for disk_full_action in /etc/audisp/audisp-remote.confValue -
Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
The audit system should collect detailed unauthorized file accesses for all users and root. The <code>open</code> syscall can be used to modify files if called for write operation of with O_TRUNC_W...Rule Medium Severity -
Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly
The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files v...Rule Medium Severity -
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity -
Record Unsuccessful Creation Attempts to Files - openat O_CREAT
The audit system should collect unauthorized file accesses for all users and root. The <code>openat</code> syscall can be used to create new files when O_CREAT flag is specified. The following aui...Rule Medium Severity -
Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE
The audit system should collect detailed unauthorized file accesses for all users and root. The <code>openat</code> syscall can be used to modify files if called for write operation of with O_TRUNC...Rule Medium Severity -
Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly
The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files v...Rule Medium Severity -
Action for auditd to take when log files reach their maximum size
The setting for max_log_file_action in /etc/audit/auditd.conf. The following options are available: <br>ignore - audit daemon does nothing. <br>syslog - audit daemon will issue a warning to syslog....Value -
Action for auditd to take when disk space just starts to run low
The setting for space_left_action in /etc/audit/auditd.confValue -
Record Unsuccessful Delete Attempts to Files - rename
The audit system should collect unsuccessful file deletion attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit ...Rule Medium Severity -
Record Unsuccessful Delete Attempts to Files - renameat
The audit system should collect unsuccessful file deletion attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - setxattr
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to re...Rule Medium Severity -
Ensure auditd Collects Information on Kernel Module Loading - init_module
To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: <pre>-a always,ex...Rule Medium Severity -
The percentage remaining in disk space before prompting space_left_action
The setting for space_left as a percentage in /etc/audit/auditd.confValue -
Record Unsuccessful Delete Attempts to Files - unlink
The audit system should collect unsuccessful file deletion attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit...Rule Medium Severity -
Ensure auditd Collects Information on Kernel Module Unloading - create_module
To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: <pre>-a always,e...Rule Medium Severity -
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: <pre>-a always,...Rule Medium Severity -
Record Attempts to Alter Logon and Logout Events - tallylog
The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during dae...Rule Medium Severity -
Record Attempts to Alter Logon and Logout Events - faillock
The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during dae...Rule Medium Severity -
Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program...Rule Medium Severity -
Ensure auditd Collects Information on the Use of Privileged Commands - reboot
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program...Rule Medium Severity -
Ensure auditd Collects Information on the Use of Privileged Commands - at
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program...Rule Medium Severity -
Ensure auditd Collects Information on the Use of Privileged Commands - chage
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program...Rule Medium Severity -
Configure audispd Plugin To Send Logs To Remote Server
Configure the audispd plugin to off-load audit records onto a different system or media from the system being audited. Set the <code>remote_server</code> option in <pre>/etc/audisp/audisp-remote.c...Rule Medium Severity -
Ensure auditd Collects Information on the Use of Privileged Commands - crontab
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program...Rule Medium Severity -
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program...Rule Medium Severity -
Ensure auditd Collects Information on the Use of Privileged Commands - mount
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program...Rule Medium Severity -
Configure audispd's Plugin disk_full_action When Disk Is Full
Configure the action the operating system takes if the disk the audit records are written to becomes full. Edit the file <code>/etc/audisp/audisp-remote.conf</code>. Add or modify the following lin...Rule Medium Severity -
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program...Rule Medium Severity -
Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.