Guide to the Secure Configuration of Oracle Linux 9
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Configure auditing of successful file creations
Ensure that successful attempts to create a file are audited. The following rules configure audit as described above: <pre>## Successful file creation (open with O_CREAT) -a always,exit -F arch=b3...Rule Medium Severity -
Configure auditing of unsuccessful file deletions
Ensure that unsuccessful attempts to delete a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file delete -a always,exit -F arch=b32 -S unlink,unlink...Rule Medium Severity -
Configure auditing of successful file deletions
Ensure that successful attempts to delete a file are audited. The following rules configure audit as described above: <pre>## Successful file delete -a always,exit -F arch=b32 -S unlink,unlinkat,r...Rule Medium Severity -
Configure auditing of unsuccessful file modifications
Ensure that unsuccessful attempts to modify a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file modifications (open for write or truncate) -a alwa...Rule Medium Severity -
Configure auditing of successful file modifications
Ensure that successful attempts to modify a file are audited. The following rules configure audit as described above: <pre>## Successful file modifications (open for write or truncate) -a always,e...Rule Medium Severity -
Configure auditing of unsuccessful ownership changes
Ensure that unsuccessful attempts to change an ownership of files or directories are audited. The following rules configure audit as described above: <pre>## Unsuccessful ownership change -a alway...Rule Medium Severity -
Configure auditing of successful ownership changes
Ensure that successful attempts to change an ownership of files or directories are audited. The following rules configure audit as described above: <pre>## Successful ownership change -a always,ex...Rule Medium Severity -
Configure auditing of unsuccessful permission changes
Ensure that unsuccessful attempts to change file or directory permissions are audited. The following rules configure audit as described above: <pre>## Unsuccessful permission change -a always,exit...Rule Medium Severity -
Configure auditing of successful permission changes
Ensure that successful attempts to modify permissions of files or directories are audited. The following rules configure audit as described above: <pre>## Successful permission change -a always,ex...Rule Medium Severity -
Install audispd-plugins Package
Theaudispd-pluginspackage can be installed with the following command:$ sudo yum install audispd-plugins
Rule Medium Severity -
Enable auditd Service
The <code>auditd</code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The <code>auditd</code> service can be ena...Rule Medium Severity -
Configure auditd Rules for Comprehensive Auditing
The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings for comprehensive auditing, but a full description...Group -
Configure immutable Audit login UIDs
Configure kernel to prevent modification of login UIDs once they are set. Changing login UIDs while this configuration is enforced requires special capabilities which are not available to unprivile...Rule Medium Severity -
Ensure auditd Collects Information on Exporting to Media (successful)
At a minimum, the audit system should collect media exportation events for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read aud...Rule Medium Severity -
Record Events that Modify the System's Network Environment
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity -
Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
At a minimum, the audit system should collect administrator actions for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit ...Rule Medium Severity -
Record Events When Privileged Executables Are Run
Verify the system generates an audit record when privileged functions are executed. If audit is using the "auditctl" tool to load the rules, run the following command: <pre>$ sudo grep execve /et...Rule Medium Severity -
Shutdown System When Auditing Failures Occur
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to to the bottom of a file...Rule Medium Severity -
Record Events that Modify User/Group Information - /etc/gshadow
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity -
Record Access Events to Audit Log Directory
The audit system should collect access events to read audit log directory. The following audit rule will assure that access to audit log directory are collected. <pre>-a always,exit -F dir=/var/log...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.