Skip to content

Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4

Rules, Groups, and Values defined within the XCCDF Benchmark

  • System Accounting with auditd

    The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and c...
    Group
  • Enable auditd Service

    The <code>auditd</code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to...
    Rule Medium Severity
  • Extend Audit Backlog Limit for the Audit Daemon

    To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument <code>audit_backlog_l...
    Rule Medium Severity
  • Enable Auditing for Processes Which Start Prior to the Audit Daemon

    To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument <code>audit=1</code> to all BLS (Boot Lo...
    Rule Medium Severity
  • Configure auditd Rules for Comprehensive Auditing

    The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings ...
    Group
  • Audit failure mode

    This variable is the setting for the -f option in Audit configuration which sets the failure mode of audit. This option lets you determine how you ...
    Value
  • Record Events that Modify User/Group Information via open syscall - /etc/group

    The audit system should collect write events to /etc/group file for all users and root. If the <code>auditd</code> daemon is configured to use the ...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group

    The audit system should collect write events to /etc/group file for all group and root. If the <code>auditd</code> daemon is configured to use the ...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via openat syscall - /etc/group

    The audit system should collect write events to /etc/group file for all users and root. If the <code>auditd</code> daemon is configured to use the ...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via open syscall - /etc/gshadow

    The audit system should collect write events to /etc/gshadow file for all users and root. If the <code>auditd</code> daemon is configured to use th...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow

    The audit system should collect write events to /etc/gshadow file for all users and root. If the <code>auditd</code> daemon is configured to use th...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via openat syscall - /etc/gshadow

    The audit system should collect write events to /etc/gshadow file for all users and root. If the <code>auditd</code> daemon is configured to use th...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via open syscall - /etc/passwd

    The audit system should collect write events to /etc/passwd file for all users and root. If the <code>auditd</code> daemon is configured to use the...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd

    The audit system should collect write events to /etc/passwd file for all users and root. If the <code>auditd</code> daemon is configured to use the...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via openat syscall - /etc/passwd

    The audit system should collect write events to /etc/passwd file for all users and root. If the <code>auditd</code> daemon is configured to use the...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via open syscall - /etc/shadow

    The audit system should collect write events to /etc/shadow file for all users and root. If the <code>auditd</code> daemon is configured to use the...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow

    The audit system should collect write events to /etc/shadow file for all users and root. If the <code>auditd</code> daemon is configured to use the...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via openat syscall - /etc/shadow

    The audit system should collect write events to /etc/shadow file for all users and root. If the <code>auditd</code> daemon is configured to use the...
    Rule Medium Severity
  • Make the auditd Configuration Immutable

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify the System's Mandatory Access Controls

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules