Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Record Events that Modify the System's Discretionary Access Controls - fchmodat
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fchownat
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - lchown
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - removexattr
At a minimum, the audit system should collect file permission changes for all users and root. <br> <br> If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> pr...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - setxattr
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - umount
At a minimum, the audit system should collect file system umount changes. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemo...Rule Medium Severity -
Record Any Attempts to Run chcon
At a minimum, the audit system should collect any execution attempt of the <code>chcon</code> command for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenr...Rule Medium Severity -
Record Any Attempts to Run restorecon
At a minimum, the audit system should collect any execution attempt of the <code>restorecon</code> command for all users and root. If the <code>auditd</code> daemon is configured to use the <code>a...Rule Medium Severity -
Record Any Attempts to Run semanage
At a minimum, the audit system should collect any execution attempt of the <code>semanage</code> command for all users and root. If the <code>auditd</code> daemon is configured to use the <code>aug...Rule Medium Severity -
Ensure auditd Collects File Deletion Events by User - renameat
At a minimum, the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit r...Rule Medium Severity -
Record Any Attempts to Run setsebool
At a minimum, the audit system should collect any execution attempt of the <code>setsebool</code> command for all users and root. If the <code>auditd</code> daemon is configured to use the <code>au...Rule Medium Severity -
Ensure auditd Collects File Deletion Events by User - unlink
At a minimum, the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit r...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - chmod
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to re...Rule Medium Severity -
Record Unsuccessful Ownership Changes to Files - chown
The audit system should collect unsuccessful file ownership change attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to rea...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - fchmod
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to re...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - fchmodat
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to re...Rule Medium Severity -
Record Unsuccessful Ownership Changes to Files - fchown
The audit system should collect unsuccessful file ownership change attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to rea...Rule Medium Severity -
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: <pre>-a always,...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - fsetxattr
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to re...Rule Medium Severity -
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - lremovexattr
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to re...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - lsetxattr
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to re...Rule Medium Severity -
Record Unsuccessful Access Attempts to Files - open
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read a...Rule Medium Severity -
Record Unsuccessful Access Attempts to Files - open_by_handle_at
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read a...Rule Medium Severity -
Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE
The audit system should collect detailed unauthorized file accesses for all users and root. The <code>open_by_handle_at</code> syscall can be used to modify files if called for write operation of w...Rule Medium Severity -
Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly
The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files v...Rule Medium Severity -
Record Unsuccessful Creation Attempts to Files - open O_CREAT
The audit system should collect unauthorized file accesses for all users and root. The <code>open</code> syscall can be used to create new files when O_CREAT flag is specified. The following auidt...Rule Medium Severity -
Configure audispd Plugin To Send Logs To Remote Server
Configure the audispd plugin to off-load audit records onto a different system or media from the system being audited. Set the <code>remote_server</code> option in <pre>/etc/audit/audisp-remote.co...Rule Medium Severity -
Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly
The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files v...Rule Medium Severity -
Record Unsuccessful Creation Attempts to Files - openat O_CREAT
The audit system should collect unauthorized file accesses for all users and root. The <code>openat</code> syscall can be used to create new files when O_CREAT flag is specified. The following aui...Rule Medium Severity -
Configure audispd's Plugin disk_full_action When Disk Is Full
Configure the action the operating system takes if the disk the audit records are written to becomes full. Edit the file <code>/etc/audit/audisp-remote.conf</code>. Add or modify the following line...Rule Medium Severity -
Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly
The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files v...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - removexattr
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to re...Rule Medium Severity -
Record Unsuccessful Delete Attempts to Files - rename
The audit system should collect unsuccessful file deletion attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit ...Rule Medium Severity -
Record Unsuccessful Delete Attempts to Files - renameat
The audit system should collect unsuccessful file deletion attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit...Rule Medium Severity -
Record Unsuccessful Delete Attempts to Files - unlink
The audit system should collect unsuccessful file deletion attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit...Rule Medium Severity -
Record Unsuccessful Delete Attempts to Files - unlinkat
The audit system should collect unsuccessful file deletion attempts for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit...Rule Medium Severity -
Ensure auditd Collects Information on Kernel Module Loading and Unloading
To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: <pr...Rule Medium Severity -
Record Attempts to Alter Logon and Logout Events - lastlog
The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during dae...Rule Medium Severity -
Record Attempts to Alter Logon and Logout Events - faillock
The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during dae...Rule Medium Severity -
Ensure auditd Collects Information on the Use of Privileged Commands - init
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program...Rule Medium Severity -
Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program...Rule Medium Severity -
Ensure auditd Collects Information on the Use of Privileged Commands - shutdown
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program...Rule Medium Severity -
Ensure auditd Collects Information on the Use of Privileged Commands - at
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program...Rule Medium Severity -
Ensure auditd Collects Information on the Use of Privileged Commands - chage
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program...Rule Medium Severity -
Ensure auditd Collects Information on the Use of Privileged Commands - crontab
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program...Rule Medium Severity -
Ensure auditd Collects Information on the Use of Privileged Commands - dbus helper
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program...Rule Medium Severity -
Ensure auditd Collects Information on the Use of Privileged Commands - fusermount
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.