Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Record Successful Access Attempts to Files - open_by_handle_at
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to...Rule Medium Severity -
Record Successful Creation Attempts to Files - open_by_handle_at O_CREAT
The <code>open_by_handle_at</code> syscall can be used to create new files when O_CREAT flag is specified. The following audit rules will assure t...Rule Medium Severity -
Record Successful Creation Attempts to Files - open_by_handle_at O_TRUNC_WRITE
The audit system should collect detailed file access records for all users and root. The <code>open_by_handle_at</code> syscall can be used to modi...Rule Medium Severity -
Record Successful Creation Attempts to Files - open O_CREAT
The <code>open</code> syscall can be used to create new files when O_CREAT flag is specified. The following audit rules will assure that successfu...Rule Medium Severity -
Record Successful Creation Attempts to Files - open O_TRUNC_WRITE
The audit system should collect detailed file access records for all users and root. The <code>open</code> syscall can be used to modify files if c...Rule Medium Severity -
Record Successful Access Attempts to Files - openat
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to...Rule Medium Severity -
Record Successful Creation Attempts to Files - openat O_CREAT
The <code>openat</code> syscall can be used to create new files when O_CREAT flag is specified. The following audit rules will assure that success...Rule Medium Severity -
Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE
The audit system should collect detailed file access records for all users and root. The <code>openat</code> syscall can be used to modify files if...Rule Medium Severity -
Record Successful Permission Changes to Files - removexattr
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Successful Delete Attempts to Files - rename
At a minimum, the audit system should collect file deletion for all users and root. If the <code>auditd</code> daemon is configured to use the <cod...Rule Medium Severity -
Record Successful Delete Attempts to Files - renameat
At a minimum, the audit system should collect file deletion for all users and root. If the <code>auditd</code> daemon is configured to use the <cod...Rule Medium Severity -
Record Successful Permission Changes to Files - setxattr
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Successful Access Attempts to Files - truncate
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to...Rule Medium Severity -
Record Successful Delete Attempts to Files - unlink
At a minimum, the audit system should collect file deletion for all users and root. If the <code>auditd</code> daemon is configured to use the <cod...Rule Medium Severity -
Record Successful Delete Attempts to Files - unlinkat
At a minimum, the audit system should collect file deletion for all users and root. If the <code>auditd</code> daemon is configured to use the <cod...Rule Medium Severity -
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
At a minimum the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to ...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - chmod
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configure...Rule Medium Severity -
Record Unsuccessful Ownership Changes to Files - chown
The audit system should collect unsuccessful file ownership change attempts for all users and root. If the <code>auditd</code> daemon is configured...Rule Medium Severity -
Record Unsuccessful Access Attempts to Files - creat
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - fchmod
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configure...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - fchmodat
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configure...Rule Medium Severity -
Record Unsuccessful Ownership Changes to Files - fchown
The audit system should collect unsuccessful file ownership change attempts for all users and root. If the <code>auditd</code> daemon is configured...Rule Medium Severity -
Record Unsuccessful Ownership Changes to Files - fchownat
The audit system should collect unsuccessful file ownership change attempts for all users and root. If the <code>auditd</code> daemon is configured...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - fremovexattr
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configure...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - fsetxattr
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configure...Rule Medium Severity -
Record Unsuccessful Access Attempts to Files - ftruncate
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to...Rule Medium Severity -
Record Unsuccessful Ownership Changes to Files - lchown
The audit system should collect unsuccessful file ownership change attempts for all users and root. If the <code>auditd</code> daemon is configure...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - lremovexattr
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configure...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - lsetxattr
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configure...Rule Medium Severity -
Record Unsuccessful Access Attempts to Files - open
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to...Rule Medium Severity -
Record Unsuccessful Access Attempts to Files - open_by_handle_at
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to...Rule Medium Severity -
Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT
The audit system should collect unauthorized file accesses for all users and root. The <code>open_by_handle_at</code> syscall can be used to create...Rule Medium Severity -
Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE
The audit system should collect detailed unauthorized file accesses for all users and root. The <code>open_by_handle_at</code> syscall can be used ...Rule Medium Severity -
Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly
The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessf...Rule Medium Severity -
Record Unsuccessful Creation Attempts to Files - open O_CREAT
The audit system should collect unauthorized file accesses for all users and root. The <code>open</code> syscall can be used to create new files wh...Rule Medium Severity -
Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
The audit system should collect detailed unauthorized file accesses for all users and root. The <code>open</code> syscall can be used to modify fil...Rule Medium Severity -
Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly
The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessf...Rule Medium Severity -
Record Unsuccessful Access Attempts to Files - openat
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to...Rule Medium Severity -
Record Unsuccessful Creation Attempts to Files - openat O_CREAT
The audit system should collect unauthorized file accesses for all users and root. The <code>openat</code> syscall can be used to create new files ...Rule Medium Severity -
Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE
The audit system should collect detailed unauthorized file accesses for all users and root. The <code>openat</code> syscall can be used to modify f...Rule Medium Severity -
Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly
The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessf...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - removexattr
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configure...Rule Medium Severity -
Record Unsuccessful Delete Attempts to Files - rename
The audit system should collect unsuccessful file deletion attempts for all users and root. If the <code>auditd</code> daemon is configured to use ...Rule Medium Severity -
Record Unsuccessful Delete Attempts to Files - renameat
The audit system should collect unsuccessful file deletion attempts for all users and root. If the <code>auditd</code> daemon is configured to use...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - setxattr
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configure...Rule Medium Severity -
Record Unsuccessful Delete Attempts to Files - unlink
The audit system should collect unsuccessful file deletion attempts for all users and root. If the <code>auditd</code> daemon is configured to use...Rule Medium Severity -
Record Unsuccessful Access Attempts to Files - truncate
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to...Rule Medium Severity -
Record Unsuccessful Delete Attempts to Files - unlinkat
The audit system should collect unsuccessful file deletion attempts for all users and root. If the <code>auditd</code> daemon is configured to use...Rule Medium Severity -
Record Information on Kernel Modules Loading and Unloading
To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for b...Group -
Ensure auditd Collects Information on Kernel Module Unloading - create_module
To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.