Skip to content

Guide to the Secure Configuration of Red Hat Enterprise Linux 7

Rules, Groups, and Values defined within the XCCDF Benchmark

  • System Accounting with auditd

    The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and c...
    Group
  • Install audispd-plugins Package

    The audispd-plugins package can be installed with the following command:
    $ sudo yum install audispd-plugins
    Rule Medium Severity
  • Ensure the default plugins for the audit dispatcher are Installed

    The audit-audispd-plugins package should be installed.
    Rule Medium Severity
  • Ensure the audit-libs package as a part of audit Subsystem is Installed

    The audit-libs package should be installed.
    Rule Medium Severity
  • Enable auditd Service

    The <code>auditd</code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to...
    Rule Medium Severity
  • Enable Auditing for Processes Which Start Prior to the Audit Daemon

    To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument <code>audit=1</code> to the default GRUB...
    Rule Low Severity
  • Extend Audit Backlog Limit for the Audit Daemon

    To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument <code>audit_backlog_l...
    Rule Low Severity
  • Configure auditd Rules for Comprehensive Auditing

    The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings ...
    Group
  • Audit failure mode

    This variable is the setting for the -f option in Audit configuration which sets the failure mode of audit. This option lets you determine how you ...
    Value
  • Record Events that Modify User/Group Information via open syscall - /etc/group

    The audit system should collect write events to /etc/group file for all users and root. If the <code>auditd</code> daemon is configured to use the ...
    Rule Medium Severity
  • The percentage remaining in disk space before prompting admin_space_left_action

    The setting for admin_space_left as a percentage in /etc/audit/auditd.conf
    Value
  • Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group

    The audit system should collect write events to /etc/group file for all group and root. If the <code>auditd</code> daemon is configured to use the ...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via openat syscall - /etc/group

    The audit system should collect write events to /etc/group file for all users and root. If the <code>auditd</code> daemon is configured to use the ...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via open syscall - /etc/gshadow

    The audit system should collect write events to /etc/gshadow file for all users and root. If the <code>auditd</code> daemon is configured to use th...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow

    The audit system should collect write events to /etc/gshadow file for all users and root. If the <code>auditd</code> daemon is configured to use th...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via openat syscall - /etc/gshadow

    The audit system should collect write events to /etc/gshadow file for all users and root. If the <code>auditd</code> daemon is configured to use th...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via open syscall - /etc/passwd

    The audit system should collect write events to /etc/passwd file for all users and root. If the <code>auditd</code> daemon is configured to use the...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd

    The audit system should collect write events to /etc/passwd file for all users and root. If the <code>auditd</code> daemon is configured to use the...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via openat syscall - /etc/passwd

    The audit system should collect write events to /etc/passwd file for all users and root. If the <code>auditd</code> daemon is configured to use the...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via open syscall - /etc/shadow

    The audit system should collect write events to /etc/shadow file for all users and root. If the <code>auditd</code> daemon is configured to use the...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules