Guide to the Secure Configuration of SUSE Linux Enterprise 15
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Configure auditd space_left on Low Disk Space
The <code>auditd</code> service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file <code>/etc/audit/auditd.conf</code>. A...Rule Medium Severity -
Set number of records to cause an explicit flush to audit logs
To configure Audit daemon to issue an explicit flush to disk command after writing <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_auditd_freq" use="legacy"></xccdf-1.2:sub> records, s...Rule Medium Severity -
Include Local Events in Audit Logs
To configure Audit daemon to include local events in Audit logs, setlocal_eventstoyesin/etc/audit/auditd.conf. This is the default setting.Rule Medium Severity -
Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
The audit system should have an action setup in the event the internal event queue becomes full. To setup an overflow action edit <code>/etc/audit/auditd.conf</code>. Set <code>overflow_action</cod...Rule Medium Severity -
Type of hostname to record the audit event
Type of hostname to record the audit eventValue -
Enable auditd Service
The <code>auditd</code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The <code>auditd</code> service can be ena...Rule Medium Severity -
Configure auditd Rules for Comprehensive Auditing
The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings for comprehensive auditing, but a full description...Group -
Remove Default Configuration to Disable Syscall Auditing
By default, SUSE Linux Enterprise 15 ships an audit rule to disable syscall auditing for performance reasons. To make sure that syscall auditing works, this line must be removed from <code>/etc/au...Rule Medium Severity -
Record Events that Modify the System's Mandatory Access Controls
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <cod...Rule Medium Severity -
Record Events that Modify the System's Network Environment
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity -
Record Attempts to Alter Process and Session Initiation Information btmp
The audit system already collects process information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during d...Rule Medium Severity -
Record Events that Modify User/Group Information
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity -
Record Attempts to perform maintenance activities
The SUSE Linux Enterprise 15 operating system must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions and other system-level access. Verify the operating s...Rule Medium Severity -
Audit Configuration Files Must Be Owned By Group root
All audit configuration files must be owned by group root.chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls
At a minimum, the audit system should collect file permission changes for all users and root. Note that the "-F arch=b32" lines should be present even on a 64 bit system. These commands identify sy...Group -
Record Events that Modify the System's Discretionary Access Controls - fchmod
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
At a minimum, the audit system should collect file permission changes for all users and root. <br> <br> If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> pr...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - removexattr
At a minimum, the audit system should collect file permission changes for all users and root. <br> <br> If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> pr...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - umount2
At a minimum, the audit system should collect file system umount2 changes. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daem...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.