Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Record Events that Modify User/Group Information - /etc/shadow
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...Rule Medium Severity -
Record Attempts to perform maintenance activities
The Red Hat Enterprise Linux 8 operating system must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions an...Rule Medium Severity -
Record Access Events to Audit Log Directory
The audit system should collect access events to read audit log directory. The following audit rule will assure that access to audit log directory ...Rule Medium Severity -
System Audit Directories Must Be Group Owned By Root
All audit directories must be group owned by root user. By default, the path for audit log is <pre>/var/log/audit/</pre>. To properly set the grou...Rule Medium Severity -
System Audit Directories Must Be Owned By Root
All audit directories must be owned by root user. By default, the path for audit log is <pre>/var/log/audit/</pre>. To properly set the owner of <...Rule Medium Severity -
System Audit Logs Must Have Mode 0750 or Less Permissive
Verify the audit log directories have a mode of "0700" or less permissive by first determining where the audit logs are stored with the following ...Rule Medium Severity -
System Audit Logs Must Be Group Owned By Root
All audit logs must be group owned by root user. The path for audit log can be configured via <code>log_file</code> parameter in <pre>/etc/audit/au...Rule Medium Severity -
Audit Configuration Files Must Be Owned By Group root
All audit configuration files must be owned by group root.chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*Rule Medium Severity -
Audit Configuration Files Must Be Owned By Root
All audit configuration files must be owned by root user. To properly set the owner of <code>/etc/audit/</code>, run the command: <pre>$ sudo chow...Rule Medium Severity -
System Audit Logs Must Be Owned By Root
All audit logs must be owned by root user and group. By default, the path for audit log is <pre>/var/log/audit/</pre>. To properly set the owner o...Rule Medium Severity -
System Audit Logs Must Be Owned By Root
All audit logs must be owned by root user. The path for audit log can be configured via <code>log_file</code> parameter in <pre>/etc/audit/auditd.c...Rule Medium Severity -
Audit Configuration Files Permissions are 640 or More Restrictive
All audit configuration files permissions must be 640 or more restrictive.chmod 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*Rule Medium Severity -
System Audit Logs Must Have Mode 0640 or Less Permissive
Determine where the audit logs are stored with the following command: <pre>$ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/aud...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls
At a minimum, the audit system should collect file permission changes for all users and root. Note that the "-F arch=b32" lines should be present e...Group -
Record Events that Modify the System's Discretionary Access Controls - chmod
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - chown
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fchmod
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fchmodat
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fchown
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fchownat
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
net.ipv6.conf.default.accept_source_route
Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirec...Value -
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
At a minimum, the audit system should collect file permission changes for all users and root. <br><br> If the <code>auditd</code> daemon is configu...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - lchown
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
At a minimum, the audit system should collect file permission changes for all users and root. <br><br> If the <code>auditd</code> daemon is configu...Rule Medium Severity -
Configure Logwatch SplitHosts Line
If <code>SplitHosts</code> is set, Logwatch will separate entries by hostname. This makes the report longer but significantly more usable. If it is...Rule Unknown Severity -
Configure audispd's Plugin disk_full_action When Disk Is Full
Configure the action the operating system takes if the disk the audit records are written to becomes full. Edit the file <code>/etc/audit/audisp-re...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - removexattr
At a minimum, the audit system should collect file permission changes for all users and root. <br><br> If the <code>auditd</code> daemon is configu...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - setxattr
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - umount
At a minimum, the audit system should collect file system umount changes. If the <code>auditd</code> daemon is configured to use the <code>augenrul...Rule Medium Severity -
Encrypt Audit Records Sent With audispd Plugin
Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. ...Rule Medium Severity -
net.ipv6.conf.default.autoconf
Enable auto configuration on IPv6 interfacesValue -
net.ipv6.conf.default.forwarding
Toggle IPv6 default ForwardingValue -
Record Events that Modify the System's Discretionary Access Controls - umount2
At a minimum, the audit system should collect file system umount2 changes. If the <code>auditd</code> daemon is configured to use the <code>augenru...Rule Medium Severity -
Record Execution Attempts to Run ACL Privileged Commands
At a minimum, the audit system should collect the execution of ACL privileged commands for all users and root.Group -
Record Any Attempts to Run chacl
At a minimum, the audit system should collect any execution attempt of the <code>chacl</code> command for all users and root. If the <code>auditd</...Rule Medium Severity -
Record Any Attempts to Run setfacl
At a minimum, the audit system should collect any execution attempt of the <code>setfacl</code> command for all users and root. If the <code>auditd...Rule Medium Severity -
Record Execution Attempts to Run SELinux Privileged Commands
At a minimum, the audit system should collect the execution of SELinux privileged commands for all users and root.Group -
Record Any Attempts to Run chcon
At a minimum, the audit system should collect any execution attempt of the <code>chcon</code> command for all users and root. If the <code>auditd</...Rule Medium Severity -
Ensure auditd Collects File Deletion Events by User - rmdir
At a minimum, the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use t...Rule Medium Severity -
Record Any Attempts to Run restorecon
At a minimum, the audit system should collect any execution attempt of the <code>restorecon</code> command for all users and root. If the <code>aud...Rule Medium Severity -
Record Any Attempts to Run semanage
At a minimum, the audit system should collect any execution attempt of the <code>semanage</code> command for all users and root. If the <code>audit...Rule Medium Severity -
Record Any Attempts to Run setfiles
At a minimum, the audit system should collect any execution attempt of the <code>setfiles</code> command for all users and root. If the <code>audit...Rule Medium Severity -
Record Any Attempts to Run setsebool
At a minimum, the audit system should collect any execution attempt of the <code>setsebool</code> command for all users and root. If the <code>audi...Rule Medium Severity -
Record Any Attempts to Run seunshare
At a minimum, the audit system should collect any execution attempt of the <code>seunshare</code> command for all users and root. If the <code>audi...Rule Medium Severity -
Record File Deletion Events by User
At a minimum, the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use t...Group -
Ensure auditd Collects File Deletion Events by User
At a minimum the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use th...Rule Medium Severity -
Ensure auditd Collects File Deletion Events by User - rename
At a minimum, the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use t...Rule Medium Severity -
Ensure auditd Collects File Deletion Events by User - renameat
At a minimum, the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use t...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.