Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Rules, Groups, and Values defined within the XCCDF Benchmark
-
System Accounting with auditd
The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and c...Group -
Install audispd-plugins Package
Theaudispd-plugins
package can be installed with the following command:$ sudo dnf install audispd-plugins
Rule Medium Severity -
Ensure the default plugins for the audit dispatcher are Installed
The audit-audispd-plugins package should be installed.Rule Medium Severity -
Ensure the audit Subsystem is Installed
The audit package should be installed.Rule Medium Severity -
Enable auditd Service
The <code>auditd</code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to...Rule Medium Severity -
Enable Auditing for Processes Which Start Prior to the Audit Daemon
To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument <code>audit=1</code> to the default GRUB...Rule Low Severity -
Audit Configuration Files Permissions are 640 or More Restrictive
All audit configuration files permissions must be 640 or more restrictive.chmod 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*
Rule Medium Severity -
Extend Audit Backlog Limit for the Audit Daemon
To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument <code>audit_backlog_l...Rule Low Severity -
Configure auditd Rules for Comprehensive Auditing
The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings ...Group -
Audit failure mode
This variable is the setting for the -f option in Audit configuration which sets the failure mode of audit. This option lets you determine how you ...Value -
Record Events that Modify User/Group Information via open syscall - /etc/group
The audit system should collect write events to /etc/group file for all users and root. If the <code>auditd</code> daemon is configured to use the ...Rule Medium Severity -
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group
The audit system should collect write events to /etc/group file for all group and root. If the <code>auditd</code> daemon is configured to use the ...Rule Medium Severity -
Make the auditd Configuration Immutable
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...Rule Medium Severity -
Number of Record to Retain Before Flushing to Disk
The setting for freq in /etc/audit/auditd.confValue -
Record Events that Modify User/Group Information via openat syscall - /etc/group
The audit system should collect write events to /etc/group file for all users and root. If the <code>auditd</code> daemon is configured to use the ...Rule Medium Severity -
Record Events that Modify User/Group Information via open syscall - /etc/gshadow
The audit system should collect write events to /etc/gshadow file for all users and root. If the <code>auditd</code> daemon is configured to use th...Rule Medium Severity -
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow
The audit system should collect write events to /etc/gshadow file for all users and root. If the <code>auditd</code> daemon is configured to use th...Rule Medium Severity -
Record Events that Modify User/Group Information via openat syscall - /etc/gshadow
The audit system should collect write events to /etc/gshadow file for all users and root. If the <code>auditd</code> daemon is configured to use th...Rule Medium Severity -
Record Events that Modify User/Group Information via open syscall - /etc/passwd
The audit system should collect write events to /etc/passwd file for all users and root. If the <code>auditd</code> daemon is configured to use the...Rule Medium Severity -
System Audit Logs Must Have Mode 0640 or Less Permissive
Determine where the audit logs are stored with the following command: <pre>$ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/aud...Rule Medium Severity -
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd
The audit system should collect write events to /etc/passwd file for all users and root. If the <code>auditd</code> daemon is configured to use the...Rule Medium Severity -
Record Events that Modify User/Group Information via openat syscall - /etc/passwd
The audit system should collect write events to /etc/passwd file for all users and root. If the <code>auditd</code> daemon is configured to use the...Rule Medium Severity -
Record Events that Modify User/Group Information via open syscall - /etc/shadow
The audit system should collect write events to /etc/shadow file for all users and root. If the <code>auditd</code> daemon is configured to use the...Rule Medium Severity -
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow
The audit system should collect write events to /etc/shadow file for all users and root. If the <code>auditd</code> daemon is configured to use the...Rule Medium Severity -
Record Events that Modify User/Group Information via openat syscall - /etc/shadow
The audit system should collect write events to /etc/shadow file for all users and root. If the <code>auditd</code> daemon is configured to use the...Rule Medium Severity -
Record Execution Attempts to Run SELinux Privileged Commands
At a minimum, the audit system should collect the execution of SELinux privileged commands for all users and root.Group -
Maximum audit log file size for auditd
The setting for max_log_file in /etc/audit/auditd.confValue -
Record Events that Modify the System's Mandatory Access Controls
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...Rule Medium Severity -
Record Events that Modify the System's Mandatory Access Controls in usr/share
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...Rule Medium Severity -
Ensure auditd Collects Information on Exporting to Media (successful)
At a minimum, the audit system should collect media exportation events for all users and root. If the <code>auditd</code> daemon is configured to u...Rule Medium Severity -
Record Events that Modify the System's Network Environment
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...Rule Medium Severity -
Record Attempts to Alter Process and Session Initiation Information
The audit system already collects process information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>auge...Rule Medium Severity -
Ensure auditd Collects System Administrator Actions - /etc/sudoers
At a minimum, the audit system should collect administrator actions for all users and root. If the <code>auditd</code> daemon is configured to use ...Rule Medium Severity -
Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
At a minimum, the audit system should collect administrator actions for all users and root. If the <code>auditd</code> daemon is configured to use ...Rule Medium Severity -
Record Events When Executables Are Run As Another User
Verify the system generates an audit record when actions are run as another user. sudo provides users with temporary elevated privileges to perform...Rule Medium Severity -
Record Events When Privileged Executables Are Run
Verify the system generates an audit record when privileged functions are executed. If audit is using the "auditctl" tool to load the rules, run t...Rule Medium Severity -
Ensure auditd Collects System Administrator Actions
At a minimum, the audit system should collect administrator actions for all users and root. If the <code>auditd</code> daemon is configured to use ...Rule Medium Severity -
Shutdown System When Auditing Failures Occur
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...Rule Medium Severity -
Record Events that Modify User/Group Information
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...Rule Medium Severity -
Record Events that Modify User/Group Information - /etc/group
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...Rule Medium Severity -
Record Events that Modify User/Group Information - /etc/gshadow
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...Rule Medium Severity -
Record Events that Modify User/Group Information - /etc/security/opasswd
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...Rule Medium Severity -
Record Events that Modify User/Group Information - /etc/passwd
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...Rule Medium Severity -
Record Events that Modify User/Group Information - /etc/shadow
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...Rule Medium Severity -
System Audit Logs Must Be Owned By Root
All audit logs must be owned by root user and group. By default, the path for audit log is <pre>/var/log/audit/</pre>. To properly set the owner o...Rule Medium Severity -
System Accounting with auditd
The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section makes use of recommended configuration settin...Group -
System Audit Logs Must Be Owned By Root
All audit logs must be owned by root user. The path for audit log can be configured via <code>log_file</code> parameter in <pre>/etc/audit/auditd.c...Rule Medium Severity -
Record Attempts to perform maintenance activities
The Red Hat Enterprise Linux 9 operating system must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions an...Rule Medium Severity -
Record Access Events to Audit Log Directory
The audit system should collect access events to read audit log directory. The following audit rule will assure that access to audit log directory ...Rule Medium Severity -
System Audit Directories Must Be Group Owned By Root
All audit directories must be group owned by root user. By default, the path for audit log is <pre>/var/log/audit/</pre>. To properly set the grou...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.