Skip to content

DRAFT - Protection Profile for General Purpose Operating Systems

Rules and Groups employed by this XCCDF Profile

  • Configure auditing of unsuccessful file creations

    Ensure that unsuccessful attempts to create a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file ...
    Rule Medium Severity
  • Configure auditing of successful file creations

    Ensure that successful attempts to create a file are audited. The following rules configure audit as described above: <pre>## Successful file crea...
    Rule Medium Severity
  • Configure auditing of unsuccessful file deletions

    Ensure that unsuccessful attempts to delete a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file ...
    Rule Medium Severity
  • Configure auditing of successful file deletions

    Ensure that successful attempts to delete a file are audited. The following rules configure audit as described above: <pre>## Successful file dele...
    Rule Medium Severity
  • Configure immutable Audit login UIDs

    Configure kernel to prevent modification of login UIDs once they are set. Changing login UIDs while this configuration is enforced requires special...
    Rule Medium Severity
  • Configure auditing of unsuccessful file modifications

    Ensure that unsuccessful attempts to modify a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file ...
    Rule Medium Severity
  • Configure auditing of successful file modifications

    Ensure that successful attempts to modify a file are audited. The following rules configure audit as described above: <pre>## Successful file modi...
    Rule Medium Severity
  • Configure auditing of loading and unloading of kernel modules

    Ensure that loading and unloading of kernel modules is audited. The following rules configure audit as described above: <pre>## These rules watch ...
    Rule Medium Severity
  • Perform general configuration of Audit for OSPP

    Configure some basic <code>Audit</code> parameters specific for OSPP profile. In particular, configure <code>Audit</code> to watch for direct modif...
    Rule Medium Severity
  • Configure auditing of unsuccessful ownership changes

    Ensure that unsuccessful attempts to change an ownership of files or directories are audited. The following rules configure audit as described abo...
    Rule Medium Severity
  • Configure auditing of successful ownership changes

    Ensure that successful attempts to change an ownership of files or directories are audited. The following rules configure audit as described above...
    Rule Medium Severity
  • Configure auditing of unsuccessful permission changes

    Ensure that unsuccessful attempts to change file or directory permissions are audited. The following rules configure audit as described above: <pr...
    Rule Medium Severity
  • Configure auditing of successful permission changes

    Ensure that successful attempts to modify permissions of files or directories are audited. The following rules configure audit as described above:...
    Rule Medium Severity
  • GRUB2 bootloader configuration

    During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows ...
    Group
  • Configure kernel to zero out memory before allocation

    To configure the kernel to zero out memory before allocating it, add the <code>init_on_alloc=1</code> argument to the default GRUB 2 command line. ...
    Rule Medium Severity
  • Enable randomization of the page allocator

    To enable randomization of the page allocator in the kernel, add the <code>page_alloc.shuffle=1</code> argument to the default GRUB 2 command line....
    Rule Medium Severity
  • Disable vsyscalls

    To disable use of virtual syscalls, add the argument <code>vsyscall=none</code> to the default GRUB 2 command line for the Linux operating system. ...
    Rule Medium Severity
  • UEFI GRUB2 bootloader configuration

    UEFI GRUB2 bootloader configuration
    Group
  • Set the UEFI Boot Loader Password

    The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> Since plaintext passw...
    Rule High Severity
  • Configure Syslog

    The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lac...
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules