Skip to content

Protection Profile for General Purpose Operating Systems

Rules and Groups employed by this XCCDF Profile

  • Set number of records to cause an explicit flush to audit logs

    To configure Audit daemon to issue an explicit flush to disk command after writing <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_aud...
    Rule Medium Severity
  • Include Local Events in Audit Logs

    To configure Audit daemon to include local events in Audit logs, set <code>local_events</code> to <code>yes</code> in <code>/etc/audit/auditd.conf<...
    Rule Medium Severity
  • Resolve information before writing to audit logs

    To configure Audit daemon to resolve all uid, gid, syscall, architecture, and socket address information before writing the events to disk, set <co...
    Rule Low Severity
  • Set type of computer node name logging in audit logs

    To configure Audit daemon to use a unique identifier as computer node name in the audit events, set <code>name_format</code> to <code><xccdf-1.2:su...
    Rule Medium Severity
  • Write Audit Logs to the Disk

    To configure Audit daemon to write Audit logs to the disk, set <code>write_logs</code> to <code>yes</code> in <code>/etc/audit/auditd.conf</code>. ...
    Rule Medium Severity
  • System Accounting with auditd

    The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section makes use of recommended configuration settin...
    Group
  • Configure auditing of unsuccessful file accesses

    Ensure that unsuccessful attempts to access a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file ...
    Rule Medium Severity
  • Configure auditing of successful file accesses

    Ensure that successful attempts to access a file are audited. The following rules configure audit as described above: <pre>## Successful file acce...
    Rule Medium Severity
  • Configure basic parameters of Audit system

    Perform basic configuration of Audit system. Make sure that any previously defined rules are cleared, the auditing system is configured to handle s...
    Rule Medium Severity
  • Configure auditing of unsuccessful file creations

    Ensure that unsuccessful attempts to create a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file ...
    Rule Medium Severity
  • Configure auditing of successful file creations

    Ensure that successful attempts to create a file are audited. The following rules configure audit as described above: <pre>## Successful file crea...
    Rule Medium Severity
  • Configure auditing of unsuccessful file deletions

    Ensure that unsuccessful attempts to delete a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file ...
    Rule Medium Severity
  • Configure auditing of successful file deletions

    Ensure that successful attempts to delete a file are audited. The following rules configure audit as described above: <pre>## Successful file dele...
    Rule Medium Severity
  • Configure immutable Audit login UIDs

    Configure kernel to prevent modification of login UIDs once they are set. Changing login UIDs while this configuration is enforced requires special...
    Rule Medium Severity
  • Configure auditing of unsuccessful file modifications

    Ensure that unsuccessful attempts to modify a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file ...
    Rule Medium Severity
  • Configure auditing of successful file modifications

    Ensure that successful attempts to modify a file are audited. The following rules configure audit as described above: <pre>## Successful file modi...
    Rule Medium Severity
  • Configure auditing of loading and unloading of kernel modules

    Ensure that loading and unloading of kernel modules is audited. The following rules configure audit as described above: <pre>## These rules watch ...
    Rule Medium Severity
  • Perform general configuration of Audit for OSPP

    Configure some basic <code>Audit</code> parameters specific for OSPP profile. In particular, configure <code>Audit</code> to watch for direct modif...
    Rule Medium Severity
  • Configure auditing of unsuccessful ownership changes

    Ensure that unsuccessful attempts to change an ownership of files or directories are audited. The following rules configure audit as described abo...
    Rule Medium Severity
  • Configure auditing of successful ownership changes

    Ensure that successful attempts to change an ownership of files or directories are audited. The following rules configure audit as described above...
    Rule Medium Severity
  • Configure auditing of unsuccessful permission changes

    Ensure that unsuccessful attempts to change file or directory permissions are audited. The following rules configure audit as described above: <pr...
    Rule Medium Severity
  • Configure auditing of successful permission changes

    Ensure that successful attempts to modify permissions of files or directories are audited. The following rules configure audit as described above:...
    Rule Medium Severity
  • GRUB2 bootloader configuration

    During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows ...
    Group
  • Disable Recovery Booting

    Red Hat Enterprise Linux 8 systems support an "recovery boot" option that can be used to prevent services from being started. The <code>GRUB_DISABL...
    Rule Medium Severity
  • Configure kernel to trust the CPU random number generator

    There exist two ways how to ensure that the Linux kernel trusts the CPU hardware random number generator. If the option is configured during kernel...
    Rule Medium Severity
  • Enable Kernel Page-Table Isolation (KPTI)

    To enable Kernel page-table isolation, add the argument <code>pti=on</code> to the default GRUB 2 command line for the Linux operating system. To e...
    Rule Low Severity
  • Disable vsyscalls

    To disable use of virtual syscalls, add the argument <code>vsyscall=none</code> to the default GRUB 2 command line for the Linux operating system. ...
    Rule Medium Severity
  • UEFI GRUB2 bootloader configuration

    UEFI GRUB2 bootloader configuration
    Group
  • Set the UEFI Boot Loader Password

    The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> Since plaintext passw...
    Rule High Severity
  • zIPL bootloader configuration

    During the boot process, the bootloader is responsible for starting the execution of the kernel and passing options to it. The default Red Hat Ente...
    Group
  • Enable Auditing to Start Prior to the Audit Daemon in zIPL

    To ensure all processes can be audited, even those which start prior to the audit daemon, check that all boot entries in <code>/boot/loader/entries...
    Rule Medium Severity
  • Extend Audit Backlog Limit for the Audit Daemon in zIPL

    To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon, check that all boot entries in <code>/boo...
    Rule Medium Severity
  • Ensure all zIPL boot entries are BLS compliant

    Ensure that zIPL boot entries fully adheres to Boot Loader Specification (BLS) by checking that <code>/etc/zipl.conf</code> doesn't contain <code>i...
    Rule Medium Severity
  • Ensure zIPL bootmap is up to date

    Make sure that <code>/boot/bootmap</code> is up to date.<br> Every time a boot entry or zIPL configuration is changed <code>/boot/bootmap</code> ne...
    Rule Medium Severity
  • Enable page allocator poisoning in zIPL

    To enable poisoning of free pages, check that all boot entries in <code>/boot/loader/entries/*.conf</code> have <code>page_poison=1</code> included...
    Rule Medium Severity
  • Enable SLUB/SLAB allocator poisoning in zIPL

    To enable poisoning of SLUB/SLAB objects, check that all boot entries in <code>/boot/loader/entries/*.conf</code> have <code>slub_debug=P</code> in...
    Rule Medium Severity
  • Configure Syslog

    The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lac...
    Group
  • Ensure rsyslog is Installed

    Rsyslog is installed by default. The rsyslog package can be installed with the following command:
     $ sudo yum install rsyslog
    Rule Medium Severity
  • Network Configuration and Firewalls

    Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses th...
    Group
  • firewalld

    The dynamic firewall daemon <code>firewalld</code> provides a dynamically managed firewall with support for network “zones” to assign a level of tr...
    Group
  • Inspect and Activate Default firewalld Rules

    Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffi...
    Group
  • Install firewalld Package

    The firewalld package can be installed with the following command:
    $ sudo yum install firewalld
    Rule Medium Severity
  • Verify firewalld Enabled

    The firewalld service can be enabled with the following command:
    $ sudo systemctl enable firewalld.service
    Rule Medium Severity
  • IPv6

    The system includes support for Internet Protocol version 6. A major and often-mentioned improvement over IPv4 is its enormous increase in the numb...
    Group
  • Configure IPv6 Settings if Necessary

    A major feature of IPv6 is the extent to which systems implementing it can automatically configure their networking devices using information from ...
    Group
  • Configure Accepting Router Advertisements on All IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.accept_ra</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ip...
    Rule Medium Severity
  • Disable Accepting ICMP Redirects for All IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w...
    Rule Medium Severity
  • Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl...
    Rule Medium Severity
  • Disable Accepting Router Advertisements on all IPv6 Interfaces by Default

    To set the runtime status of the <code>net.ipv6.conf.default.accept_ra</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w ne...
    Rule Medium Severity
  • Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.default.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysct...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules