Skip to content

Australian Cyber Security Centre (ACSC) ISM Official

Rules and Groups employed by this XCCDF Profile

  • Ensure auditd Collects System Administrator Actions

    At a minimum, the audit system should collect administrator actions for all users and root. If the <code>auditd</code> daemon is configured to use ...
    Rule Medium Severity
  • Record Events that Modify User/Group Information

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify the System's Discretionary Access Controls

    At a minimum, the audit system should collect file permission changes for all users and root. Note that the "-F arch=b32" lines should be present e...
    Group
  • Record Events that Modify the System's Discretionary Access Controls - chmod

    At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...
    Rule Medium Severity
  • Record Events that Modify the System's Discretionary Access Controls - chown

    At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...
    Rule Medium Severity
  • Record Execution Attempts to Run SELinux Privileged Commands

    At a minimum, the audit system should collect the execution of SELinux privileged commands for all users and root.
    Group
  • Record Any Attempts to Run chcon

    At a minimum, the audit system should collect any execution attempt of the <code>chcon</code> command for all users and root. If the <code>auditd</...
    Rule Medium Severity
  • Record Any Attempts to Run restorecon

    At a minimum, the audit system should collect any execution attempt of the <code>restorecon</code> command for all users and root. If the <code>aud...
    Rule Medium Severity
  • Record Any Attempts to Run semanage

    At a minimum, the audit system should collect any execution attempt of the <code>semanage</code> command for all users and root. If the <code>audit...
    Rule Medium Severity
  • Record Any Attempts to Run setfiles

    At a minimum, the audit system should collect any execution attempt of the <code>setfiles</code> command for all users and root. If the <code>audit...
    Rule Medium Severity
  • Record Any Attempts to Run setsebool

    At a minimum, the audit system should collect any execution attempt of the <code>setsebool</code> command for all users and root. If the <code>audi...
    Rule Medium Severity
  • Record Any Attempts to Run seunshare

    At a minimum, the audit system should collect any execution attempt of the <code>seunshare</code> command for all users and root. If the <code>audi...
    Rule Medium Severity
  • Record Unauthorized Access Attempts Events to Files (unsuccessful)

    At a minimum, the audit system should collect unauthorized file accesses for all users and root. Note that the "-F arch=b32" lines should be presen...
    Group
  • Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)

    At a minimum the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to ...
    Rule Medium Severity
  • Record Information on Kernel Modules Loading and Unloading

    To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for b...
    Group
  • Ensure auditd Collects Information on Kernel Module Loading and Unloading

    To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for b...
    Rule Medium Severity
  • Record Attempts to Alter Logon and Logout Events

    The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenr...
    Group
  • Record Attempts to Alter Logon and Logout Events

    The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenr...
    Rule Medium Severity
  • Record Attempts to Alter Logon and Logout Events - faillock

    The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenr...
    Rule Medium Severity
  • Record Attempts to Alter Logon and Logout Events - lastlog

    The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenr...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules