Protection Profile for General Purpose Operating Systems
Rules and Groups employed by this XCCDF Profile
-
Support session locking with tmux
The <code>tmux</code> terminal multiplexer is used to implement automatic session locking. It should be started from <code>/etc/bashrc</code> or dr...Rule Medium Severity -
Configure tmux to lock session after inactivity
To enable console screen locking in <code>tmux</code> terminal multiplexer after a period of inactivity, the <code>lock-after-time</code> option ha...Rule Medium Severity -
Configure the tmux Lock Command
To enable console screen locking in <code>tmux</code> terminal multiplexer, the <code>vlock</code> command must be configured to be used as a locki...Rule Medium Severity -
Prevent user from disabling the screen lock
Thetmuxterminal multiplexer is used to implement automatic session locking. It should not be listed in/etc/shells.Rule Low Severity -
Protect Accounts by Restricting Password-Based Login
Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness ...Group -
Verify Proper Storage and Existence of Password Hashes
By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be re...Group -
Prevent Login to Accounts With Empty Password
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without ...Rule High Severity -
Restrict Root Logins
Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivil...Group -
Enforce usage of pam_wheel for su authentication
To ensure that only users who are members of the <code>wheel</code> group can run commands with altered privileges through the <code>su</code> comm...Rule Medium Severity -
System Accounting with auditd
The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and c...Group -
Ensure the audit Subsystem is Installed
The audit package should be installed.Rule Medium Severity -
Enable auditd Service
The <code>auditd</code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to...Rule Medium Severity -
Enable Auditing for Processes Which Start Prior to the Audit Daemon
To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument <code>audit=1</code> to the default GRUB...Rule Low Severity -
Extend Audit Backlog Limit for the Audit Daemon
To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument <code>audit_backlog_l...Rule Low Severity -
Configure auditd Data Retention
The audit system writes data to <code>/var/log/audit/audit.log</code>. By default, <code>auditd</code> rotates 5 logs by size (6MB), retaining a ma...Group -
Configure auditd flush priority
The <code>auditd</code> service can be configured to synchronously write audit event data to disk. Add or correct the following line in <code>/etc/...Rule Medium Severity -
Set number of records to cause an explicit flush to audit logs
To configure Audit daemon to issue an explicit flush to disk command after writing <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_aud...Rule Medium Severity -
Resolve information before writing to audit logs
To configure Audit daemon to resolve all uid, gid, syscall, architecture, and socket address information before writing the events to disk, set <co...Rule Low Severity -
Set type of computer node name logging in audit logs
To configure Audit daemon to use a unique identifier as computer node name in the audit events, set <code>name_format</code> to <code><xccdf-1.2:su...Rule Medium Severity -
System Accounting with auditd
The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section makes use of recommended configuration settin...Group -
Configure auditing of unsuccessful file accesses
Ensure that unsuccessful attempts to access a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file ...Rule Medium Severity -
Configure auditing of unsuccessful file accesses (AArch64)
Ensure that unsuccessful attempts to access a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file ...Rule Medium Severity -
Configure auditing of unsuccessful file accesses (ppc64le)
Ensure that unsuccessful attempts to access a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file ...Rule Medium Severity -
Configure auditing of successful file accesses
Ensure that successful attempts to access a file are audited. The following rules configure audit as described above: <pre>## Successful file acce...Rule Medium Severity -
Configure auditing of successful file accesses (AArch64)
Ensure that successful attempts to access a file are audited. The following rules configure audit as described above: <pre>## Successful file acce...Rule Medium Severity -
Configure auditing of successful file accesses (ppc64le)
Ensure that successful attempts to access a file are audited. The following rules configure audit as described above: <pre>## Successful file acce...Rule Medium Severity -
Configure basic parameters of Audit system
Perform basic configuration of Audit system. Make sure that any previously defined rules are cleared, the auditing system is configured to handle s...Rule Medium Severity -
Configure auditing of unsuccessful file creations
Ensure that unsuccessful attempts to create a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file ...Rule Medium Severity -
Configure auditing of unsuccessful file creations (AArch64)
Ensure that unsuccessful attempts to create a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file ...Rule Medium Severity -
Configure auditing of unsuccessful file creations (ppc64le)
Ensure that unsuccessful attempts to create a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file ...Rule Medium Severity -
Configure auditing of successful file creations
Ensure that successful attempts to create a file are audited. The following rules configure audit as described above: <pre>## Successful file crea...Rule Medium Severity -
Configure auditing of successful file creations (AArch64)
Ensure that successful attempts to create a file are audited. The following rules configure audit as described above: <pre>## Successful file crea...Rule Medium Severity -
Configure auditing of successful file creations (ppc64le)
Ensure that successful attempts to create a file are audited. The following rules configure audit as described above: <pre>## Successful file crea...Rule Medium Severity -
Configure auditing of unsuccessful file deletions
Ensure that unsuccessful attempts to delete a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file ...Rule Medium Severity -
Configure auditing of unsuccessful file deletions (AArch64)
Ensure that unsuccessful attempts to delete a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file ...Rule Medium Severity -
Configure auditing of unsuccessful file deletions (ppc64le)
Ensure that unsuccessful attempts to delete a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file ...Rule Medium Severity -
Configure auditing of successful file deletions
Ensure that successful attempts to delete a file are audited. The following rules configure audit as described above: <pre>## Successful file dele...Rule Medium Severity -
Configure auditing of successful file deletions (AArch64)
Ensure that successful attempts to delete a file are audited. The following rules configure audit as described above: <pre>## Successful file dele...Rule Medium Severity -
Configure auditing of successful file deletions (ppc64le)
Ensure that successful attempts to delete a file are audited. The following rules configure audit as described above: <pre>## Successful file dele...Rule Medium Severity -
Configure immutable Audit login UIDs
Configure kernel to prevent modification of login UIDs once they are set. Changing login UIDs while this configuration is enforced requires special...Rule Medium Severity -
Configure auditing of unsuccessful file modifications
Ensure that unsuccessful attempts to modify a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file ...Rule Medium Severity -
Configure auditing of unsuccessful file modifications (AARch64)
Ensure that unsuccessful attempts to modify a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file ...Rule Medium Severity -
Configure auditing of unsuccessful file modifications (ppc64le)
Ensure that unsuccessful attempts to modify a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file ...Rule Medium Severity -
Configure auditing of successful file modifications
Ensure that successful attempts to modify a file are audited. The following rules configure audit as described above: <pre>## Successful file modi...Rule Medium Severity -
Configure auditing of successful file modifications (AArch64)
Ensure that successful attempts to modify a file are audited. The following rules configure audit as described above: <pre>## Successful file modi...Rule Medium Severity -
Configure auditing of successful file modifications (ppc64le)
Ensure that successful attempts to modify a file are audited. The following rules configure audit as described above: <pre>## Successful file modi...Rule Medium Severity -
Configure auditing of loading and unloading of kernel modules
Ensure that loading and unloading of kernel modules is audited. The following rules configure audit as described above: <pre>## These rules watch ...Rule Medium Severity -
Configure auditing of loading and unloading of kernel modules (ppc64le)
Ensure that loading and unloading of kernel modules is audited. The following rules configure audit as described above: <pre>## These rules watch ...Rule Medium Severity -
Perform general configuration of Audit for OSPP
Configure some basic <code>Audit</code> parameters specific for OSPP profile. In particular, configure <code>Audit</code> to watch for direct modif...Rule Medium Severity -
Perform general configuration of Audit for OSPP (AArch64)
Configure some basic <code>Audit</code> parameters specific for OSPP profile. In particular, configure <code>Audit</code> to watch for direct modif...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.