Protection Profile for General Purpose Operating Systems
Rules and Groups employed by this XCCDF Profile
-
Perform general configuration of Audit for OSPP (ppc64le)
Configure some basic <code>Audit</code> parameters specific for OSPP profile. In particular, configure <code>Audit</code> to watch for direct modif...Rule Medium Severity -
Configure auditing of unsuccessful ownership changes
Ensure that unsuccessful attempts to change an ownership of files or directories are audited. The following rules configure audit as described abo...Rule Medium Severity -
Configure auditing of unsuccessful ownership changes (AArch64)
Ensure that unsuccessful attempts to change an ownership of files or directories are audited. The following rules configure audit as described abo...Rule Medium Severity -
Configure auditing of unsuccessful ownership changes (ppc64le)
Ensure that unsuccessful attempts to change an ownership of files or directories are audited. The following rules configure audit as described abo...Rule Medium Severity -
Configure auditing of successful ownership changes
Ensure that successful attempts to change an ownership of files or directories are audited. The following rules configure audit as described above...Rule Medium Severity -
Configure auditing of successful ownership changes (AArch64)
Ensure that successful attempts to change an ownership of files or directories are audited. The following rules configure audit as described above...Rule Medium Severity -
Configure auditing of successful ownership changes (ppc64le)
Ensure that successful attempts to change an ownership of files or directories are audited. The following rules configure audit as described above...Rule Medium Severity -
Configure auditing of unsuccessful permission changes
Ensure that unsuccessful attempts to change file or directory permissions are audited. The following rules configure audit as described above: <pr...Rule Medium Severity -
Configure auditing of unsuccessful permission changes (AArch64)
Ensure that unsuccessful attempts to change file or directory permissions are audited. The following rules configure audit as described above: <pr...Rule Medium Severity -
Configure auditing of unsuccessful permission changes (ppc64le)
Ensure that unsuccessful attempts to change file or directory permissions are audited. The following rules configure audit as described above: <pr...Rule Medium Severity -
Configure auditing of successful permission changes
Ensure that successful attempts to modify permissions of files or directories are audited. The following rules configure audit as described above:...Rule Medium Severity -
Configure auditing of successful permission changes (AArch64)
Ensure that successful attempts to modify permissions of files or directories are audited. The following rules configure audit as described above:...Rule Medium Severity -
Configure auditing of successful permission changes (ppc64le)
Ensure that successful attempts to modify permissions of files or directories are audited. The following rules configure audit as described above:...Rule Medium Severity -
GRUB2 bootloader configuration
During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows ...Group -
Disable Recovery Booting
Red Hat Enterprise Linux 9 systems support an "recovery boot" option that can be used to prevent services from being started. The <code>GRUB_DISABL...Rule Medium Severity -
Configure kernel to zero out memory before allocation
To configure the kernel to zero out memory before allocating it, add the <code>init_on_alloc=1</code> argument to the default GRUB 2 command line. ...Rule Medium Severity -
Enable randomization of the page allocator
To enable randomization of the page allocator in the kernel, add the <code>page_alloc.shuffle=1</code> argument to the default GRUB 2 command line....Rule Medium Severity -
Ensure debug-shell service is not enabled during boot
systemd's <code>debug-shell</code> service is intended to diagnose systemd related boot issues with various <code>systemctl</code> commands. Once e...Rule Medium Severity -
Disable vsyscalls
To disable use of virtual syscalls, add the argument <code>vsyscall=none</code> to the default GRUB 2 command line for the Linux operating system. ...Rule Medium Severity -
UEFI GRUB2 bootloader configuration
UEFI GRUB2 bootloader configurationGroup
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.