I - Mission Critical Sensitive
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000304
<GroupDescription></GroupDescription>Group -
The operating system must notify system administrators and ISSOs of account enabling actions.
<VulnDiscussion>Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing ...Rule Medium Severity -
SRG-OS-000312
<GroupDescription></GroupDescription>Group -
The operating system must allow operating system admins to pass information to any other operating system admin or user.
<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have di...Rule Medium Severity -
SRG-OS-000312
<GroupDescription></GroupDescription>Group -
The operating system must allow operating system admins to grant their privileges to other operating system admins.
<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have di...Rule Medium Severity -
SRG-OS-000312
<GroupDescription></GroupDescription>Group -
The operating system must allow operating system admins to change security attributes on users, the operating system, or the operating systems components.
<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have di...Rule Medium Severity -
SRG-OS-000324
<GroupDescription></GroupDescription>Group -
The operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or proce...Rule High Severity -
SRG-OS-000326
<GroupDescription></GroupDescription>Group -
The operating system must prevent all software from executing at higher privilege levels than users executing the software.
<VulnDiscussion>In certain situations, software applications/programs need to execute with elevated privileges to perform required functions....Rule Medium Severity -
SRG-OS-000327
<GroupDescription></GroupDescription>Group -
The operating system must audit the execution of privileged functions.
<VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external enti...Rule Medium Severity -
SRG-OS-000329
<GroupDescription></GroupDescription>Group -
The operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise...Rule Medium Severity -
SRG-OS-000337
<GroupDescription></GroupDescription>Group -
The operating system must provide the capability for assigned IMOs/ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time.
<VulnDiscussion>If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment,...Rule Medium Severity -
SRG-OS-000341
<GroupDescription></GroupDescription>Group -
The operating system must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
<VulnDiscussion>In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems n...Rule Low Severity -
SRG-OS-000342
<GroupDescription></GroupDescription>Group -
The operating system must offload audit records onto a different system or media from the system being audited.
<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common...Rule Low Severity -
SRG-OS-000343
<GroupDescription></GroupDescription>Group -
The operating system must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for a...Rule Low Severity -
SRG-OS-000344
<GroupDescription></GroupDescription>Group -
The operating system must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.
<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required....Rule Medium Severity -
SRG-OS-000348
<GroupDescription></GroupDescription>Group -
The operating system must provide an audit reduction capability that supports on-demand audit review and analysis.
<VulnDiscussion>The ability to perform on-demand audit review and analysis, including after the audit data has been subjected to audit reduct...Rule Low Severity -
SRG-OS-000349
<GroupDescription></GroupDescription>Group -
The operating system must provide an audit reduction capability that supports after-the-fact investigations of security incidents.
<VulnDiscussion>If the audit reduction capability does not support after-the-fact investigations, it is difficult to establish, correlate, an...Rule Low Severity -
SRG-OS-000350
<GroupDescription></GroupDescription>Group -
The operating system must provide a report generation capability that supports on-demand audit review and analysis.
<VulnDiscussion>The report generation capability must support on-demand review and analysis in order to facilitate the organization's ability...Rule Low Severity -
SRG-OS-000351
<GroupDescription></GroupDescription>Group -
The operating system must provide a report generation capability that supports on-demand reporting requirements.
<VulnDiscussion>The report generation capability must support on-demand reporting in order to facilitate the organization's ability to genera...Rule Low Severity -
SRG-OS-000352
<GroupDescription></GroupDescription>Group -
The operating system must provide a report generation capability that supports after-the-fact investigations of security incidents.
<VulnDiscussion>If the report generation capability does not support after-the-fact investigations, it is difficult to establish, correlate, ...Rule Low Severity -
SRG-OS-000353
<GroupDescription></GroupDescription>Group -
The operating system must not alter original content or time ordering of audit records when it provides an audit reduction capability.
<VulnDiscussion>If the audit reduction capability alters the content or time ordering of audit records, the integrity of the audit records is...Rule Medium Severity -
SRG-OS-000354
<GroupDescription></GroupDescription>Group -
The operating system must not alter original content or time ordering of audit records when it provides a report generation capability.
<VulnDiscussion>If the report generation capability alters the content or time ordering of audit records, the integrity of the audit records ...Rule Medium Severity -
SRG-OS-000355
<GroupDescription></GroupDescription>Group -
The operating system must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the cor...Rule Medium Severity -
SRG-OS-000356
<GroupDescription></GroupDescription>Group -
The operating system must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the cor...Rule Medium Severity -
SRG-OS-000358
<GroupDescription></GroupDescription>Group -
The operating system must record time stamps for audit records that meet a minimum granularity of one second for a minimum degree of precision.
<VulnDiscussion>Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records....Rule Medium Severity -
SRG-OS-000359
<GroupDescription></GroupDescription>Group -
The operating system must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
<VulnDiscussion>If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analys...Rule Low Severity -
SRG-OS-000360
<GroupDescription></GroupDescription>Group -
The operating system must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process.
<VulnDiscussion>An authorized user may intentionally or accidentally move or delete audit records without those specific actions being author...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.