Protection Profile for General Purpose Operating Systems
Rules and Groups employed by this XCCDF Profile
-
Prevent user from disabling the screen lock
Thetmuxterminal multiplexer is used to implement automatic session locking. It should not be listed in/etc/shells.Rule Low Severity -
Protect Accounts by Restricting Password-Based Login
Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness ...Group -
Verify Proper Storage and Existence of Password Hashes
By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be re...Group -
Prevent Login to Accounts With Empty Password
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without ...Rule High Severity -
Restrict Root Logins
Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivil...Group -
Restrict Virtual Console Root Logins
To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in <code>/etc/securetty</code>: <...Rule Medium Severity -
Enforce usage of pam_wheel for su authentication
To ensure that only users who are members of the <code>wheel</code> group can run commands with altered privileges through the <code>su</code> comm...Rule Medium Severity -
Secure Session Configuration Files for Login Accounts
When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the...Group -
Limit the Number of Concurrent Login Sessions Allowed Per User
Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions...Rule Low Severity -
Ensure that Users Have Sensible Umask Values
The umask setting controls the default permissions for the creation of new files. With a default <code>umask</code> setting of 077, files and direc...Group -
Ensure the Default Bash Umask is Set Correctly
To ensure the default umask for users of the Bash shell is set properly, add or correct the <code>umask</code> setting in <code>/etc/bashrc</code> ...Rule Medium Severity -
Ensure the Default C Shell Umask is Set Correctly
To ensure the default umask for users of the C shell is set properly, add or correct the <code>umask</code> setting in <code>/etc/csh.cshrc</code> ...Rule Medium Severity -
Ensure the Default Umask is Set Correctly in /etc/profile
To ensure the default umask controlled by <code>/etc/profile</code> is set properly, add or correct the <code>umask</code> setting in <code>/etc/pr...Rule Medium Severity -
System Accounting with auditd
The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and c...Group -
Ensure the audit Subsystem is Installed
The audit package should be installed.Rule Medium Severity -
Enable auditd Service
The <code>auditd</code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to...Rule Medium Severity -
Enable Auditing for Processes Which Start Prior to the Audit Daemon
To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument <code>audit=1</code> to the default GRUB...Rule Low Severity -
Extend Audit Backlog Limit for the Audit Daemon
To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument <code>audit_backlog_l...Rule Low Severity -
Configure auditd Data Retention
The audit system writes data to <code>/var/log/audit/audit.log</code>. By default, <code>auditd</code> rotates 5 logs by size (6MB), retaining a ma...Group -
Configure auditd flush priority
The <code>auditd</code> service can be configured to synchronously write audit event data to disk. Add or correct the following line in <code>/etc/...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.