Skip to content

DISA STIG for Red Hat Enterprise Linux CoreOS

Rules and Groups employed by this XCCDF Profile

  • Resolve information before writing to audit logs

    To configure Audit daemon to resolve all uid, gid, syscall, architecture, and socket address information before writing the events to disk, set <code>log_format</code> to <code>ENRICHED</code> in <...
    Rule Low Severity
  • System Accounting with auditd

    The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section makes use of recommended configuration settings for specific policies or use cases. The rules i...
    Group
  • Configure auditing of unsuccessful file accesses

    Ensure that unsuccessful attempts to access a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file access (any other opens) This has to go last. -a a...
    Rule Medium Severity
  • Configure auditing of unsuccessful file creations

    Ensure that unsuccessful attempts to create a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file creation (open with O_CREAT) -a always,exit -F arc...
    Rule Medium Severity
  • Configure auditing of unsuccessful file deletions

    Ensure that unsuccessful attempts to delete a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file delete -a always,exit -F arch=b32 -S unlink,unlink...
    Rule Medium Severity
  • Configure immutable Audit login UIDs

    Configure kernel to prevent modification of login UIDs once they are set. Changing login UIDs while this configuration is enforced requires special capabilities which are not available to unprivile...
    Rule Medium Severity
  • Configure auditing of unsuccessful file modifications

    Ensure that unsuccessful attempts to modify a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file modifications (open for write or truncate) -a alwa...
    Rule Medium Severity
  • GRUB2 bootloader configuration

    During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows for the selection of different kernels - possibly ...
    Group
  • Disable vsyscalls

    To disable use of virtual syscalls, add the argument <code>vsyscall=none</code> to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in <code>/boot/loader/...
    Rule Medium Severity
  • Configure Syslog

    The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lack of authentication for received messages, and lac...
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules