Skip to content

OSPP - Protection Profile for General Purpose Operating Systems

Rules and Groups employed by this XCCDF Profile

  • Configure the root Account for Failed Password Attempts

    This rule configures the system to lock out the <code>root</code> account after a number of incorrect login attempts using <code>pam_faillock.so</c...
    Rule Medium Severity
  • Set Interval For Counting Failed Password Attempts

    Utilizing <code>pam_faillock.so</code>, the <code>fail_interval</code> directive configures the system to lock out an account after a number of inc...
    Rule Medium Severity
  • Set Lockout Time for Failed Password Attempts

    This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using <code>pam_fail...
    Rule Medium Severity
  • Set Password Quality Requirements

    The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure pas...
    Group
  • Set Password Quality Requirements with pam_pwquality

    The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br><br> For example, to configure <cod...
    Group
  • Ensure PAM Enforces Password Requirements - Minimum Digit Characters

    The pam_pwquality module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, a...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters

    The pam_pwquality module's <code>lcredit</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negativ...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Minimum Length

    The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xcc...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Minimum Special Characters

    The pam_pwquality module's <code>ocredit=</code> parameter controls requirements for usage of special (or "other") characters in a password. When s...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session

    To configure the number of retry prompts that are permitted per-session: Edit the <code>pam_pwquality.so</code> statement in <code>/etc/pam.d/sys...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters

    The pam_pwquality module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negati...
    Rule Medium Severity
  • Protect Physical Console Access

    It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be co...
    Group
  • Disable debug-shell SystemD Service

    SystemD's <code>debug-shell</code> service is intended to diagnose SystemD related boot issues with various <code>systemctl</code> commands. Once e...
    Rule Medium Severity
  • Verify that Interactive Boot is Disabled

    Fedora systems support an "interactive boot" option that can be used to prevent services from being started. On a Fedora system, interactive boot c...
    Rule Medium Severity
  • Require Authentication for Single User Mode

    Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. ...
    Rule Medium Severity
  • Configure Screen Locking

    When a user must temporarily leave an account logged-in, screen locking should be employed to prevent passersby from abusing the account. User educ...
    Group
  • Configure Console Screen Locking

    A console screen locking mechanism is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the in...
    Group
  • Install the screen Package

    To enable console screen locking, install the <code>screen</code> package. The <code>screen</code> package can be installed with the following comm...
    Rule Medium Severity
  • Protect Accounts by Restricting Password-Based Login

    Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness ...
    Group
  • Verify Proper Storage and Existence of Password Hashes

    By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be re...
    Group
  • Prevent Login to Accounts With Empty Password

    If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without ...
    Rule High Severity
  • Secure Session Configuration Files for Login Accounts

    When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the...
    Group
  • Set Interactive Session Timeout

    Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that all user sessions will terminate based on inactivity. The value of ...
    Rule Medium Severity
  • System Accounting with auditd

    The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and c...
    Group
  • Enable auditd Service

    The <code>auditd</code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to...
    Rule Medium Severity
  • Enable Auditing for Processes Which Start Prior to the Audit Daemon

    To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument <code>audit=1</code> to the default GRUB...
    Rule Low Severity
  • Extend Audit Backlog Limit for the Audit Daemon

    To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument <code>audit_backlog_l...
    Rule Low Severity
  • Configure auditd Rules for Comprehensive Auditing

    The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings ...
    Group
  • Record Events that Modify User/Group Information via open syscall - /etc/group

    The audit system should collect write events to /etc/group file for all users and root. If the <code>auditd</code> daemon is configured to use the ...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group

    The audit system should collect write events to /etc/group file for all group and root. If the <code>auditd</code> daemon is configured to use the ...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via openat syscall - /etc/group

    The audit system should collect write events to /etc/group file for all users and root. If the <code>auditd</code> daemon is configured to use the ...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via open syscall - /etc/gshadow

    The audit system should collect write events to /etc/gshadow file for all users and root. If the <code>auditd</code> daemon is configured to use th...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow

    The audit system should collect write events to /etc/gshadow file for all users and root. If the <code>auditd</code> daemon is configured to use th...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via openat syscall - /etc/gshadow

    The audit system should collect write events to /etc/gshadow file for all users and root. If the <code>auditd</code> daemon is configured to use th...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via open syscall - /etc/passwd

    The audit system should collect write events to /etc/passwd file for all users and root. If the <code>auditd</code> daemon is configured to use the...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd

    The audit system should collect write events to /etc/passwd file for all users and root. If the <code>auditd</code> daemon is configured to use the...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via openat syscall - /etc/passwd

    The audit system should collect write events to /etc/passwd file for all users and root. If the <code>auditd</code> daemon is configured to use the...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via open syscall - /etc/shadow

    The audit system should collect write events to /etc/shadow file for all users and root. If the <code>auditd</code> daemon is configured to use the...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow

    The audit system should collect write events to /etc/shadow file for all users and root. If the <code>auditd</code> daemon is configured to use the...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via openat syscall - /etc/shadow

    The audit system should collect write events to /etc/shadow file for all users and root. If the <code>auditd</code> daemon is configured to use the...
    Rule Medium Severity
  • Make the auditd Configuration Immutable

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify the System's Mandatory Access Controls

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Attempts to Alter Process and Session Initiation Information

    The audit system already collects process information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>auge...
    Rule Medium Severity
  • Ensure auditd Collects System Administrator Actions

    At a minimum, the audit system should collect administrator actions for all users and root. If the <code>auditd</code> daemon is configured to use ...
    Rule Medium Severity
  • Record Events that Modify User/Group Information - /etc/group

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify User/Group Information - /etc/gshadow

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify User/Group Information - /etc/security/opasswd

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify User/Group Information - /etc/passwd

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify User/Group Information - /etc/shadow

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Access Events to Audit Log Directory

    The audit system should collect access events to read audit log directory. The following audit rule will assure that access to audit log directory ...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules