OSPP - Protection Profile for General Purpose Operating Systems
Rules and Groups employed by this XCCDF Profile
-
Set Lockouts for Failed Password Attempts
The <code>pam_faillock</code> PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentation is available in <code>/usr/share/doc/pam-VERSIO...Group -
Lock Accounts After Failed Password Attempts
This rule configures the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>. pam_faillock.so module requires multiple entries in pam files. Th...Rule Medium Severity -
Configure the root Account for Failed Password Attempts
This rule configures the system to lock out the <code>root</code> account after a number of incorrect login attempts using <code>pam_faillock.so</code>. pam_faillock.so module requires multiple en...Rule Medium Severity -
Set Interval For Counting Failed Password Attempts
Utilizing <code>pam_faillock.so</code>, the <code>fail_interval</code> directive configures the system to lock out an account after a number of incorrect login attempts within a specified time peri...Rule Medium Severity -
Set Lockout Time for Failed Password Attempts
This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using <code>pam_faillock.so</code>. Ensure that the file <code>/etc/s...Rule Medium Severity -
Set Password Quality Requirements
The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure passwords are not similar to dictionary words, are of...Group -
Set Password Quality Requirements with pam_pwquality
The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br> <br> For example, to configure <code>pam_pwquality</code> to require at lea...Group -
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
The pam_pwquality module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many ...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
The pam_pwquality module's <code>lcredit</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Length
The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_val...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Special Characters
The pam_pwquality module's <code>ocredit=</code> parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be requ...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
To configure the number of retry prompts that are permitted per-session: Edit the <code>pam_pwquality.so</code> statement in <code>/etc/pam.d/system-auth</code> to show <code>retry=<xccdf-1.2:s...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
The pam_pwquality module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contai...Rule Medium Severity -
Protect Physical Console Access
It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be considered a necessary step. However, there are some...Group -
Disable debug-shell SystemD Service
SystemD's <code>debug-shell</code> service is intended to diagnose SystemD related boot issues with various <code>systemctl</code> commands. Once enabled and following a system reboot, the root she...Rule Medium Severity -
Verify that Interactive Boot is Disabled
Fedora systems support an "interactive boot" option that can be used to prevent services from being started. On a Fedora system, interactive boot can be enabled by providing a <code>1</code>, <code...Rule Medium Severity -
Require Authentication for Single User Mode
Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. <br> <br> By default, single-user mode is ...Rule Medium Severity -
Configure Screen Locking
When a user must temporarily leave an account logged-in, screen locking should be employed to prevent passersby from abusing the account. User education and training is particularly important for s...Group -
Configure Console Screen Locking
A console screen locking mechanism is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of th...Group -
Install the screen Package
To enable console screen locking, install the <code>screen</code> package. The <code>screen</code> package can be installed with the following command: <pre> $ sudo dnf install screen</pre> Instruc...Rule Medium Severity -
Protect Accounts by Restricting Password-Based Login
Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness using the <code>/etc/passwd</code> and <code>/etc/...Group -
Verify Proper Storage and Existence of Password Hashes
By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be readable only by processes running with root credent...Group -
Prevent Login to Accounts With Empty Password
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the <code>...Rule High Severity -
Secure Session Configuration Files for Login Accounts
When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the user's home directory, and may have weak permissi...Group -
Set Interactive Session Timeout
Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that all user sessions will terminate based on inactivity. The value of TMOUT should be exported and read only. The <code>...Rule Medium Severity -
System Accounting with auditd
The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and certain types of security-relevant events such as s...Group -
Enable auditd Service
The <code>auditd</code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The <code>auditd</code> service can be ena...Rule Medium Severity -
Enable Auditing for Processes Which Start Prior to the Audit Daemon
To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument <code>audit=1</code> to the default GRUB 2 command line for the Linux operating system. Co...Rule Low Severity -
Extend Audit Backlog Limit for the Audit Daemon
To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument <code>audit_backlog_limit=8192</code> to the default GRUB 2 command lin...Rule Low Severity -
Configure auditd Rules for Comprehensive Auditing
The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings for comprehensive auditing, but a full description...Group -
Record Events that Modify User/Group Information via open syscall - /etc/group
The audit system should collect write events to /etc/group file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rule...Rule Medium Severity -
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group
The audit system should collect write events to /etc/group file for all group and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rule...Rule Medium Severity -
Record Events that Modify User/Group Information via openat syscall - /etc/group
The audit system should collect write events to /etc/group file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rule...Rule Medium Severity -
Record Events that Modify User/Group Information via open syscall - /etc/gshadow
The audit system should collect write events to /etc/gshadow file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit ru...Rule Medium Severity -
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow
The audit system should collect write events to /etc/gshadow file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit ru...Rule Medium Severity -
Record Events that Modify User/Group Information via openat syscall - /etc/gshadow
The audit system should collect write events to /etc/gshadow file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit ru...Rule Medium Severity -
Record Events that Modify User/Group Information via open syscall - /etc/passwd
The audit system should collect write events to /etc/passwd file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rul...Rule Medium Severity -
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd
The audit system should collect write events to /etc/passwd file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rul...Rule Medium Severity -
Record Events that Modify User/Group Information via openat syscall - /etc/passwd
The audit system should collect write events to /etc/passwd file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rul...Rule Medium Severity -
Record Events that Modify User/Group Information via open syscall - /etc/shadow
The audit system should collect write events to /etc/shadow file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rul...Rule Medium Severity -
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow
The audit system should collect write events to /etc/shadow file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rul...Rule Medium Severity -
Record Events that Modify User/Group Information via openat syscall - /etc/shadow
The audit system should collect write events to /etc/shadow file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rul...Rule Medium Severity -
Make the auditd Configuration Immutable
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <cod...Rule Medium Severity -
Record Events that Modify the System's Mandatory Access Controls
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <cod...Rule Medium Severity -
Record Attempts to Alter Process and Session Initiation Information
The audit system already collects process information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during d...Rule Medium Severity -
Ensure auditd Collects System Administrator Actions
At a minimum, the audit system should collect administrator actions for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit ...Rule Medium Severity -
Record Events that Modify User/Group Information - /etc/group
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity -
Record Events that Modify User/Group Information - /etc/gshadow
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity -
Record Events that Modify User/Group Information - /etc/security/opasswd
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity -
Record Events that Modify User/Group Information - /etc/passwd
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.