OSPP - Protection Profile for General Purpose Operating Systems
Rules and Groups employed by this XCCDF Profile
-
Record Events that Modify the System's Discretionary Access Controls
At a minimum, the audit system should collect file permission changes for all users and root. Note that the "-F arch=b32" lines should be present e...Group -
Record Events that Modify the System's Discretionary Access Controls - chmod
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - chown
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fchmod
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fchmodat
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fchown
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fchownat
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
At a minimum, the audit system should collect file permission changes for all users and root. <br><br> If the <code>auditd</code> daemon is configu...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - lchown
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
At a minimum, the audit system should collect file permission changes for all users and root. <br><br> If the <code>auditd</code> daemon is configu...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - removexattr
At a minimum, the audit system should collect file permission changes for all users and root. <br><br> If the <code>auditd</code> daemon is configu...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - setxattr
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...Rule Medium Severity -
Record Execution Attempts to Run SELinux Privileged Commands
At a minimum, the audit system should collect the execution of SELinux privileged commands for all users and root.Group -
Record Any Attempts to Run chcon
At a minimum, the audit system should collect any execution attempt of the <code>chcon</code> command for all users and root. If the <code>auditd</...Rule Medium Severity -
Record Any Attempts to Run restorecon
At a minimum, the audit system should collect any execution attempt of the <code>restorecon</code> command for all users and root. If the <code>aud...Rule Medium Severity -
Record Any Attempts to Run semanage
At a minimum, the audit system should collect any execution attempt of the <code>semanage</code> command for all users and root. If the <code>audit...Rule Medium Severity -
Record Any Attempts to Run setsebool
At a minimum, the audit system should collect any execution attempt of the <code>setsebool</code> command for all users and root. If the <code>audi...Rule Medium Severity -
Record Any Attempts to Run seunshare
At a minimum, the audit system should collect any execution attempt of the <code>seunshare</code> command for all users and root. If the <code>audi...Rule Medium Severity -
Record File Deletion Events by User
At a minimum, the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use t...Group -
Ensure auditd Collects File Deletion Events by User - rename
At a minimum, the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use t...Rule Medium Severity -
Ensure auditd Collects File Deletion Events by User - renameat
At a minimum, the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use t...Rule Medium Severity -
Ensure auditd Collects File Deletion Events by User - rmdir
At a minimum, the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use t...Rule Medium Severity -
Ensure auditd Collects File Deletion Events by User - unlink
At a minimum, the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use t...Rule Medium Severity -
Ensure auditd Collects File Deletion Events by User - unlinkat
At a minimum, the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use t...Rule Medium Severity -
Record Unauthorized Access Attempts Events to Files (unsuccessful)
At a minimum, the audit system should collect unauthorized file accesses for all users and root. Note that the "-F arch=b32" lines should be presen...Group -
Record Unsuccessful Permission Changes to Files - chmod
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configure...Rule Medium Severity -
Record Unsuccessful Ownership Changes to Files - chown
The audit system should collect unsuccessful file ownership change attempts for all users and root. If the <code>auditd</code> daemon is configured...Rule Medium Severity -
Record Unsuccessful Access Attempts to Files - creat
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - fchmod
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configure...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - fchmodat
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configure...Rule Medium Severity -
Record Unsuccessful Ownership Changes to Files - fchown
The audit system should collect unsuccessful file ownership change attempts for all users and root. If the <code>auditd</code> daemon is configured...Rule Medium Severity -
Record Unsuccessful Ownership Changes to Files - fchownat
The audit system should collect unsuccessful file ownership change attempts for all users and root. If the <code>auditd</code> daemon is configured...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - fremovexattr
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configure...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - fsetxattr
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configure...Rule Medium Severity -
Record Unsuccessful Access Attempts to Files - ftruncate
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to...Rule Medium Severity -
Record Unsuccessful Ownership Changes to Files - lchown
The audit system should collect unsuccessful file ownership change attempts for all users and root. If the <code>auditd</code> daemon is configure...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - lremovexattr
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configure...Rule Medium Severity -
Record Unsuccessful Permission Changes to Files - lsetxattr
The audit system should collect unsuccessful file permission change attempts for all users and root. If the <code>auditd</code> daemon is configure...Rule Medium Severity -
Record Unsuccessful Access Attempts to Files - open
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to...Rule Medium Severity -
Record Unsuccessful Access Attempts to Files - open_by_handle_at
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to...Rule Medium Severity -
Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT
The audit system should collect unauthorized file accesses for all users and root. The <code>open_by_handle_at</code> syscall can be used to create...Rule Medium Severity -
Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE
The audit system should collect detailed unauthorized file accesses for all users and root. The <code>open_by_handle_at</code> syscall can be used ...Rule Medium Severity -
Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly
The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessf...Rule Medium Severity -
Record Unsuccessful Creation Attempts to Files - open O_CREAT
The audit system should collect unauthorized file accesses for all users and root. The <code>open</code> syscall can be used to create new files wh...Rule Medium Severity -
Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
The audit system should collect detailed unauthorized file accesses for all users and root. The <code>open</code> syscall can be used to modify fil...Rule Medium Severity -
Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly
The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessf...Rule Medium Severity -
Record Unsuccessful Access Attempts to Files - openat
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to...Rule Medium Severity -
Record Unsuccessful Creation Attempts to Files - openat O_CREAT
The audit system should collect unauthorized file accesses for all users and root. The <code>openat</code> syscall can be used to create new files ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.