Skip to content

OSPP - Protection Profile for General Purpose Operating Systems

Rules and Groups employed by this XCCDF Profile

  • Prevent Login to Accounts With Empty Password

    If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without ...
    Rule High Severity
  • Secure Session Configuration Files for Login Accounts

    When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the...
    Group
  • Set Interactive Session Timeout

    Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that all user sessions will terminate based on inactivity. The value of ...
    Rule Medium Severity
  • System Accounting with auditd

    The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and c...
    Group
  • Enable auditd Service

    The <code>auditd</code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to...
    Rule Medium Severity
  • Enable Auditing for Processes Which Start Prior to the Audit Daemon

    To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument <code>audit=1</code> to the default GRUB...
    Rule Low Severity
  • Extend Audit Backlog Limit for the Audit Daemon

    To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument <code>audit_backlog_l...
    Rule Low Severity
  • Configure auditd Rules for Comprehensive Auditing

    The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings ...
    Group
  • Record Events that Modify User/Group Information via open syscall - /etc/group

    The audit system should collect write events to /etc/group file for all users and root. If the <code>auditd</code> daemon is configured to use the ...
    Rule Medium Severity
  • Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group

    The audit system should collect write events to /etc/group file for all group and root. If the <code>auditd</code> daemon is configured to use the ...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules