Guide to the Secure Configuration of Red Hat Enterprise Linux 7
with profile OSPP - Protection Profile for General Purpose Operating Systems v. 4.2This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2). This Annex is consistent with CNSSI-1253, which requires US National Security Systems to adhere to certain configuration parameters. Accordingly, configuration guidance produced according to the requirements of this Annex is suitable for use in US National Security Systems.
https://www.open-scap.org/security-policies/scap-security-guide
scap-security-guide package which is developed at
https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Red Hat Enterprise Linux 7, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Evaluation Characteristics
| Evaluation target | localhost.localdomain |
|---|---|
| Benchmark URL | /tmp/tmp.GMUqgtiYrj/input.xml |
| Benchmark ID | xccdf_org.ssgproject.content_benchmark_RHEL-7 |
| Profile ID | xccdf_org.ssgproject.content_profile_ospp42 |
| Started at | 2018-09-25T23:08:34 |
| Finished at | 2018-09-25T23:09:04 |
| Performed by | admin |
CPE Platforms
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
Addresses
- IPv4 127.0.0.1
- IPv4 192.168.122.24
- IPv6 0:0:0:0:0:0:0:1
- IPv6 fe80:0:0:0:5054:ff:fe89:b532
- MAC 00:00:00:00:00:00
- MAC 52:54:00:89:B5:32
Compliance and Scoring
Rule results
Severity of failed rules
Score
| Scoring system | Score | Maximum | Percent |
|---|---|---|---|
| urn:xccdf:scoring:default | 92.306892 | 100.000000 |
Rule Overview
Result Details
Configure SSSD's Memory Cache to Expire
| Rule ID | xccdf_org.ssgproject.content_rule_sssd_memcache_timeout |
| Result | pass |
| Time | 2018-09-25T23:08:36 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80364-3 References: FIA_AFL.1, CCI-002007, IA-5(10), IA-5(13), SRG-OS-000383-GPOS-00166 |
| Description | SSSD's memory cache should be configured to set to expire records after 1 day.
To configure SSSD to expire memory cache, set [nss] memcache_timeout = 86400 |
| Rationale | If cached authentication information is out-of-date, the validity of the authentication information may be questionable. |
Configure SSSD to Expire Offline Credentials
| Rule ID | xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration |
| Result | pass |
| Time | 2018-09-25T23:08:36 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80365-0 References: FIA_AFL.1, CCI-002007, IA-5(13), SRG-OS-000383-GPOS-00166 |
| Description | SSSD should be configured to expire offline credentials after 1 day.
To configure SSSD to expire offline credentials, set
[pam] offline_credentials_expiration = 1 |
| Rationale | If cached authentication information is out-of-date, the validity of the authentication information may be questionable. |
Uninstall Automatic Bug Reporting Tool (abrt)
| Rule ID | xccdf_org.ssgproject.content_rule_package_abrt_removed |
| Result | pass |
| Time | 2018-09-25T23:08:36 |
| Severity | unknown |
| Identifiers and References | |
| Description | The Automatic Bug Reporting Tool ( $ sudo yum erase abrt |
| Rationale | Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the system, as well as sensitive information from within a process's address space or registers. |
Uninstall Sendmail Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_sendmail_removed |
| Result | pass |
| Time | 2018-09-25T23:08:36 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80288-4 References: CM-7 |
| Description | Sendmail is not the default mail transfer agent and is
not installed by default.
The $ sudo yum erase sendmail |
| Rationale | The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead. |
Disable SSH Support for User Known Hosts
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts |
| Result | pass |
| Time | 2018-09-25T23:08:36 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80372-6 References: FIA_AFL.1, RHEL-07-040380, SV-86873r2_rule, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), CM-6(a), SRG-OS-000480-GPOS-00227 |
| Description | SSH can allow system users user host-based authentication to connect
to systems if a cache of the remote systems public keys are available.
This should be disabled.
IgnoreUserKnownHosts yes |
| Rationale | Configuring this setting for the SSH daemon provides additional assurance that remove login via SSH will require a password, even in the event of misconfiguration elsewhere. |
Disable SSH Access via Empty Passwords
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords |
| Result | pass |
| Time | 2018-09-25T23:08:36 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-27471-2 References: FIA_AFL.1, RHEL-07-010300, SV-86563r2_rule, 5.2.9, 5.5.6, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), AC-3, AC-6, CM-6(b), SRG-OS-000480-GPOS-00229 |
| Description | To explicitly disallow SSH login from accounts with
empty passwords, add or correct the following line in PermitEmptyPasswords no Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. |
| Rationale | Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. |
Disable SSH Support for Rhosts RSA Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa |
| Result | pass |
| Time | 2018-09-25T23:08:36 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80373-4 References: FIA_AFL.1, RHEL-07-040330, SV-86863r3_rule, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), CM-6(a), SRG-OS-000480-GPOS-00227 |
| Description | SSH can allow authentication through the obsolete rsh
command through the use of the authenticating user's SSH keys. This should be disabled.
RhostsRSAAuthentication no |
| Rationale | Configuring this setting for the SSH daemon provides additional assurance that remove login via SSH will require a password, even in the event of misconfiguration elsewhere. |
| Warnings | warning
As of openssh-server version 7.4 and above,
the RhostsRSAAuthentication option has been deprecated, and the line
RhostsRSAAuthentication noin /etc/ssh/sshd_config is not
necessary. |
Disable Kerberos Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth |
| Result | pass |
| Time | 2018-09-25T23:08:36 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80221-5 References: FIA_AFL.1, RHEL-07-040440, SV-86885r2_rule, 3.1.12, CCI-000368, CCI-000318, CCI-001812, CCI-001813, CCI-001814, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), CM-6(c), SRG-OS-000364-GPOS-00151 |
| Description | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like Kerberos. To disable Kerberos authentication, add
or correct the following line in the KerberosAuthentication no |
| Rationale | Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation. |
Disable SSH Support for .rhosts Files
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_rhosts |
| Result | pass |
| Time | 2018-09-25T23:08:36 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27377-1 References: FIA_AFL.1, RHEL-07-040350, SV-86867r2_rule, 5.2.6, 5.5.6, 3.1.12, CCI-000366, AC-3, CM-6(a), SRG-OS-000480-GPOS-00227 |
| Description | SSH can emulate the behavior of the obsolete rsh
command in allowing users to enable insecure access to their
accounts via IgnoreRhosts yes |
| Rationale | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. |
Disable Host-Based Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_disable_host_auth |
| Result | pass |
| Time | 2018-09-25T23:08:36 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27413-4 References: FIA_AFL.1, RHEL-07-010470, SV-86583r2_rule, 5.2.7, 5.5.6, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), AC-3, CM-6(b), SRG-OS-000480-GPOS-00229 |
| Description | SSH's cryptographic host-based authentication is
more secure than HostbasedAuthentication no |
| Rationale | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. |
Disable GSSAPI Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth |
| Result | pass |
| Time | 2018-09-25T23:08:36 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80220-7 References: FIA_AFL.1, RHEL-07-040430, SV-86883r2_rule, 3.1.12, CCI-000368, CCI-000318, CCI-001812, CCI-001813, CCI-001814, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), CM-6(c), SRG-OS-000364-GPOS-00151 |
| Description | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or
correct the following line in the GSSAPIAuthentication no |
| Rationale | GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. |
Disable SSH Root Login
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_root_login |
| Result | pass |
| Time | 2018-09-25T23:08:36 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27445-6 References: FIA_AFL.1, RHEL-07-040370, SV-86871r2_rule, 5.2.8, 5.5.6, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), AC-3, AC-6(2), IA-2(1), IA-2(5), SRG-OS-000480-GPOS-00227 |
| Description | The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line
in PermitRootLogin no |
| Rationale | Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. |
The Installed Operating System Is Vendor Supported and Certified
| Rule ID | xccdf_org.ssgproject.content_rule_installed_OS_is_certified |
| Result | pass |
| Time | 2018-09-25T23:08:36 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80349-4 References: RHEL-07-020250, SV-86621r2_rule, CCI-000366, SI-2(c), SRG-OS-000480-GPOS-00227 |
| Description | The installed operating system must be maintained and certified by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches as well as meeting and maintaining goverment certifications and standards. |
| Rationale | An operating system is considered "supported" if the vendor continues to provide security patches for the product as well as maintain government certification requirements. With an unsupported release, it will not be possible to resolve security issue discovered in the system software as well as meet government certifications. |
Enable FIPS Mode in GRUB2
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode |
| Result | pass |
| Time | 2018-09-25T23:08:36 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80359-3 References: RHEL-07-021350, SV-86691r3_rule, 5.10.1.2, 3.13.8, 3.13.11, CCI-000068, CCI-002450, AC-17(2), SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223 |
| Description | To ensure FIPS mode is enabled, install package $ sudo yum install dracut-fips dracut -fAfter the dracut command has been run, add the argument fips=1 to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1"Finally, rebuild the grub.cfg file by using the
grub2-mkconfig -ocommand as follows:
|
| Rationale | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. |
| Warnings | warning
Running dracut -fwill overwrite the existing initramfs file. warning
The system needs to be rebooted for these changes to take effect. warning
The ability to enable FIPS does not denote FIPS compliancy or certification.
Red Hat, Inc. and Red Hat Enterprise Linux are respectively FIPS certified and compliant. Community
projects such as CentOS, Scientific Linux, etc. do not necessarily meet FIPS certification and compliancy.
Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible.
See http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm for a list of FIPS certified vendors. |
Verify File Hashes with RPM
| Rule ID | xccdf_org.ssgproject.content_rule_rpm_verify_hashes |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-27157-7 References: RHEL-07-010020, SV-86479r2_rule, 1.2.6, 5.10.4.1, 3.3.8, 3.4.1, CCI-000663, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), CM-6(d), CM-6(3), SI-7(1), Req-11.5, SRG-OS-000480-GPOS-00227 |
| Description | Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hash of system files and commands match vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database: $ rpm -Va | grep '^..5'A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file: $ rpm -qf FILENAMEThe package can be reinstalled from a yum repository using the command: $ sudo yum reinstall PACKAGENAMEAlternatively, the package can be reinstalled from trusted media using the command: $ sudo rpm -Uvh PACKAGENAME |
| Rationale | The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system. |
Ensure gpgcheck Enabled For All Yum Package Repositories
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-26876-3 References: FAU_GEN.1.1.c, 5.10.4.1, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), CM-5(3), SI-7, MA-1(b), Req-6.2, 366 |
| Description | To ensure signature checking is not disabled for
any repos, remove any lines from files in gpgcheck=0 |
| Rationale | Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA). |
Ensure Software Patches Installed
| Rule ID | xccdf_org.ssgproject.content_rule_security_patches_up_to_date |
| Result | notchecked |
| Time | 2018-09-25T23:09:02 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-26895-3 References: FMT_MOF_EXT.1, RHEL-07-020260, SV-86623r3_rule, 1.8, 5.10.4.1, CCI-000366, SI-2, SI-2(c), MA-1(b), Req-6.2, SRG-OS-000480-GPOS-00227 |
| Description | If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: $ sudo yum updateIf the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm.
NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates. |
| Rationale | Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. |
Ensure Red Hat GPG Key Installed
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-26957-1 References: FAU_GEN.1.1.c, 1.2.3, 5.10.4.1, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), CM-5(3), SI-7, MA-1(b), Req-6.2, 366 |
| Description | To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run: $ sudo subscription-manager registerIf the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import
it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY |
| Rationale | Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat. |
Ensure gpgcheck Enabled In Main Yum Configuration
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-26989-4 References: FAU_GEN.1.1.c, RHEL-07-020050, SV-86601r1_rule, 1.2.2, 5.10.4.1, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), CM-5(3), SI-7, MA-1(b), Req-6.2, SRG-OS-000366-GPOS-00153 |
| Description | The gpgcheck=1 |
| Rationale | Changes to any software components can have significant effects on the overall security
of the operating system. This requirement ensures the software has not been tampered with
and that it has been provided by a trusted vendor.
|
Ensure gpgcheck Enabled for Local Packages
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80347-8 References: FAU_GEN.1.1.c, RHEL-07-020060, SV-86603r1_rule, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), CM-5(3), SRG-OS-000366-GPOS-00153 |
| Description |
|
| Rationale | Changes to any software components can have significant effects to the overall security
of the operating system. This requirement ensures the software has not been tampered and
has been provided by a trusted vendor.
|
Ensure Users Cannot Change GNOME3 Session Idle Settings
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80544-0 References: FMT_MOF_EXT.1, RHEL-07-010082, SV-87809r3_rule, 3.1.10, CCI-000057, AC-11(a), SRG-OS-00029-GPOS-0010 |
| Description | If not already configured, ensure that users cannot change GNOME3 session idle settings
by adding /org/gnome/desktop/session/idle-delayAfter the settings have been set, run dconf update. |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. |
Set GNOME3 Screensaver Lock Delay After Activation Period
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80370-0 References: FMT_MOF_EXT.1, RHEL-07-010110, SV-86525r2_rule, 3.1.10, CCI-000056, AC-11(a), Req-8.1.8, OS-SRG-000029-GPOS-00010 |
| Description | To activate the locking delay of the screensaver in the GNOME3 desktop when
the screensaver is activated, add or set [org/gnome/desktop/screensaver] lock-delay=uint32 0Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-delayAfter the settings have been set, run dconf update. |
| Rationale | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. |
Disable Full User Name on Splash Shield
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_info |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80114-2 References: FMT_MOF_EXT.1 |
| Description | By default when the screen is locked, the splash shield will show the user's
full name. This should be disabled to prevent casual observers from seeing
who has access to the system. This can be disabled by adding or setting
[org/gnome/desktop/screensaver] show-full-name-in-top-bar=falseOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/show-full-name-in-top-barAfter the settings have been set, run dconf update. |
| Rationale | Setting the splash screen to not reveal the logged in user's name conceals who has access to the system from passersby. |
Ensure Users Cannot Change GNOME3 Screensaver Settings
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80371-8 References: FMT_MOF_EXT.1, RHEL-07-010081, SV-87807r3_rule, 3.1.10, CCI-000057, AC-11(a), SRG-OS-00029-GPOS-0010 |
| Description | If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/lock-delayAfter the settings have been set, run dconf update. |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. |
Enable GNOME3 Screensaver Idle Activation
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80111-8 References: FMT_MOF_EXT.1, RHEL-07-010100, SV-86523r3_rule, 5.5.5, 3.1.10, CCI-000057, AC-11(a), Req-8.1.8, SRG-OS-000029-GPOS-00010 |
| Description | To activate the screensaver in the GNOME3 desktop after a period of inactivity,
add or set [org/gnome/desktop/screensaver] idle_activation_enabled=trueOnce the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/idle-activation-enabledAfter the settings have been set, run dconf update. |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
session lock.
|
Set GNOME3 Screensaver Inactivity Timeout
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80110-0 References: FMT_MOF_EXT.1, RHEL-07-010070, SV-86517r4_rule, 5.5.5, 3.1.10, CCI-000057, AC-11(a), Req-8.1.8, SRG-OS-000029-GPOS-00010 |
| Description | The idle time-out value for inactivity in the GNOME3 desktop is configured via the [org/gnome/desktop/session] idle-delay='uint32 900'Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/session/idle-delayAfter the settings have been set, run dconf update. |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock. |
Implement Blank Screensaver
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80113-4 References: FMT_MOF_EXT.1, 5.5.5, 3.1.10, CCI-000060, AC-11(b), Req-8.1.8 |
| Description | To set the screensaver mode in the GNOME3 desktop to a blank screen,
add or set [org/gnome/desktop/screensaver] picture-uri=''Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/picture-uriAfter the settings have been set, run dconf update. |
| Rationale | Setting the screensaver mode to blank-only conceals the contents of the display from passersby. |
Enable GNOME3 Screensaver Lock After Idle Period
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80112-6 References: FMT_MOF_EXT.1, RHEL-07-010060, SV-86515r4_rule, 5.5.5, 3.1.10, CCI-000056, AC-11(b), Req-8.1.8, SRG-OS-000028-GPOS-00009, OS-SRG-000030-GPOS-00011 |
| Description | To activate locking of the screensaver in the GNOME3 desktop when it is activated,
add or set [org/gnome/desktop/screensaver] lock-enabled=trueOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-enabledAfter the settings have been set, run dconf update. |
| Rationale | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. |
Disable GDM Automatic Login
| Rule ID | xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80104-3 References: FIA_AFL.1, RHEL-07-010440, SV-86577r1_rule, 3.1.1, CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00229 |
| Description | The GNOME Display Manager (GDM) can allow users to automatically login without
user interaction or credentials. User should always be required to authenticate themselves
to the system that they are authorized to use. To disable user ability to automatically
login to the system, set the [daemon] AutomaticLoginEnable=false |
| Rationale | Failure to restrict system access to authenticated users negatively impacts operating system security. |
Set the GNOME3 Login Number of Failures
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_login_retries |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80109-2 References: FMT_MOF_EXT.1, 3.1.8 |
| Description | In the default graphical environment, the GNOME3 login
screen and be configured to restart the authentication process after
a configured number of attempts. This can be configured by setting
[org/gnome/login-screen] allowed-failures=3Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/allowed-failuresAfter the settings have been set, run dconf update. |
| Rationale | Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. |
Disable GDM Guest Login
| Rule ID | xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80105-0 References: FIA_AFL.1, RHEL-07-010450, SV-86579r2_rule, 3.1.1, CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00229 |
| Description | The GNOME Display Manager (GDM) can allow users to login without credentials
which can be useful for public kiosk scenarios. Allowing users to login without credentials
or "guest" account access has inherent security risks and should be disabled. To do disable
timed logins or guest account access, set the [daemon] TimedLoginEnable=false |
| Rationale | Failure to restrict system access to authenticated users negatively impacts operating system security. |
Ensure Logs Sent To Remote Host
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-27343-3 References: FAU_GEN.1.1.c, RHEL-07-031000, SV-86833r1_rule, 4.2.1.4, CCI-000366, CCI-001348, CCI-000136, CCI-001851, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), A.12.3.1, AU-3(2), AU-4(1), AU-9, SRG-OS-000480-GPOS-00227 |
| Description | To configure rsyslog to send logs to a remote log server,
open *.* @loghost.example.com To use TCP for log message delivery: *.* @@loghost.example.com To use RELP for log message delivery: *.* :omrelp:loghost.example.com There must be a resolvable DNS CNAME or Alias record set to "logcollector" for logs to be sent correctly to the centralized logging utility. |
| Rationale | A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. |
Ensure cron Is Logging To Rsyslog
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_cron_logging |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80380-9 References: FAU_GEN.1.1.c, RHEL-07-021100, SV-86675r1_rule, CCI-000366, AU-2(d), SRG-OS-000480-GPOS-00227 |
| Description | Cron logging must be implemented to spot intrusions or trace
cron job status. If cron.* /var/log/cron |
| Rationale | Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users. |
Set Default firewalld Zone for Incoming Packets
| Rule ID | xccdf_org.ssgproject.content_rule_set_firewalld_default_zone |
| Result | fail |
| Time | 2018-09-25T23:09:02 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27349-0 References: FMT_MOF_EXT.1, RHEL-07-040810, SV-86939r2_rule, 5.10.1, 3.1.3, 3.4.7, 3.13.6, CCI-000366, CM-6(b), CM-7, SRG-OS-000480-GPOS-00227 |
| Description | To set the default zone to DefaultZone=drop |
| Rationale | In |
Verify firewalld Enabled
| Rule ID | xccdf_org.ssgproject.content_rule_service_firewalld_enabled |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27361-5 References: FMT_MOF_EXT.1, RHEL-07-040520, SV-86897r1_rule, 4.7, 3.1.3, 3.4.7, CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227 |
| Description | The $ sudo systemctl enable firewalld.service |
| Rationale | Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols. |
Set Boot Loader Password in grub2
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_password |
| Result | fail |
| Time | 2018-09-25T23:09:02 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-27309-4 References: FIA_AFL.1, RHEL-07-010480, SV-86585r4_rule, 1.4.2, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), IA-2(1), IA-5(e), AC-3, SRG-OS-000080-GPOS-00048 |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
$ grub2-setpasswordWhen prompted, enter the password that was selected. NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. Change the superuser to a different username (The default is 'root'). $ sed -i s/root/bootuser/g /etc/grub.d/01_users To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfgNOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. |
| Rationale | Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to |
| Warnings | warning
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above. |
Set the UEFI Boot Loader Password
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_uefi_password |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80354-4 References: FIA_AFL.1, RHEL-07-010490, SV-86587r3_rule, 1.4.2, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), AC-3, SRG-OS-000080-GPOS-00048 |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
$ grub2-setpasswordWhen prompted, enter the password that was selected. NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. Change the superuser to a different username (The default is 'root'). $ sed -i s/root/bootuser/g /etc/grub.d/01_users To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfgNOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. |
| Rationale | Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to |
| Warnings | warning
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above. |
Configure SELinux Policy
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_policytype |
| Result | pass |
| Time | 2018-09-25T23:09:02 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-27279-9 References: RHEL-07-020220, SV-86615r3_rule, 1.6.1.3, 3.1.2, 3.7.2, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), AC-3, AC-3(3), AC-3(4), AC-4, AC-6, AU-9, SI-6(a), SRG-OS-000445-GPOS-00199 |
| Description | The SELinux SELINUXTYPE=targetedOther policies, such as mls, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases. |
| Rationale | Setting the SELinux policy to |
Ensure No Daemons are Unconfined by SELinux
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27288-0 References: 1.6.1.6, 3.1.2, 3.1.5, 3.7.2, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), AC-6, AU-9, CM-7 |
| Description | Daemons for which the SELinux policy does not contain rules will inherit the
context of the parent process. Because daemons are launched during
startup and descend from the $ sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
It should produce no output in a well-configured system. |
| Rationale | Daemons which run with the |
Ensure No Device Files are Unlabeled by SELinux
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27326-8 References: RHEL-07-020900, SV-86663r1_rule, 3.1.2, 3.1.5, 3.7.2, CCI-000022, CCI-000032, CCI-000368, CCI-000318, CCI-001812, CCI-001813, CCI-001814, AC-6, AU-9, CM-3(f), CM-7, SRG-OS-000480-GPOS-00227 |
| Description | Device files, which are used for communication with important
system resources, should be labeled with proper SELinux types. If any device
files do not carry the SELinux type $ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"It should produce no output in a well-configured system. |
| Rationale | If a device file carries the SELinux type |
Ensure SELinux State is Enforcing
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_state |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-27334-2 References: RHEL-07-020210, SV-86613r2_rule, 1.6.1.2, 3.1.2, 3.7.2, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), AC-3, AC-3(3), AC-3(4), AC-4, AC-6, AU-9, SI-6(a), SRG-OS-000445-GPOS-00199 |
| Description | The SELinux state should be set to SELINUX=enforcing |
| Rationale | Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. |
Set Password Minimum Length in login.defs
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27123-9 References: FMT_MOF_EXT.1, 5.6.2.1, 3.5.7, IA-5(f), IA-5(1)(a) |
| Description | To specify password length requirements for new accounts,
edit the file PASS_MIN_LEN 15 The DoD requirement is 15.
The FISMA requirement is 12.
The profile requirement is 15.
If a program consults /etc/login.defs and also another PAM module
(such as pam_pwquality) during a password change operation,
then the most restrictive must be satisfied. See PAM section
for more information about enforcing password quality requirements. |
| Rationale | Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. |
Prevent Log In to Accounts With Empty Password
| Rule ID | xccdf_org.ssgproject.content_rule_no_empty_passwords |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-27286-4 References: FIA_AFL.1, RHEL-07-010290, SV-86561r2_rule, 5.5.2, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), AC-6, IA-5(b), IA-5(c), IA-5(1)(a), Req-8.2.3, SRG-OS-000480-GPOS-00227 |
| Description | If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the |
| Rationale | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. |
Set Interactive Session Timeout
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_tmout |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27557-8 References: FMT_MOF_EXT.1, RHEL-07-040160, SV-86847r3_rule, 3.1.11, CCI-001133, CCI-000361, AC-12, SC-10, SRG-OS-000163-GPOS-00072 |
| Description | Setting the TMOUT=600 |
| Rationale | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. |
Install the screen Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_screen_installed |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27351-6 References: FMT_MOF_EXT.1, RHEL-07-010090, SV-86521r1_rule, 3.1.10, CCI-000057, AC-11(a), SRG-OS-000029-GPOS-00010 |
| Description | To enable console screen locking, install the $ sudo yum install screenInstruct users to begin new terminal sessions with the following command: $ screenThe console can now be locked with the following key combination: ctrl+a x |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but des not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity,
operating systems need to be able to identify when a user's session has idled and take action to initiate the
session lock.
|
Require Authentication for Single User Mode
| Rule ID | xccdf_org.ssgproject.content_rule_require_singleuser_auth |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27287-2 References: FIA_AFL.1, RHEL-07-010481, SV-92519r1_rule, 1.4.3, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), IA-2(1), AC-3, SRG-OS-000080-GPOS-00048, RHEL-07-010481, SV-92519r1_rule |
| Description | Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup. By default, no authentication
is performed if single-user mode is selected.
|
| Rationale | This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. |
Verify that Interactive Boot is Disabled
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27335-9 References: FIA_AFL.1, 3.1.2, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), SC-2, AC-3 |
| Description | Red Hat Enterprise Linux systems support an "interactive boot" option that can
be used to prevent services from being started. On a Red Hat Enterprise Linux 7
system, interactive boot can be enabled by providing a systemd.confirm_spawn=(1|yes|true|on)from the kernel arguments in that file to disable interactive boot. |
| Rationale | Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security. |
Disable debug-shell SystemD Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_debug-shell_disabled |
| Result | notchecked |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80206-6 References: FIA_AFL.1, 3.4.5, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii) |
| Description | SystemD's $ sudo systemctl disable debug-shell.service |
| Rationale | This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. |
Configure the root Account for Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80353-6 References: FMT_MOF_EXT.1, RHEL-07-010330, SV-86569r2_rule, CCI-002238, AC-7(b), SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 |
| Description | To configure the system to lock out the
|
| Rationale | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. |
Set Lockout Time For Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-26884-7 References: FMT_MOF_EXT.1, RHEL-07-010320, SV-86567r3_rule, 5.3.2, 5.5.3, 3.1.8, CCI-002238, AC-7(b), Req-8.1.7, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 |
| Description | To configure the system to lock out accounts after a number of incorrect login
attempts and require an administrator to unlock the account using
|
| Rationale | Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations. |
Set Interval For Counting Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27297-1 References: FMT_MOF_EXT.1, RHEL-07-010320, SV-86567r3_rule, CCI-002238, AC-7(b), SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 |
| Description | Utilizing
|
| Rationale | By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. |
Set Deny For Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27350-8 References: FMT_MOF_EXT.1, RHEL-07-010320, SV-86567r3_rule, 5.3.2, 5.5.3, 3.1.8, CCI-002238, AC-7(b), Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 |
| Description | To configure the system to lock out accounts after a number of incorrect login
attempts using
|
| Rationale | Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. |
Set Password Minimum Length
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27293-0 References: FMT_MOF_EXT.1, RHEL-07-010280, SV-86559r1_rule, 6.3.2, 5.6.2.1.1, CCI-000205, IA-5(1)(a), Req-8.2.3, SRG-OS-000078-GPOS-00046 |
| Description | The pam_pwquality module's |
| Rationale | The shorter the password, the lower the number of possible combinations
that need to be tested before the password is compromised.
|
Set Password Strength Minimum Digit Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27214-6 References: FMT_MOF_EXT.1, RHEL-07-010140, SV-86531r2_rule, 6.3.2, CCI-000194, IA-5(1)(a), IA-5(b), IA-5(c), 194, Req-8.2.3, SRG-OS-000071-GPOS-00039 |
| Description | The pam_pwquality module's |
| Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
|
Set Password Strength Minimum Special Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27360-7 References: FMT_MOF_EXT.1, RHEL-07-010150, SV-86533r1_rule, CCI-001619, IA-5(b), IA-5(c), IA-5(1)(a), SRG-OS-000266-GPOS-00101 |
| Description | The pam_pwquality module's |
| Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
|
Set Password Strength Minimum Lowercase Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27345-8 References: FMT_MOF_EXT.1, RHEL-07-010130, SV-86529r4_rule, CCI-000193, IA-5(b), IA-5(c), IA-5(1)(a), Req-8.2.3, SRG-OS-000070-GPOS-00038 |
| Description | The pam_pwquality module's |
| Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
|
Set Password Strength Minimum Uppercase Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27200-5 References: FMT_MOF_EXT.1, RHEL-07-010120, SV-86527r2_rule, 6.3.2, CCI-000192, IA-5(b), IA-5(c), IA-5(1)(a), Req-8.2.3, SRG-OS-000069-GPOS-00037 |
| Description | The pam_pwquality module's |
| Rationale | Use of a complex password helps to increase the time and resources reuiqred to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
|
Set Password Retry Prompts Permitted Per-Session
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_retry |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-27160-1 References: FMT_MOF_EXT.1, RHEL-07-010119, SV-87811r3_rule, 6.3.2, 5.5.3, CCI-000366, CM-6(b), IA-5(c), SRG-OS-000480-GPOS-00225 |
| Description | To configure the number of retry prompts that are permitted per-session:
|
| Rationale | Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. |
Encrypt Audit Records Sent With audispd Plugin
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records |
| Result | notchecked |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80540-8 References: CCI-001851, SRG-OS-000342-GPOS-00133, RHEL-07-030310, SV-86709r1_rule |
| Description | Configure the operating system to encrypt the transfer of off-loaded audit
records onto a different system or media from the system being audited.
Uncomment the /etc/audisp/audisp-remote.conf, and set it with the following line: enable_krb5 = yes |
| Rationale | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. |
Configure audispd Plugin To Send Logs To Remote Server
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server |
| Result | notchecked |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80541-6 References: CCI-001851, SRG-OS-000342-GPOS-00133, RHEL-07-030300, SV-86707r1_rule |
| Description | Configure the audispd plugin to off-load audit records onto a different
system or media from the system being audited.
Set the /etc/audisp/audisp-remote.confwith an IP address or hostname of the system that the audispd plugin should send audit records to. For example replacing REMOTE_SYSTEM with an IP address or hostname: remote_server = REMOTE_SYSTEM |
| Rationale | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.Off-loading is a common process in information systems with limited audit storage capacity. |
Configure auditd to use audispd's syslog plugin
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27341-7 References: FAU_GEN.1.1.c, 5.4.1.1, 3.3.1, CCI-000136, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), AU-1(b), AU-3(2), IR-5, Req-10.5.3 |
| Description | To configure the $ sudo service auditd restart |
| Rationale | The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server |
Ensure auditd Collects Information on Kernel Module Unloading - rmmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80416-1 References: FAU_GEN.1.1.c, RHEL-07-030850, SV-86817r3_rule, 5.2.17, 3.1.7, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.7, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222 |
| Description | To capture invocation of rmmod, utility used to remove modules from kernel, add the following line: -w /usr/sbin/rmmod -p x -k modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules. |
| Rationale | The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. |
Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobe
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80417-9 References: FAU_GEN.1.1.c, RHEL-07-030860, SV-86819r3_rule, 5.2.17, 3.1.7, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.7, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222 |
| Description | To capture invocation of modprobe, utility used to insert / remove modules from kernel, add the following line: -w /usr/sbin/modprobe -p x -k modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules. |
| Rationale | The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. |
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80415-3 References: FAU_GEN.1.1.c, RHEL-07-030830, SV-86813r3_rule, 5.2.17, 3.1.7, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.7, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222 |
| Description | To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S delete_module -F key=modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules. |
| Rationale | The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. |
Ensure auditd Collects Information on Kernel Module Loading - insmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80446-8 References: FAU_GEN.1.1.c, RHEL-07-030840, SV-86815r3_rule, 5.2.17, 3.1.7, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.7, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222 |
| Description | To capture invocation of insmod, utility used to insert modules into kernel, use the following line: -w /usr/sbin/insmod -p x -k modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules. |
| Rationale | The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. |
Ensure auditd Collects Information on Kernel Module Loading - init_module
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80414-6 References: FAU_GEN.1.1.c, RHEL-07-030820, SV-86811r3_rule, 5.2.17, 3.1.7, CCI-000172, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.7, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222 |
| Description | To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S init_module -F key=modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules. |
| Rationale | The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. |
Record Attempts to Alter Logon and Logout Events - lastlog
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80384-1 References: FAU_GEN.1.1.c, RHEL-07-030620, SV-86771r2_rule, 5.2.8, 3.1.7, CCI-000172, CCI-002884, CCI-000126, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-12(a), AU-12(c), IR-5, Req-10.2.3, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218 |
| Description | The audit system already collects login information for all users
and root. If the -w /var/log/lastlog -p wa -k loginsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins |
| Rationale | Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. |
Record Attempts to Alter Logon and Logout Events - faillock
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80383-3 References: FAU_GEN.1.1.c, RHEL-07-030610, SV-86769r3_rule, 5.2.8, 3.1.7, CCI-000172, CCI-002884, CCI-000126, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-12(a), AU-12(c), IR-5, Req-10.2.3, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218 |
| Description | The audit system already collects login information for all users
and root. If the -w /var/run/faillock/ -p wa -k loginsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/run/faillock/ -p wa -k logins |
| Rationale | Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. |
Record Attempts to Alter Logon and Logout Events - tallylog
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80382-5 References: FAU_GEN.1.1.c, RHEL-07-030600, SV-86767r2_rule, 5.2.8, 3.1.7, CCI-000172, CCI-002884, CCI-000126, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-12(a), AU-12(c), IR-5, Req-10.2.3, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218 |
| Description | The audit system already collects login information for all users
and root. If the -w /var/log/tallylog -p wa -k loginsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins |
| Rationale | Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. |
Record Events that Modify the System's Discretionary Access Controls - fchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-27356-5 References: FAU_GEN.1.1.c, RHEL-07-030380, SV-86723r3_rule, 5.2.10, 5.4.1.1, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - setxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-27213-8 References: FAU_GEN.1.1.c, RHEL-07-030440, SV-86735r3_rule, 5.2.10, 5.4.1.1, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-27389-6 References: FAU_GEN.1.1.c, RHEL-07-030450, SV-86737r3_rule, 5.2.10, 5.4.1.1, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - chown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-27364-9 References: FAU_GEN.1.1.c, RHEL-07-030370, SV-86721r3_rule, 5.2.10, 5.4.1.1, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - fchownat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-27387-0 References: FAU_GEN.1.1.c, RHEL-07-030400, SV-86727r3_rule, 5.2.10, 5.4.1.1, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - lchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-27083-5 References: FAU_GEN.1.1.c, RHEL-07-030390, SV-86725r3_rule, 5.2.10, 5.4.1.1, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - chmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-27339-1 References: FAU_GEN.1.1.c, RHEL-07-030410, SV-86729r3_rule, 5.2.10, 5.4.1.1, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - removexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27367-2 References: FAU_GEN.1.1.c, RHEL-07-030470, SV-86741r3_rule, 5.2.10, 5.4.1.1, 3.1.7, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27353-2 References: FAU_GEN.1.1.c, RHEL-07-030480, SV-86743r3_rule, 5.2.10, 5.4.1.1, 3.1.7, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-27280-7 References: FAU_GEN.1.1.c, RHEL-07-030460, SV-86739r3_rule, 5.2.10, 5.4.1.1, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - fchmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-27393-8 References: FAU_GEN.1.1.c, RHEL-07-030420, SV-86731r3_rule, 5.2.10, 5.4.1.1, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27410-0 References: FAU_GEN.1.1.c, RHEL-07-030490, SV-86745r3_rule, 5.2.10, 5.4.1.1, 3.1.7, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - fchmodat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-27388-8 References: FAU_GEN.1.1.c, RHEL-07-030430, SV-86733r3_rule, 5.2.10, 5.4.1.1, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Any Attempts to Run seunshare
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c |
| Description | At a minimum, the audit system should collect any execution attempt
of the -a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_changeIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Record Any Attempts to Run setsebool
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80392-4 References: FAU_GEN.1.1.c, RHEL-07-030570, SV-86761r3_rule, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-12(c), SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209 |
| Description | At a minimum, the audit system should collect any execution attempt
of the -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_changeIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Record Any Attempts to Run semanage
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80391-6 References: FAU_GEN.1.1.c, RHEL-07-030560, SV-86759r3_rule, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-12(c), SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209 |
| Description | At a minimum, the audit system should collect any execution attempt
of the -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_changeIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Record Any Attempts to Run chcon
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80393-2 References: FAU_GEN.1.1.c, RHEL-07-030580, SV-86763r3_rule, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-12(c), SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209 |
| Description | At a minimum, the audit system should collect any execution attempt
of the -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_changeIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Record Any Attempts to Run restorecon
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80394-0 References: FAU_GEN.1.1.c, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-12(c), SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209 |
| Description | At a minimum, the audit system should collect any execution attempt
of the -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_changeIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Ensure auditd Collects File Deletion Events by User - rmdir
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80412-0 References: FAU_GEN.1.1.c, RHEL-07-030900, SV-86827r3_rule, 5.2.14, 3.1.7, CCI-000366, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), Req-10.2.7, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172 |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the -a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. |
Ensure auditd Collects File Deletion Events by User - unlinkat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27206-2 References: FAU_GEN.1.1.c, RHEL-07-030920, SV-86831r3_rule, 5.2.14, 3.1.7, CCI-000366, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), Req-10.2.7, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172 |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the -a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. |
Ensure auditd Collects File Deletion Events by User - rename
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27206-2 References: FAU_GEN.1.1.c, RHEL-07-030880, SV-86823r3_rule, 5.2.14, 3.1.7, CCI-000366, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), Req-10.2.7, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172 |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the -a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=4294967295 -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. |
Ensure auditd Collects File Deletion Events by User - renameat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80413-8 References: FAU_GEN.1.1.c, RHEL-07-030890, SV-86825r3_rule, 5.2.14, 3.1.7, CCI-000366, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), Req-10.2.7, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172 |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the -a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=4294967295 -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. |
Ensure auditd Collects File Deletion Events by User - unlink
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27206-2 References: FAU_GEN.1.1.c, RHEL-07-030910, SV-86829r3_rule, 5.2.14, 3.1.7, CCI-000366, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), Req-10.2.7, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172 |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the -a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=4294967295 -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. |
Ensure auditd Collects Information on the Use of Privileged Commands - passwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80395-7 References: FAU_GEN.1.1.c, RHEL-07-030630, SV-86773r3_rule, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-3(1), AU-12(c), SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Ensure auditd Collects Information on the Use of Privileged Commands - sudo
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo | ||||||
| Result | fail | ||||||
| Time | 2018-09-25T23:09:03 | ||||||
| Severity | medium | ||||||
| Identifiers and References | Identifiers: CCE-80401-3 References: FAU_GEN.1.1.c, RHEL-07-030690, SV-86785r3_rule, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-3(1), AU-12(c), SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215 | ||||||
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged | ||||||
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||
Remediation Shell script: (show) | |||||||
Remediation Ansible snippet: (show)
| |||||||
Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Ensure auditd Collects Information on the Use of Privileged Commands - chsh
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80404-7 References: RHEL-07-030720, SV-86791r3_rule, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-3(1), AU-12(c), SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Ensure auditd Collects Information on the Use of Privileged Commands - chage
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80398-1 References: RHEL-07-030660, SV-86779r3_rule, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-3(1), AU-12(c), SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80399-9 References: FAU_GEN.1.1.c, RHEL-07-030670, SV-86781r3_rule, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-3(1), AU-12(c), SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Ensure auditd Collects Information on the Use of Privileged Commands - at
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Ensure auditd Collects Information on the Use of Privileged Commands - crontab
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80410-4 References: RHEL-07-030800, SV-86807r2_rule, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-3(1), AU-12(c), SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Ensure auditd Collects Information on the Use of Privileged Commands - umount
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80405-4 References: RHEL-07-030750, SV-86797r4_rule, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-3(1), AU-12(c), SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80396-5 References: FAU_GEN.1.1.c, RHEL-07-030640, SV-86775r4_rule, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-3(1), AU-12(c), SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80409-6 References: 3.1.7, CCI-000135, CCI-000172, CCI-002884, AU-3(1), AU-12(c), SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80408-8 References: FAU_GEN.1.1.c, RHEL-07-030780, SV-86803r2_rule, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-3(1), AU-12(c), SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/openssh/key-sign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit | ||||||
| Result | fail | ||||||
| Time | 2018-09-25T23:09:03 | ||||||
| Severity | medium | ||||||
| Identifiers and References | Identifiers: CCE-80402-1 References: FAU_GEN.1.1.c, RHEL-07-030730, SV-86793r4_rule, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-3(1), AU-12(c), SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215 | ||||||
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged | ||||||
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||
Remediation Shell script: (show) | |||||||
Remediation Ansible snippet: (show)
| |||||||
Ensure auditd Collects Information on the Use of Privileged Commands - mount
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80397-3 References: FAU_GEN.1.1.c, RHEL-07-030650, SV-86777r3_rule, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-3(1), AU-12(c), SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Ensure auditd Collects Information on the Use of Privileged Commands - su
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80400-5 References: FAU_GEN.1.1.c, RHEL-07-030680, SV-86783r4_rule, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-3(1), AU-12(c), SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80403-9 References: FAU_GEN.1.1.c, RHEL-07-030710, SV-86789r3_rule, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-3(1), AU-12(c), SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
|
Record Unsuccessul Delete Attempts to Files - renameat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c, 5.2.10, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | The audit system should collect unsuccessful file deletion
attempts for all users and root. If the -a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-deleteIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete |
| Rationale | Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete |
Record Unsuccessul Permission Changes to Files - chmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chmod |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the -a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-changeIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
Record Unauthorized Modification Attempts to Files - open O_TRUNC
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_trunc_write |
| Result | fail |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c, 5.2.10, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | The audit system should collect detailed unauthorized file accesses for
all users and root. The -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modificationIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification |
Record Unsuccessul Ownership Changes to Files - fchownat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchownat |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | |
| Description | The audit system should collect unsuccessful file ownership change
attempts for all users and root.
If the -a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-changeIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
Record Unauthorized Creation Attempts to Files - openat O_CREAT
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_creat |
| Result | fail |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c, 5.2.10, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | The audit system should collect unauthorized file accesses for
all users and root. The -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-createIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create |
Record Unsuccessul Ownership Changes to Files - lchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lchown |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | |
| Description | The audit system should collect unsuccessful file ownership change
attempts for all users and root.
If the -a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-changeIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
Record Unauthorized Access Attempts to Files (unsuccessful) - truncate
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80389-0 References: FAU_GEN.1.1.c, RHEL-07-030540, SV-86755r3_rule, 5.2.10, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Unsuccessul Permission Changes to Files - removexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_removexattr |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the -a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-changeIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
Record Unsuccessul Ownership Changes to Files - chown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chown |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | |
| Description | The audit system should collect unsuccessful file ownership change
attempts for all users and root.
If the -a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-changeIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
Record Unsuccessul Ownership Changes to Files - fchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchown |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | |
| Description | The audit system should collect unsuccessful file ownership change
attempts for all users and root.
If the -a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-changeIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
Record Unsuccessul Permission Changes to Files - fchmodat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmodat |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the -a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-changeIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
Record Unsuccessul Permission Changes to Files - setxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_setxattr |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the -a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-changeIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
Record Unsuccessul Permission Changes to Files - lremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lremovexattr |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the -a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-changeIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
Record Unauthorized Access Attempts to Files (unsuccessful) - creat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80385-8 References: FAU_GEN.1.1.c, RHEL-07-030500, SV-86747r3_rule, 5.2.10, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Unauthorized Creation Attempts to Files - open O_CREAT
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_creat |
| Result | fail |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c, 5.2.10, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | The audit system should collect unauthorized file accesses for
all users and root. The -a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-createIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create |
Record Unsuccessul Permission Changes to Files - fremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fremovexattr |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the -a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-changeIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
Record Unsuccessul Delete Attempts to Files - unlink
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlink |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c, 5.2.10, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | The audit system should collect unsuccessful file deletion
attempts for all users and root. If the -a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-deleteIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete |
| Rationale | Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete |
Record Unsuccessul Permission Changes to Files - fsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fsetxattr |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the -a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-changeIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_rule_order |
| Result | fail |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c, 5.2.10, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | The audit system should collect detailed unauthorized file
accesses for all users and root.
To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
of files via -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access |
| Rationale | The more specific rules cover a subset of events covered by the less specific rules. By ordering them from more specific to less specific, it is assured that the less specific rule will not catch events better recorded by the more specific rule. |
Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_rule_order |
| Result | fail |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c, 5.2.10, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | The audit system should collect detailed unauthorized file
accesses for all users and root.
To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
of files via -a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access |
| Rationale | The more specific rules cover a subset of events covered by the less specific rules. By ordering them from more specific to less specific, it is assured that the less specific rule will not catch events better recorded by the more specific rule. |
Record Unauthorized Access Attempts to Files (unsuccessful) - open
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80386-6 References: FAU_GEN.1.1.c, RHEL-07-030510, SV-86749r3_rule, 5.2.10, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Unsuccessul Permission Changes to Files - lsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lsetxattr |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the -a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-changeIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
Record Unauthorized Creation Attempts to Files - open_by_handle_at O_CREAT
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat |
| Result | fail |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c, 5.2.10, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | The audit system should collect unauthorized file accesses for
all users and root. The -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-createIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create |
Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80388-2 References: FAU_GEN.1.1.c, RHEL-07-030530, SV-86753r3_rule, 5.2.10, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80390-8 References: FAU_GEN.1.1.c, RHEL-07-030550, SV-86757r3_rule, 5.2.10, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order |
| Result | fail |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c, 5.2.10, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | The audit system should collect detailed unauthorized file
accesses for all users and root.
To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
of files via -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access |
| Rationale | The more specific rules cover a subset of events covered by the less specific rules. By ordering them from more specific to less specific, it is assured that the less specific rule will not catch events better recorded by the more specific rule. |
Record Unsuccessul Delete Attempts to Files - unlinkat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlinkat |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c, 5.2.10, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | The audit system should collect unsuccessful file deletion
attempts for all users and root. If the -a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-deleteIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete |
| Rationale | Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete |
Record Unauthorized Modification Attempts to Files - openat O_TRUNC
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write |
| Result | fail |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c, 5.2.10, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | The audit system should collect detailed unauthorized file accesses for
all users and root. The -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modificationIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification |
Record Unsuccessul Permission Changes to Files - fchmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmod |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the -a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-changeIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
Record Unauthorized Modification Attempts to Files - open_by_handle_at O_TRUNC
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write |
| Result | fail |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c, 5.2.10, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | The audit system should collect detailed unauthorized file accesses for
all users and root. The -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modificationIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification |
Record Unauthorized Access Attempts to Files (unsuccessful) - openat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80387-4 References: FAU_GEN.1.1.c, RHEL-07-030520, SV-86751r3_rule, 5.2.10, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Unsuccessul Delete Attempts to Files - rename
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c, 5.2.10, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | The audit system should collect unsuccessful file deletion
attempts for all users and root. If the -a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-deleteIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete |
| Rationale | Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete |
Ensure auditd Collects System Administrator Actions
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-27461-3 References: FAU_GEN.1.1.c, RHEL-07-030700, SV-86787r4_rule, 5.4.1.1, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-2(7)(b), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), iAU-3(1), AU-12(a), AU-12(c), IR-5, Req-10.2.2, Req-10.2.5.b, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 |
| Description | At a minimum, the audit system should collect administrator actions
for all users and root. If the -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actionsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions |
| Rationale | The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. |
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at |
| Result | fail |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c |
| Description | The audit system should collect write events to /etc/passwd file for all users and root.
If the -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modifyIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify |
| Rationale | Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify |
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at |
| Result | fail |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c |
| Description | The audit system should collect write events to /etc/group file for all group and root.
If the -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modifyIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify |
| Rationale | Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify |
Record Events that Modify User/Group Information via open syscall - /etc/passwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open |
| Result | fail |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c |
| Description | The audit system should collect write events to /etc/passwd file for all users and root.
If the -a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modifyIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify |
| Rationale | Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify |
Record Attempts to Alter Process and Session Initiation Information
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_session_events |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-27301-1 References: FAU_GEN.1.1.c, 5.2.9, 5.4.1.1, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.3 |
| Description | The audit system already collects process information for all
users and root. If the -w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k sessionIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session |
| Rationale | Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. |
Record Events that Modify User/Group Information via openat syscall - /etc/group
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat |
| Result | fail |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c |
| Description | The audit system should collect write events to /etc/group file for all users and root.
If the -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modifyIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify |
| Rationale | Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify |
Make the auditd Configuration Immutable
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_immutable |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27097-5 References: 4.1.18, 5.4.1.1, 3.3.1, 3.4.3, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.310(a)(2)(iv), 164.312(d), 164.310(d)(2)(iii), 164.312(b), 164.312(e), AC-6, AU-1(b), AU-2(a), AU-2(c), AU-2(d), IR-5, Req-10.5.2 |
| Description | If the -e 2If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file in order to make the auditd configuration
immutable:
-e 2With this setting, a reboot will be required to change any audit rules. |
| Rationale | Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation |
Record Events that Modify User/Group Information via open syscall - /etc/group
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open |
| Result | fail |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c |
| Description | The audit system should collect write events to /etc/group file for all users and root.
If the -a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modifyIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify |
| Rationale | Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify |
Record Events that Modify User/Group Information - /etc/shadow
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80431-0 References: FAU_GEN.1.1.c, RHEL-07-030873, SV-87823r3_rule, 5.2.5, 5.4.1.1, 3.1.7, CCI-000018, CCI-000172, CCI-001403, CCI-002130, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.5, SRG-OS-000004-GPOS-00004 |
| Description | If the -w /etc/shadow -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification |
| Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
Record Events that Modify User/Group Information via openat syscall - /etc/passwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat |
| Result | fail |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | References: FAU_GEN.1.1.c |
| Description | The audit system should collect write events to /etc/passwd file for all users and root.
If the -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modifyIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify |
| Rationale | Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify |
Record Access Events to Audit Log directory
| Rule ID | xccdf_org.ssgproject.content_rule_directory_access_var_log_audit |
| Result | fail |
| Time | 2018-09-25T23:09:03 |
| Severity | unknown |
| Identifiers and References | References: FAU_GEN.1.1.c |
| Description | The audit system should collect access events to read audit log directory. The following audit rule will assure that access to audit log directory are collected. -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trailIf the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rule to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rule to
/etc/audit/audit.rules file. |
| Rationale | Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.' |
Record Events that Modify User/Group Information - /etc/security/opasswd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80430-2 References: FAU_GEN.1.1.c, RHEL-07-030874, SV-87825r4_rule, 5.2.5, 5.4.1.1, 3.1.7, CCI-000018, CCI-000172, CCI-001403, CCI-002130, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.5, SRG-OS-000004-GPOS-00004 |
| Description | If the -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification |
| Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
Record Events that Modify the System's Mandatory Access Controls
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_mac_modification |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-27168-4 References: FAU_GEN.1.1.c, 5.2.7, 5.4.1.1, 3.1.8, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.5.5 |
| Description | If the -w /etc/selinux/ -p wa -k MAC-policyIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy |
| Rationale | The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited. |
Record Events that Modify User/Group Information - /etc/gshadow
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80432-8 References: FAU_GEN.1.1.c, RHEL-07-030872, SV-87819r3_rule, 5.2.5, 5.4.1.1, 3.1.7, CCI-000018, CCI-000172, CCI-001403, CCI-002130, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.5, SRG-OS-000004-GPOS-00004 |
| Description | If the -w /etc/gshadow -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification |
| Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
Record Events that Modify User/Group Information - /etc/passwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80435-1 References: FAU_GEN.1.1.c, RHEL-07-030870, SV-86821r4_rule, 5.2.5, 5.4.1.1, 3.1.7, CCI-000018, CCI-000172, CCI-001403, CCI-002130, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221 |
| Description | If the -w /etc/passwd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification |
| Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
Record Events that Modify User/Group Information - /etc/group
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80433-6 References: FAU_GEN.1.1.c, RHEL-07-030871, SV-87817r2_rule, 5.2.5, 5.4.1.1, 3.1.7, CCI-000018, CCI-000172, CCI-001403, CCI-002130, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.5, SRG-OS-000004-GPOS-00004 |
| Description | If the -w /etc/group -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification |
| Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
Extend Audit Backlog Limit for the Audit Daemon
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | unknown |
| Identifiers and References | |
| Description | To improve the kernel capacity to queue all log events, even those which occurred
prior to the audit daemon, add the argument GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192" |
| Rationale | audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during boot process, the action defined by audit failure flag is taken. |
| Warnings | warning
The GRUB 2 configuration file, grub.cfg,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -ocommand as follows:
|
Enable Auditing for Processes Which Start Prior to the Audit Daemon
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_audit_argument |
| Result | pass |
| Time | 2018-09-25T23:09:03 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27212-0 References: 4.1.3, 5.4.1.1, 3.3.1, CCI-001464, CCI-000130, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), AC-17(1), AU-14(1), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-10, IR-5, Req-10.3 |
| Description | To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1" |
| Rationale | Each process on the system carries an "auditable" flag which indicates whether
its activities can be audited. Although |
| Warnings | warning
The GRUB 2 configuration file, grub.cfg,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -ocommand as follows:
|
Enable auditd Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_auditd_enabled |
| Result | pass |
| Time | 2018-09-25T23:09:04 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-27407-6 References: RHEL-07-030000, SV-86703r2_rule, 4.1.2, 5.4.1.1, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000131, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), AU-3, AC-17(1), AU-1(b), AU-10, AU-12(a), AU-12(c), AU-14(1), IR-5, Req-10, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096 |
| Description | The $ sudo systemctl enable auditd.service |
| Rationale | Without establishing what type of events occurred, it would be difficult
to establish, correlate, and investigate the events leading up to an outage or attack.
Ensuring the |
Enable SLUB/SLAB allocator poisoning
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument |
| Result | pass |
| Time | 2018-09-25T23:09:04 |
| Severity | unknown |
| Identifiers and References | |
| Description | To enable poisoning of SLUB/SLAB objects,
add the argument GRUB_CMDLINE_LINUX="slub_debug=P" |
| Rationale | Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. |
| Warnings | warning
The GRUB 2 configuration file, grub.cfg,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -ocommand as follows:
|
Enable page allocator poisoning
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_page_poison_argument |
| Result | pass |
| Time | 2018-09-25T23:09:04 |
| Severity | unknown |
| Identifiers and References | |
| Description | To enable poisoning of free pages,
add the argument GRUB_CMDLINE_LINUX="page_poison=1" |
| Rationale | Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. |
| Warnings | warning
The GRUB 2 configuration file, grub.cfg,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -ocommand as follows:
|
Restrict exposed kernel pointers addresses access
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict |
| Result | pass |
| Time | 2018-09-25T23:09:04 |
| Severity | low |
| Identifiers and References | References: NT28(R23) |
| Description | To set the runtime status of the $ sudo sysctl -w kernel.kptr_restrict=1If this is not the system default value, add the following line to /etc/sysctl.conf: kernel.kptr_restrict = 1 |
| Rationale | Exposing kernel pointers (through procfs or |
Disable kernel image loading
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled |
| Result | pass |
| Time | 2018-09-25T23:09:04 |
| Severity | unknown |
| Identifiers and References | |
| Description | To set the runtime status of the $ sudo sysctl -w kernel.kexec_load_disabled=1If this is not the system default value, add the following line to /etc/sysctl.conf: kernel.kexec_load_disabled = 1 |
| Rationale | Disabling kexec_load allows greater control of the kernel memory. It makes it impossible to load another kernel image after it has been disabled. |
Disable vsyscalls
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument |
| Result | pass |
| Time | 2018-09-25T23:09:04 |
| Severity | unknown |
| Identifiers and References | |
| Description | To disable use of virtual syscalls,
add the argument GRUB_CMDLINE_LINUX="vsyscall=none" |
| Rationale | Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. |
| Warnings | warning
The GRUB 2 configuration file, grub.cfg,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -ocommand as follows:
|
Restrict usage of ptrace to descendant processes
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope |
| Result | pass |
| Time | 2018-09-25T23:09:04 |
| Severity | unknown |
| Identifiers and References | |
| Description | To set the runtime status of the $ sudo sysctl -w kernel.yama.ptrace_scope=1If this is not the system default value, add the following line to /etc/sysctl.conf: kernel.yama.ptrace_scope = 1 |
| Rationale | Unrestricted usage of ptrace allows compromised binaries to run ptrace on another processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g. SSH sessions, web browser, ...) without any additional assistance from the user (i.e. without resorting to phishing). |
Restrict Access to Kernel Message Buffer
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict |
| Result | pass |
| Time | 2018-09-25T23:09:04 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-27050-4 References: 3.1.5, CCI-001314, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11 |
| Description | To set the runtime status of the $ sudo sysctl -w kernel.dmesg_restrict=1If this is not the system default value, add the following line to /etc/sysctl.conf: kernel.dmesg_restrict = 1 |
| Rationale | Unprivileged access to the kernel syslog can expose sensitive kernel address information. |
Add noexec Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec | ||||||
| Result | fail | ||||||
| Time | 2018-09-25T23:09:04 | ||||||
| Severity | unknown | ||||||
| Identifiers and References | Identifiers: CCE-80153-0 | ||||||
| Description | The | ||||||
| Rationale | Allowing users to execute binaries from world-writable directories
such as | ||||||
Remediation Shell script: (show) | |||||||
Remediation Ansible snippet: (show)
| |||||||
Add nosuid Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid |
| Result | pass |
| Time | 2018-09-25T23:09:04 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80154-8 |
| Description | The |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. |
Add nodev Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev |
| Result | pass |
| Time | 2018-09-25T23:09:04 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80152-2 |
| Description | The |
| Rationale | The only legitimate location for device files is the |