|
 |
2b7fd2 |
commit 470fb4275710c828f3cdd91ce65c69f78e2e6451
|
|
|
2b7fd2 |
Author: Gabriel Becker <ggasparb@redhat.com>
|
|
|
2b7fd2 |
Date: Fri Apr 5 16:28:44 2019 +0200
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
Mark rules not applicable for container as machine only.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/group.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/group.yml
|
|
|
2b7fd2 |
index 6acdd02..79d7023 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/group.yml
|
|
|
2b7fd2 |
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/group.yml
|
|
|
2b7fd2 |
@@ -10,3 +10,5 @@ description: |-
|
|
|
2b7fd2 |
controls and perform some logging. It has been largely obsoleted by other
|
|
|
2b7fd2 |
features, and it is not installed by default. The older Inetd service
|
|
|
2b7fd2 |
is not even available as part of {{{ full_name }}}.
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule
|
|
|
2b7fd2 |
index 5c58455..815097b 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule
|
|
|
2b7fd2 |
@@ -37,5 +37,3 @@ ocil: |-
|
|
|
2b7fd2 |
To verify the operating system has the packages required for multifactor
|
|
|
2b7fd2 |
authentication installed, run the following command:
|
|
|
2b7fd2 |
$ sudo yum list installed esc pam_pkcs11 authconfig-gtk
|
|
|
2b7fd2 |
-
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule
|
|
|
2b7fd2 |
index e4c0870..5b01b62 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule
|
|
|
2b7fd2 |
@@ -41,5 +41,3 @@ references:
|
|
|
2b7fd2 |
ocil_clause: 'non-exempt accounts are not using CAC authentication'
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
ocil: "Interview the SA to determine if all accounts not exempted by policy are\nusing CAC authentication.\nFor DoD systems, the following systems and accounts are exempt from using\nsmart card (CAC) authentication:\n\n- SIPRNET systems
\n- Standalone systems
\n- Application accounts
\n- Temporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIV
\n- Operational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALT
\n- Test systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT.
\n "
|
|
|
2b7fd2 |
-
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule
|
|
|
2b7fd2 |
index c68db6d..9af1126 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule
|
|
|
2b7fd2 |
@@ -42,5 +42,3 @@ ocil: |-
|
|
|
2b7fd2 |
cert_policy = ca, ocsp_on, signature;
|
|
|
2b7fd2 |
cert_policy = ca, ocsp_on, signature;
|
|
|
2b7fd2 |
cert_policy = ca, ocsp_on, signature;
|
|
|
2b7fd2 |
-
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule
|
|
|
2b7fd2 |
index 98fb3f8..b3bba5b 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule
|
|
|
2b7fd2 |
@@ -58,4 +58,3 @@ warnings:
|
|
|
2b7fd2 |
have been placed independent of other system calls. Grouping these system
|
|
|
2b7fd2 |
calls with others as identifying earlier in this guide is more efficient.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule
|
|
|
2b7fd2 |
index 77be3c4..c3e5036 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule
|
|
|
2b7fd2 |
@@ -56,4 +56,3 @@ warnings:
|
|
|
2b7fd2 |
have been placed independent of other system calls. Grouping these system
|
|
|
2b7fd2 |
calls with others as identifying earlier in this guide is more efficient.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule
|
|
|
2b7fd2 |
index e530ea9..76bb69d 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule
|
|
|
2b7fd2 |
@@ -56,4 +56,3 @@ warnings:
|
|
|
2b7fd2 |
have been placed independent of other system calls. Grouping these system
|
|
|
2b7fd2 |
calls with others as identifying earlier in this guide is more efficient.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule
|
|
|
2b7fd2 |
index 2410fc9..502e3a0 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule
|
|
|
2b7fd2 |
@@ -56,4 +56,3 @@ warnings:
|
|
|
2b7fd2 |
have been placed independent of other system calls. Grouping these system
|
|
|
2b7fd2 |
calls with others as identifying earlier in this guide is more efficient.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule
|
|
|
2b7fd2 |
index 4f0c7e7..d980704 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule
|
|
|
2b7fd2 |
@@ -56,4 +56,3 @@ warnings:
|
|
|
2b7fd2 |
have been placed independent of other system calls. Grouping these system
|
|
|
2b7fd2 |
calls with others as identifying earlier in this guide is more efficient.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule
|
|
|
2b7fd2 |
index 12d51f8..99d2083 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule
|
|
|
2b7fd2 |
@@ -56,4 +56,3 @@ warnings:
|
|
|
2b7fd2 |
have been placed independent of other system calls. Grouping these system
|
|
|
2b7fd2 |
calls with others as identifying earlier in this guide is more efficient.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule
|
|
|
2b7fd2 |
index b0ff227..bda4448 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule
|
|
|
2b7fd2 |
@@ -62,4 +62,3 @@ warnings:
|
|
|
2b7fd2 |
have been placed independent of other system calls. Grouping these system
|
|
|
2b7fd2 |
calls with others as identifying earlier in this guide is more efficient.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule
|
|
|
2b7fd2 |
index 4e19015..e5ba297 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule
|
|
|
2b7fd2 |
@@ -56,4 +56,3 @@ warnings:
|
|
|
2b7fd2 |
have been placed independent of other system calls. Grouping these system
|
|
|
2b7fd2 |
calls with others as identifying earlier in this guide is more efficient.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule
|
|
|
2b7fd2 |
index 39fb8bd..d88a48f 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule
|
|
|
2b7fd2 |
@@ -56,4 +56,3 @@ warnings:
|
|
|
2b7fd2 |
have been placed independent of other system calls. Grouping these system
|
|
|
2b7fd2 |
calls with others as identifying earlier in this guide is more efficient.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule
|
|
|
2b7fd2 |
index 52d0c85..0b0100e 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule
|
|
|
2b7fd2 |
@@ -62,4 +62,3 @@ warnings:
|
|
|
2b7fd2 |
have been placed independent of other system calls. Grouping these system
|
|
|
2b7fd2 |
calls with others as identifying earlier in this guide is more efficient.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule
|
|
|
2b7fd2 |
index f7ffae4..07222b0 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule
|
|
|
2b7fd2 |
@@ -56,4 +56,3 @@ warnings:
|
|
|
2b7fd2 |
have been placed independent of other system calls. Grouping these system
|
|
|
2b7fd2 |
calls with others as identifying earlier in this guide is more efficient.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule
|
|
|
2b7fd2 |
index 3ff38cf..f27667d 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule
|
|
|
2b7fd2 |
@@ -61,4 +61,3 @@ warnings:
|
|
|
2b7fd2 |
have been placed independent of other system calls. Grouping these system
|
|
|
2b7fd2 |
calls with others as identifying earlier in this guide is more efficient.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule
|
|
|
2b7fd2 |
index da633bd..ccc90e8 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule
|
|
|
2b7fd2 |
@@ -56,4 +56,3 @@ warnings:
|
|
|
2b7fd2 |
have been placed independent of other system calls. Grouping these system
|
|
|
2b7fd2 |
calls with others as identifying earlier in this guide is more efficient.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule
|
|
|
2b7fd2 |
index f2c7891..8e40014 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule
|
|
|
2b7fd2 |
@@ -47,5 +47,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep "path=/usr/bin/chcon" /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
The output should return something similar to:
|
|
|
2b7fd2 |
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
|
|
|
2b7fd2 |
-
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule
|
|
|
2b7fd2 |
index ea42555..2a97b84 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule
|
|
|
2b7fd2 |
@@ -46,5 +46,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep "path=/usr/sbin/restorecon" /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
The output should return something similar to:
|
|
|
2b7fd2 |
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
|
|
|
2b7fd2 |
-
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule
|
|
|
2b7fd2 |
index dd62afa..c2aedce 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule
|
|
|
2b7fd2 |
@@ -47,5 +47,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep "path=/usr/sbin/semanage" /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
The output should return something similar to:
|
|
|
2b7fd2 |
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
|
|
|
2b7fd2 |
-
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule
|
|
|
2b7fd2 |
index 2804b8d..247453e 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule
|
|
|
2b7fd2 |
@@ -47,5 +47,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep "path=/usr/sbin/setsebool" /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
The output should return something similar to:
|
|
|
2b7fd2 |
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
|
|
|
2b7fd2 |
-
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule
|
|
|
2b7fd2 |
index d110f8a..916af4c 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule
|
|
|
2b7fd2 |
@@ -66,4 +66,3 @@ warnings:
|
|
|
2b7fd2 |
<tt>audit_rules_file_deletion_events_unlinkat</tt>
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule
|
|
|
2b7fd2 |
index 51b1d54..80eb011 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule
|
|
|
2b7fd2 |
@@ -41,4 +41,3 @@ references:
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
{{{ complete_ocil_entry_audit_syscall(syscall="rename") }}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule
|
|
|
2b7fd2 |
index 96133fc..b219eda 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule
|
|
|
2b7fd2 |
@@ -41,4 +41,3 @@ references:
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
{{{ complete_ocil_entry_audit_syscall(syscall="renameat") }}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule
|
|
|
2b7fd2 |
index 21abd3a..37e7fb2 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule
|
|
|
2b7fd2 |
@@ -41,4 +41,3 @@ references:
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
{{{ complete_ocil_entry_audit_syscall(syscall="rmdir") }}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule
|
|
|
2b7fd2 |
index 25c2ec2..7c392bc 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule
|
|
|
2b7fd2 |
@@ -41,4 +41,3 @@ references:
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
{{{ complete_ocil_entry_audit_syscall(syscall="unlink") }}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule
|
|
|
2b7fd2 |
index 390a4e5..793f9b0 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule
|
|
|
2b7fd2 |
@@ -41,4 +41,3 @@ references:
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
{{{ complete_ocil_entry_audit_syscall(syscall="unlinkat") }}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule
|
|
|
2b7fd2 |
index 370fbab..58e81a1 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule
|
|
|
2b7fd2 |
@@ -39,4 +39,3 @@ references:
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
{{{ complete_ocil_entry_audit_syscall(syscall="delete_module") }}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule
|
|
|
2b7fd2 |
index d86680d..992bce9 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule
|
|
|
2b7fd2 |
@@ -37,4 +37,3 @@ references:
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
{{{ complete_ocil_entry_audit_syscall(syscall="finit_module") }}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule
|
|
|
2b7fd2 |
index 01de6c8..7631ecd 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule
|
|
|
2b7fd2 |
@@ -38,4 +38,3 @@ references:
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
{{{ complete_ocil_entry_audit_syscall(syscall="init_module") }}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule
|
|
|
2b7fd2 |
index 9610d30..3c4e05f 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule
|
|
|
2b7fd2 |
@@ -41,5 +41,3 @@ ocil_clause: 'there is not output'
|
|
|
2b7fd2 |
ocil: |-
|
|
|
2b7fd2 |
To verify that auditing is configured for system administrator actions, run the following command:
|
|
|
2b7fd2 |
$ sudo auditctl -l | grep "watch=/usr/sbin/insmod"
|
|
|
2b7fd2 |
-
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule
|
|
|
2b7fd2 |
index bd266b8..8ce37aa 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule
|
|
|
2b7fd2 |
@@ -41,5 +41,3 @@ ocil_clause: 'there is not output'
|
|
|
2b7fd2 |
ocil: |-
|
|
|
2b7fd2 |
To verify that auditing is configured for system administrator actions, run the following command:
|
|
|
2b7fd2 |
$ sudo auditctl -l | grep "watch=/usr/sbin/modprobe"
|
|
|
2b7fd2 |
-
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule
|
|
|
2b7fd2 |
index b913129..7ab7824 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule
|
|
|
2b7fd2 |
@@ -41,5 +41,3 @@ ocil_clause: 'there is not output'
|
|
|
2b7fd2 |
ocil: |-
|
|
|
2b7fd2 |
To verify that auditing is configured for system administrator actions, run the following command:
|
|
|
2b7fd2 |
$ sudo auditctl -l | grep "watch=/usr/sbin/rmmod"
|
|
|
2b7fd2 |
-
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule
|
|
|
2b7fd2 |
index 11d187d..20edbdf 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule
|
|
|
2b7fd2 |
@@ -54,4 +54,3 @@ warnings:
|
|
|
2b7fd2 |
<tt>audit_rules_login_events_lastlog</tt>
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule
|
|
|
2b7fd2 |
index b730fdd..78f9d91 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule
|
|
|
2b7fd2 |
@@ -43,5 +43,3 @@ ocil_clause: 'there is not output'
|
|
|
2b7fd2 |
ocil: |-
|
|
|
2b7fd2 |
To verify that auditing is configured for system administrator actions, run the following command:
|
|
|
2b7fd2 |
$ sudo auditctl -l | grep "watch=/var/log/faillock"
|
|
|
2b7fd2 |
-
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule
|
|
|
2b7fd2 |
index 83c5cb7..6c1919d 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule
|
|
|
2b7fd2 |
@@ -43,5 +43,3 @@ ocil_clause: 'there is not output'
|
|
|
2b7fd2 |
ocil: |-
|
|
|
2b7fd2 |
To verify that auditing is configured for system administrator actions, run the following command:
|
|
|
2b7fd2 |
$ sudo auditctl -l | grep "watch=/var/log/lastlog"
|
|
|
2b7fd2 |
-
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule
|
|
|
2b7fd2 |
index 9a9770a..b0eed40 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule
|
|
|
2b7fd2 |
@@ -43,5 +43,3 @@ ocil_clause: 'there is not output'
|
|
|
2b7fd2 |
ocil: |-
|
|
|
2b7fd2 |
To verify that auditing is configured for system administrator actions, run the following command:
|
|
|
2b7fd2 |
$ sudo auditctl -l | grep "watch=/var/log/tallylog"
|
|
|
2b7fd2 |
-
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule
|
|
|
2b7fd2 |
index 3815429..b6ec543 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule
|
|
|
2b7fd2 |
@@ -82,4 +82,3 @@ warnings:
|
|
|
2b7fd2 |
<tt>audit_rules_privileged_commands_passwd</tt>
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule
|
|
|
2b7fd2 |
index 9d6c828..5d0478a 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule
|
|
|
2b7fd2 |
@@ -49,4 +49,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep chage /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
It should return a relevant line in the audit rules.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule
|
|
|
2b7fd2 |
index ac5c38a..e89b93f 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule
|
|
|
2b7fd2 |
@@ -49,4 +49,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep chsh /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
It should return a relevant line in the audit rules.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule
|
|
|
2b7fd2 |
index 03bcb6c..dfffee9 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule
|
|
|
2b7fd2 |
@@ -49,4 +49,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep crontab /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
It should return a relevant line in the audit rules.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule
|
|
|
2b7fd2 |
index 5c8c407..7d77eb9 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule
|
|
|
2b7fd2 |
@@ -50,4 +50,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep gpasswd /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
It should return a relevant line in the audit rules.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule
|
|
|
2b7fd2 |
index b8f8e5c..e97e83c 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule
|
|
|
2b7fd2 |
@@ -50,4 +50,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep newgrp /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
It should return a relevant line in the audit rules.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule
|
|
|
2b7fd2 |
index fda2e0c..6398885 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule
|
|
|
2b7fd2 |
@@ -49,4 +49,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep pam_timestamp_check /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
It should return a relevant line in the audit rules.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule
|
|
|
2b7fd2 |
index cb41772..fc955cd 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule
|
|
|
2b7fd2 |
@@ -50,4 +50,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep passwd /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
It should return a relevant line in the audit rules.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule
|
|
|
2b7fd2 |
index 6f3f787..1f55e04 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule
|
|
|
2b7fd2 |
@@ -49,4 +49,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep postdrop /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
It should return a relevant line in the audit rules.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule
|
|
|
2b7fd2 |
index d6f4eeb..91a9d64 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule
|
|
|
2b7fd2 |
@@ -49,4 +49,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep postqueue /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
It should return a relevant line in the audit rules.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule
|
|
|
2b7fd2 |
index 21e0a11..293a033 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule
|
|
|
2b7fd2 |
@@ -47,4 +47,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep pt_chown /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
It should return a relevant line in the audit rules.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule
|
|
|
2b7fd2 |
index fa7ff2b..4bb59ae 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule
|
|
|
2b7fd2 |
@@ -50,4 +50,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep ssh-keysign /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
It should return a relevant line in the audit rules.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule
|
|
|
2b7fd2 |
index d791805..7c2e986 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule
|
|
|
2b7fd2 |
@@ -50,4 +50,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep su /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
It should return a relevant line in the audit rules.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule
|
|
|
2b7fd2 |
index e8b3585..4103c8a 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule
|
|
|
2b7fd2 |
@@ -50,4 +50,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep sudo /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
It should return a relevant line in the audit rules.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule
|
|
|
2b7fd2 |
index 8984a84..6f2fd62 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule
|
|
|
2b7fd2 |
@@ -50,4 +50,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep sudoedit /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
It should return a relevant line in the audit rules.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule
|
|
|
2b7fd2 |
index 5b636ea..db6d4db 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule
|
|
|
2b7fd2 |
@@ -49,4 +49,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep umount /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
It should return a relevant line in the audit rules.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule
|
|
|
2b7fd2 |
index 205bf97..743ea9f 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule
|
|
|
2b7fd2 |
@@ -50,4 +50,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep unix_chkpwd /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
It should return a relevant line in the audit rules.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule
|
|
|
2b7fd2 |
index 91f31f3..97c3683 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule
|
|
|
2b7fd2 |
@@ -50,4 +50,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep userhelper /etc/audit/audit.rules /etc/audit/rules.d/*
|
|
|
2b7fd2 |
It should return a relevant line in the audit rules.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule
|
|
|
2b7fd2 |
index 2c42c74..991abcf 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule
|
|
|
2b7fd2 |
@@ -37,5 +37,3 @@ references:
|
|
|
2b7fd2 |
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.310(a)(2)(iv),164.312(d),164.310(d)(2)(iii),164.312(b),164.312(e)
|
|
|
2b7fd2 |
nist: AC-6,AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5
|
|
|
2b7fd2 |
pcidss: Req-10.5.2
|
|
|
2b7fd2 |
-
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule
|
|
|
2b7fd2 |
index 5952dbb..0636d42 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule
|
|
|
2b7fd2 |
@@ -48,4 +48,3 @@ ocil: |-
|
|
|
2b7fd2 |
configuration, a line should be returned (including
|
|
|
2b7fd2 |
<tt>perm=wa</tt> indicating permissions that are watched).
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule
|
|
|
2b7fd2 |
index 28c64ca..2ec5b8d 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule
|
|
|
2b7fd2 |
@@ -51,4 +51,3 @@ ocil: |-
|
|
|
2b7fd2 |
To verify that auditing is configured for all media exportation events, run the following command:
|
|
|
2b7fd2 |
$ sudo auditctl -l | grep syscall | grep mount
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule
|
|
|
2b7fd2 |
index 55e1893..9ee65de 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule
|
|
|
2b7fd2 |
@@ -56,4 +56,3 @@ ocil: |-
|
|
|
2b7fd2 |
If the system is configured to watch for network configuration changes, a line should be returned for
|
|
|
2b7fd2 |
each file specified (and <tt>perm=wa</tt> should be indicated for each).
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule
|
|
|
2b7fd2 |
index 017a053..e63f61a 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule
|
|
|
2b7fd2 |
@@ -41,5 +41,3 @@ references:
|
|
|
2b7fd2 |
nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
|
|
|
2b7fd2 |
ospp@rhel7: FAU_GEN.1.1.c
|
|
|
2b7fd2 |
pcidss: Req-10.2.3
|
|
|
2b7fd2 |
-
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule
|
|
|
2b7fd2 |
index 3be1932..15c33a2 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule
|
|
|
2b7fd2 |
@@ -47,5 +47,3 @@ ocil_clause: 'there is not output'
|
|
|
2b7fd2 |
ocil: |-
|
|
|
2b7fd2 |
To verify that auditing is configured for system administrator actions, run the following command:
|
|
|
2b7fd2 |
$ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d"
|
|
|
2b7fd2 |
-
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule
|
|
|
2b7fd2 |
index d40c9df..7be7503 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule
|
|
|
2b7fd2 |
@@ -47,4 +47,3 @@ ocil: |-
|
|
|
2b7fd2 |
The output should contain:
|
|
|
2b7fd2 |
-f 2
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule
|
|
|
2b7fd2 |
index 2838470..2278906 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule
|
|
|
2b7fd2 |
@@ -69,4 +69,3 @@ warnings:
|
|
|
2b7fd2 |
<tt>audit_rules_usergroup_modification_passwd</tt>
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule
|
|
|
2b7fd2 |
index 143e63b..1a5251f 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule
|
|
|
2b7fd2 |
@@ -53,4 +53,3 @@ ocil: |-
|
|
|
2b7fd2 |
If the system is configured to watch for account changes, lines should be returned for
|
|
|
2b7fd2 |
each file specified (and with <tt>perm=wa</tt> for each).
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule
|
|
|
2b7fd2 |
index 5e14989..0d54b2f 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule
|
|
|
2b7fd2 |
@@ -53,4 +53,3 @@ ocil: |-
|
|
|
2b7fd2 |
If the system is configured to watch for account changes, lines should be returned for
|
|
|
2b7fd2 |
each file specified (and with <tt>perm=wa</tt> for each).
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule
|
|
|
2b7fd2 |
index 9e7ce3d..0567184 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule
|
|
|
2b7fd2 |
@@ -53,4 +53,3 @@ ocil: |-
|
|
|
2b7fd2 |
If the system is configured to watch for account changes, lines should be returned for
|
|
|
2b7fd2 |
each file specified (and with <tt>perm=wa</tt> for each).
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule
|
|
|
2b7fd2 |
index 76bce57..1c97a40 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule
|
|
|
2b7fd2 |
@@ -53,4 +53,3 @@ ocil: |-
|
|
|
2b7fd2 |
If the system is configured to watch for account changes, lines should be returned for
|
|
|
2b7fd2 |
each file specified (and with <tt>perm=wa</tt> for each).
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule
|
|
|
2b7fd2 |
index 74819f5..4076bac 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule
|
|
|
2b7fd2 |
@@ -53,4 +53,3 @@ ocil: |-
|
|
|
2b7fd2 |
If the system is configured to watch for account changes, lines should be returned for
|
|
|
2b7fd2 |
each file specified (and with <tt>perm=wa</tt> for each).
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule
|
|
|
2b7fd2 |
index 9dc2ceb..6e86964 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule
|
|
|
2b7fd2 |
@@ -52,4 +52,3 @@ ocil_clause: 'the system is not configured to audit time changes'
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
{{{ complete_ocil_entry_audit_syscall(syscall="adjtimex") }}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule
|
|
|
2b7fd2 |
index 436f5f0..66e7f7c 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule
|
|
|
2b7fd2 |
@@ -52,4 +52,3 @@ ocil_clause: 'the system is not configured to audit time changes'
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
{{{ complete_ocil_entry_audit_syscall(syscall="clock_settime") }}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule
|
|
|
2b7fd2 |
index 22ec976..654fd13 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule
|
|
|
2b7fd2 |
@@ -52,4 +52,3 @@ ocil_clause: 'the system is not configured to audit time changes'
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
{{{ complete_ocil_entry_audit_syscall(syscall="settimeofday") }}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule
|
|
|
2b7fd2 |
index 0572156..4c0ca3c 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule
|
|
|
2b7fd2 |
@@ -58,4 +58,3 @@ ocil: |-
|
|
|
2b7fd2 |
If the system is 64-bit only, this is not applicable
|
|
|
2b7fd2 |
{{{ complete_ocil_entry_audit_syscall(syscall="stime") }}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule
|
|
|
2b7fd2 |
index 2fb8f7d..d4c02a2 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule
|
|
|
2b7fd2 |
@@ -51,4 +51,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo auditctl -l | grep "watch=/etc/localtime"
|
|
|
2b7fd2 |
If the system is configured to audit this activity, it will return a line.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule
|
|
|
2b7fd2 |
index ea42793..1e2437a 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule
|
|
|
2b7fd2 |
@@ -70,4 +70,3 @@ warnings:
|
|
|
2b7fd2 |
<tt>audit_rules_unsuccessful_file_modification_creat</tt>
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule
|
|
|
2b7fd2 |
index a328ff9..bd91a9f 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule
|
|
|
2b7fd2 |
@@ -55,4 +55,3 @@ warnings:
|
|
|
2b7fd2 |
have been placed independent of other system calls. Grouping these system
|
|
|
2b7fd2 |
calls with others as identifying earlier in this guide is more efficient.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate.rule
|
|
|
2b7fd2 |
index 6229398..8fadeaa 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate.rule
|
|
|
2b7fd2 |
@@ -55,4 +55,3 @@ warnings:
|
|
|
2b7fd2 |
have been placed independent of other system calls. Grouping these system
|
|
|
2b7fd2 |
calls with others as identifying earlier in this guide is more efficient.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule
|
|
|
2b7fd2 |
index 13f12fe..656de99 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule
|
|
|
2b7fd2 |
@@ -55,4 +55,3 @@ warnings:
|
|
|
2b7fd2 |
have been placed independent of other system calls. Grouping these system
|
|
|
2b7fd2 |
calls with others as identifying earlier in this guide is more efficient.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule
|
|
|
2b7fd2 |
index ce4193a..30ee748 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule
|
|
|
2b7fd2 |
@@ -55,4 +55,3 @@ warnings:
|
|
|
2b7fd2 |
have been placed independent of other system calls. Grouping these system
|
|
|
2b7fd2 |
calls with others as identifying earlier in this guide is more efficient.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule
|
|
|
2b7fd2 |
index 6f3c38a..532f355 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule
|
|
|
2b7fd2 |
@@ -55,4 +55,3 @@ warnings:
|
|
|
2b7fd2 |
have been placed independent of other system calls. Grouping these system
|
|
|
2b7fd2 |
calls with others as identifying earlier in this guide is more efficient.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule
|
|
|
2b7fd2 |
index f6e0263..d7d37ac 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule
|
|
|
2b7fd2 |
@@ -55,4 +55,3 @@ warnings:
|
|
|
2b7fd2 |
have been placed independent of other system calls. Grouping these system
|
|
|
2b7fd2 |
calls with others as identifying earlier in this guide is more efficient.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule
|
|
|
2b7fd2 |
index acf6fc6..b892c5a 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule
|
|
|
2b7fd2 |
@@ -31,3 +31,5 @@ ocil: |-
|
|
|
2b7fd2 |
/var/log/audit directory, run the following command:
|
|
|
2b7fd2 |
$ sudo grep "dir=/var/log/audit" /etc/audit/audit.rules
|
|
|
2b7fd2 |
If the system is configured to audit this activity, it will return a line.
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule
|
|
|
2b7fd2 |
index 14d41d0..543f887 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule
|
|
|
2b7fd2 |
@@ -34,4 +34,3 @@ ocil: |-
|
|
|
2b7fd2 |
{{{ describe_file_owner(file="/var/log/audit", owner="root") }}}
|
|
|
2b7fd2 |
{{{ describe_file_owner(file="/var/log/audit/*", owner="root") }}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule
|
|
|
2b7fd2 |
index 319b1bb..39ddc5b 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule
|
|
|
2b7fd2 |
@@ -36,4 +36,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo ls -l /var/log/audit
|
|
|
2b7fd2 |
Audit logs must be mode 0640 or less permissive.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule
|
|
|
2b7fd2 |
index 94af473..c5cf669 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule
|
|
|
2b7fd2 |
@@ -38,4 +38,3 @@ ocil: |-
|
|
|
2b7fd2 |
is an IP address or hostname:
|
|
|
2b7fd2 |
remote_server = REMOTE_SYSTEM
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule
|
|
|
2b7fd2 |
index 502843d..e4e96d4 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule
|
|
|
2b7fd2 |
@@ -41,4 +41,3 @@ ocil: |-
|
|
|
2b7fd2 |
Acceptable values also include <tt>syslog</tt> and
|
|
|
2b7fd2 |
<tt>halt</tt>.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule
|
|
|
2b7fd2 |
index 07d36df..94292ff 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule
|
|
|
2b7fd2 |
@@ -34,5 +34,3 @@ ocil: |-
|
|
|
2b7fd2 |
$ sudo grep -i enable_krb5 /etc/audisp/audisp-remote.conf
|
|
|
2b7fd2 |
The output should return the following:
|
|
|
2b7fd2 |
enable_krb5 = yes
|
|
|
2b7fd2 |
-
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule
|
|
|
2b7fd2 |
index 7fc5566..79b8909 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule
|
|
|
2b7fd2 |
@@ -41,4 +41,3 @@ ocil: |-
|
|
|
2b7fd2 |
Acceptable values also include <tt>syslog</tt> and
|
|
|
2b7fd2 |
<tt>halt</tt>.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule
|
|
|
2b7fd2 |
index c2891ab..75edf6a 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule
|
|
|
2b7fd2 |
@@ -40,5 +40,3 @@ ocil: |-
|
|
|
2b7fd2 |
To verify the audispd's syslog plugin is active, run the following command:
|
|
|
2b7fd2 |
$ sudo grep active /etc/audisp/plugins.d/syslog.conf
|
|
|
2b7fd2 |
If the plugin is active, the output will show <tt>yes</tt>.
|
|
|
2b7fd2 |
-
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule
|
|
|
2b7fd2 |
index cabdc03..3b45bc2 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule
|
|
|
2b7fd2 |
@@ -44,4 +44,3 @@ ocil: |-
|
|
|
2b7fd2 |
account when it needs to notify an administrator:
|
|
|
2b7fd2 |
action_mail_acct = root
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action.rule
|
|
|
2b7fd2 |
index 7bad632..46102a1 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action.rule
|
|
|
2b7fd2 |
@@ -49,4 +49,3 @@ ocil: |-
|
|
|
2b7fd2 |
or halt when disk space has run low:
|
|
|
2b7fd2 |
admin_space_left_action single
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush.rule
|
|
|
2b7fd2 |
index 5475a85..a070c4a 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush.rule
|
|
|
2b7fd2 |
@@ -38,4 +38,3 @@ ocil: |-
|
|
|
2b7fd2 |
Acceptable values are <tt>DATA</tt>, and <tt>SYNC</tt>. The setting is
|
|
|
2b7fd2 |
case-insensitive.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file.rule
|
|
|
2b7fd2 |
index 06ec11d..b123481 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file.rule
|
|
|
2b7fd2 |
@@ -41,4 +41,3 @@ ocil: |-
|
|
|
2b7fd2 |
<tt>$ sudo grep max_log_file /etc/audit/auditd.conf</tt>
|
|
|
2b7fd2 |
max_log_file = 6
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action.rule
|
|
|
2b7fd2 |
index 609ca46..1c90f9e 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action.rule
|
|
|
2b7fd2 |
@@ -52,4 +52,3 @@ ocil: |-
|
|
|
2b7fd2 |
<tt>$ sudo grep max_log_file_action /etc/audit/auditd.conf</tt>
|
|
|
2b7fd2 |
max_log_file_action <tt>rotate</tt>
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule
|
|
|
2b7fd2 |
index 5b1debc..619b19e 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule
|
|
|
2b7fd2 |
@@ -40,4 +40,3 @@ ocil: |-
|
|
|
2b7fd2 |
<tt>$ sudo grep num_logs /etc/audit/auditd.conf</tt>
|
|
|
2b7fd2 |
num_logs = 5
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule
|
|
|
2b7fd2 |
index d86ae02..c6fd4ea 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule
|
|
|
2b7fd2 |
@@ -40,4 +40,3 @@ ocil: |-
|
|
|
2b7fd2 |
determine if the system is configured correctly:
|
|
|
2b7fd2 |
space_left SIZE_in_MB
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule
|
|
|
2b7fd2 |
index 7b4360f..65523e0 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule
|
|
|
2b7fd2 |
@@ -58,4 +58,3 @@ ocil: |-
|
|
|
2b7fd2 |
space_left_action
|
|
|
2b7fd2 |
Acceptable values are <tt>email</tt>, <tt>suspend</tt>, <tt>single</tt>, and <tt>halt</tt>.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument.rule b/linux_os/guide/system/auditing/grub2_audit_argument.rule
|
|
|
2b7fd2 |
index 29c451c..68d4f49 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/grub2_audit_argument.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/grub2_audit_argument.rule
|
|
|
2b7fd2 |
@@ -57,5 +57,3 @@ warnings:
|
|
|
2b7fd2 |
On UEFI-based machines, issue the following command as <tt>root</tt>:
|
|
|
2b7fd2 |
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule
|
|
|
2b7fd2 |
index 361a6b9..82cd257 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule
|
|
|
2b7fd2 |
@@ -49,3 +49,5 @@ warnings:
|
|
|
2b7fd2 |
~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
|
|
|
2b7fd2 |
{{% endif %}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/auditing/service_auditd_enabled.rule b/linux_os/guide/system/auditing/service_auditd_enabled.rule
|
|
|
2b7fd2 |
index ce32390..058a689 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/auditing/service_auditd_enabled.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/auditing/service_auditd_enabled.rule
|
|
|
2b7fd2 |
@@ -42,4 +42,3 @@ references:
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
ocil: '{{{ ocil_service_enabled(service="auditd") }}}'
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
-platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict.rule b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict.rule
|
|
|
2b7fd2 |
index 492d2e7..eb56d1c 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict.rule
|
|
|
2b7fd2 |
@@ -17,3 +17,5 @@ references:
|
|
|
2b7fd2 |
anssi: NT28(R23)
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule b/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule
|
|
|
2b7fd2 |
index 8773f24..d9d53c2 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule
|
|
|
2b7fd2 |
@@ -47,3 +47,5 @@ warnings:
|
|
|
2b7fd2 |
~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
|
|
|
2b7fd2 |
{{% endif %}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule
|
|
|
2b7fd2 |
index 9056613..b72c6b5 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule
|
|
|
2b7fd2 |
@@ -50,3 +50,5 @@ warnings:
|
|
|
2b7fd2 |
~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
|
|
|
2b7fd2 |
{{% endif %}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule
|
|
|
2b7fd2 |
index ea982ee..970025d 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule
|
|
|
2b7fd2 |
@@ -50,3 +50,5 @@ warnings:
|
|
|
2b7fd2 |
~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
|
|
|
2b7fd2 |
{{% endif %}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule
|
|
|
2b7fd2 |
index a8fc871..463cda6 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule
|
|
|
2b7fd2 |
@@ -15,3 +15,4 @@ severity: unknown
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kexec_load_disabled", value="1") }}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
+platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule
|
|
|
2b7fd2 |
index 67b7ff8..44febe9 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule
|
|
|
2b7fd2 |
@@ -17,3 +17,4 @@ severity: unknown
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
+platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/selinux/selinux_user_login_roles.rule b/linux_os/guide/system/selinux/selinux_user_login_roles.rule
|
|
|
2b7fd2 |
index 47690e0..65cbf1f 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/selinux/selinux_user_login_roles.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/selinux/selinux_user_login_roles.rule
|
|
|
2b7fd2 |
@@ -54,3 +54,5 @@ ocil: |-
|
|
|
2b7fd2 |
All authorized non-administrative
|
|
|
2b7fd2 |
users must be mapped to the <tt>user_u</tt> role or the appropriate domain
|
|
|
2b7fd2 |
(user_t).
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/software/integrity/fips/group.yml b/linux_os/guide/system/software/integrity/fips/group.yml
|
|
|
2b7fd2 |
index 75916e9..e9ff7cb 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/software/integrity/fips/group.yml
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/software/integrity/fips/group.yml
|
|
|
2b7fd2 |
@@ -14,3 +14,5 @@ description: |-
|
|
|
2b7fd2 |
Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux.
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
See {{{ weblink(link="http://csrc.nist.gov/publications/PubsFIPS.html") }}} for more information.
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+platform: machine
|
|
|
2b7fd2 |
diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule
|
|
|
2b7fd2 |
index c1223d6..4f70107 100644
|
|
|
2b7fd2 |
--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule
|
|
|
2b7fd2 |
+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule
|
|
|
2b7fd2 |
@@ -60,5 +60,3 @@ warnings:
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}
|
|
|
2b7fd2 |
for a list of FIPS certified vendors.
|
|
|
2b7fd2 |
-
|
|
|
2b7fd2 |
-platform: machine
|