diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml
index 1cb90f75c145..f1760e2042b1 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml
@@ -50,3 +50,12 @@ references:
 nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
 pcidss: Req-10.2.3
 srg: SRG-APP-000505-CTR-001285
+
+ocil_clause: 'the system is not configured to audit attempts to alter process and session initiation information'
+
+ocil: |-
+ To determine if the system is configured to audit attempts to alter
+ process and session initiation information, run the following command:
+ auditctl -l | grep -E '(/var/run/utmp|/var/log/btmp|/var/log/wtmp)'
+ If the system is configured to watch for these events, lines should be returned for
+ each file specified (and with -p wa for each).
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml
index dec1be4ebf29..5a15ca699a05 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml
@@ -104,3 +104,17 @@ references:
 nist: CM-6(a),AU-8(1)(a),AU-8(2),AU-12(1)
 nist-csf: PR.PT-1
 pcidss: Req-10.4.3
+
+ocil_clause: 'no additional NTP servers are specified'
+
+ocil: |-
+ To verify that additional NTP servers are configured for time synchronization,
+ open the following file:
+
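Review bot: The `auditctl -l` command in the audit_rules_session_events `ocil` text is shown without a prompt or privilege escalation, and listing the loaded audit rules requires root; run unprivileged, the pipeline typically returns no lines, which an assessor would read as a finding. Writing it as `$ sudo auditctl -l | grep -E '(/var/run/utmp|/var/log/btmp|/var/log/wtmp)'` would also match the `$ ` prompt style used in the disable_prelink check. The grep only shows that a rule mentions each path, so the `-p wa` requirement still has to be read off each returned line by hand; the text could say that explicitly. It may also be worth noting that this inspects the rules currently loaded, not the persisted rule files, so a system can pass now and lose the watches after a reboot.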
{{{ chrony_conf_path }}} in the case the system in question is
+ configured to use the chronyd as the NTP daemon (default setting)/etc/ntp.confin the case the system in question is configured + to use the ntpd as the NTP daemon
server ntpserver
diff --git a/linux_os/guide/system/software/integrity/disable_prelink/rule.yml b/linux_os/guide/system/software/integrity/disable_prelink/rule.yml
index c187957e630f..22e92b957de6 100644
--- a/linux_os/guide/system/software/integrity/disable_prelink/rule.yml
+++ b/linux_os/guide/system/software/integrity/disable_prelink/rule.yml
@@ -37,3 +37,16 @@ references:
 nist: SC-13,CM-6(a)
 nist-csf: PR.DS-1,PR.DS-6,PR.DS-8,PR.IP-1
 pcidss: Req-11.5
+
+ocil_clause: 'prelinking is enabled'
+
+ocil: |-
+ To determine if prelinking is disabled, first check whether the
+ prelink package is installed by running the following command:
+
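Review bot: The chronyd_or_ntpd_specify_multiple_servers `ocil` text, as far as it is visible here, ends on a single `server ntpserver` example and never states the pass condition that `ocil_clause` implies, namely more than one server entry. I would add a closing sentence such as `Verify that more than one server line is present.` after the example; part of this text appears to be lost in this rendering, so confirm it is not already there. If chrony `pool` directives are meant to count towards the requirement, the text should say so, since an assessor looking only for `server` lines would otherwise report a finding on a pool-based configuration.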
$ rpm -q prelink
+ If the package is not installed, prelinking is not enabled and the rule is
+ satisfied. If the prelink package is installed, verify that prelinking
+ is disabled by running the following command:
+ $ grep PRELINKING /etc/sysconfig/prelink
+ If prelinking is disabled, the output should contain the following line:
+ PRELINKING=no
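Review bot: `grep PRELINKING /etc/sysconfig/prelink` in the disable_prelink `ocil` text is unanchored, so a commented-out `#PRELINKING=no` satisfies "the output should contain the following line" even when an active `PRELINKING=yes` is also present in the file. Anchoring the pattern, `$ grep '^PRELINKING' /etc/sysconfig/prelink`, limits the output to active assignments. The expected-result sentence should then require that `PRELINKING=no` is the only line returned, so that duplicate or conflicting assignments are treated as a finding.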