2.3 Allowlist Authorized Software and Report Violations

Information

At Level 1, utilize Trusted Execution (TE) to log execution of applications not yet allowlisted. This can be used to update the allowlist (TSD - /etc/security/tsd/tsd.dat) so that, at Profile Level 2, non-listed applications are actually prevented from executing.

Rationale:

Impact:

As long as the TE policies STOP_UNTRUSTED=OFF and STOP_ON_CHKFAIL=OFF the system will only log missing entries.

Solution

# trustchk -p TE=ON CHKEXEC=ON STOP_ON_CHKFAIL=OFF

# mkdir -p /var/log/syslog
# touch /var/log/syslog/kernel.log
# print 'kern.info /var/log/syslog/kernel.log rotate 1m files 24 compress' >> /etc/syslog.conf
# print 'kern.info @rsyslog.domain' >> /etc/syslog.conf
# refresh -s syslogd || startsrc -s syslogd

Default Value:

TE=OFF

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7(5), 800-53|CM-10, CSCv7|2.7

Plugin: Unix

Control ID: 7b9dd0c2523783c3ee9f4634d6de983cca6660b9e559f11e2109d0415fcc1b28