These are the compliance rules for the Host compliance standards.
The compliance rules for the Configuration Monitoring For Core Linux Packages standard follow.
Description: Monitors configuration files for OS booting/startup related packages that come with Linux.
Severity: Critical
Rationale: When file changes occur to the configuration files of booting/startup related packages on a Linux host outside of upgrade windows, the modification can lead to serious disruptions and/or security vulnerabilities.
Description: Monitors configuration files for core OS packages that come with Linux. These packages include Kernel-related elements and core commands.
Severity: Critical
Rationale: When file changes occur to the configuration files of core OS related packages on a Linux host outside of upgrade windows, the modification can lead to serious disruptions and/or security vulnerabilities.
The compliance rules for the Configuration Monitoring For Exadata Compute Node standard follow.
Description: Monitors configuration files that are part of the Exadata compute node's Cell OS. This rule is monitoring configuration files that are related to basic cell operations.
Severity: Critical
Rationale: When a configuration file change occurs, the modification can lead to serious service disruptions and/or security vulnerabilities.
Description: Monitors configuration files that are part of the Exadata compute node's bundled Oracle Database. This rule is monitoring configuration files that are related to the Database, Clusterware, Storage Management, and Cluster Verification utility.
Severity: Critical
Rationale: When a configuration file change occurs, the modification can lead to serious service disruptions and/or security vulnerabilities. These configuration files may impact the functioning of the bundled database on this Exadata compute node or the Database cluster this node belongs to.
Description: Monitors configuration files that are part of the Exadata compute node's LSI MegaRAID support. This rule is monitoring configuration files that are related to the MegaRAID Storage Manager and MegaRAID XTools.
Severity: Critical
Rationale: When a configuration file change occurs, the modification can lead to serious service disruptions and/or security vulnerabilities. These configuration files may impact the functioning of the RAID storage functionality on this node.
Description: Monitors configuration files that are part of the Exadata compute node elements for changes to the files. This rule specifically is monitoring the configuration files for the various tools and systems that are part of the Compute Node used for management or diagnostics.
Severity: Critical
Rationale: When a configuration file change occurs, the modification can lead to serious service disruptions and/or security vulnerabilities. These configuration files may impact the functioning of a management or monitoring tool that could be used to report other issues.
Description: Monitors configuration files that are part of the Exadata compute node elements for changes to the files. This rule specifically is monitoring the configuration files for the various tools and systems that are part of the Compute Node used for management or diagnostics that are specific for the given host. The facets being monitored include the hostname in the path and must be configured per host target association for the rule to function.
Severity: Critical
Rationale: When a configuration file change occurs, the modification can lead to serious service disruptions and/or security vulnerabilities. These configuration files may impact the functioning of a management or monitoring tool that could be used to report other issues.
The compliance rules for the Configuration Monitoring For Exadata Compute Node Networking standard follow.
Description: Monitors configuration files that are part of the Exadata compute node's Cell OS. This rule is monitoring configuration files that are related to the Cell's networking configuration.
Severity: Critical
Rationale: When a configuration file change occurs, the modification can lead to serious service disruptions and/or security vulnerabilities. Unintended modification of these configuration files can lead to components in an Exadata rack being unreachable.
Description: Monitors configuration files that are part of the Exadata compute node Infiniband support. This rule is monitoring Open Infiniband configuration files and Infiniband Diagnostics Tools.
Severity: Critical
Rationale: When a configuration file change occurs, the modification can lead to serious service disruptions and/or security vulnerabilities. These configuration files may impact the functioning of the Exadata component communications.
The compliance rules for the Configuration Monitoring For Exadata Compute Node Time standard follow.
Description: Monitors configuration files that are part of the Exadata compute node's Cell OS. This rule is monitoring configuration files related to clock synchronization for the Cell.
Severity: Critical
Rationale: When a configuration file change occurs, the modification can lead to serious service disruptions and/or security vulnerabilities. Time synchronization is very important in complex systems. Clock out-of-sync issues caused by a misconfigured network time daemon can lead to failures and system downtime.
The compliance rules for the Configuration Monitoring For Network Time Linux Packages standard follow.
Description: Monitors configuration files for network time related packages that come with Linux such as FTP. These packages ensure your clocks are in sync.
Severity: Critical
Rationale: When file changes occur to the configuration files of a network time related package on a Linux host outside of upgrade windows, the modification can lead to serious disruptions and/or security vulnerabilities. Most distributed software programs depend on the host clocks being in sync.
The compliance rules for the Configuration Monitoring For Networking Linux Packages standard follow.
Description: Monitors configuration files for file transfer related packages that come with Linux such as FTP.
Severity: Critical
Rationale: When file changes occur to the configuration files of a file transfer related package on a Linux host outside of upgrade windows, the modification can lead to serious disruptions and/or security vulnerabilities.
Description: Monitors configuration files for networking related packages that come with Linux.
Severity: Critical
Rationale: When file changes occur to the configuration files of a networking related package on a Linux host outside of upgrade windows, the modification can lead to serious disruptions and/or security vulnerabilities.
The compliance rules for the Configuration Monitoring For Security Linux Packages standard follow.
Description: Monitors configuration files for security related packages that come with Linux.
Severity: Critical
Rationale: When file changes occur to the configuration files of security related packages on a Linux host outside of upgrade windows, the modification can lead to serious disruptions and/or security vulnerabilities.
The compliance rules for the Configuration Monitoring For User Access Linux Packages standard follow.
Description: Monitors configuration files for user access packages that come with Linux. These packages include SUDO as well as user management and configuration packages.
Severity: Critical
Rationale: When file changes occur to the configuration files of user access related packages on a Linux host outside of upgrade windows, the modification can lead to serious disruptions and/or security vulnerabilities.
The compliance rules for the File Integrity Monitoring For Exadata Compute Node standard follow.
Description: Monitors executable files that are part of the Exadata compute node elements for changes to the files. Executable files include binary programs, Shell, Perl, and Python scripts. This rule only covers Exadata specific elements that are on top of any base operating system elements.
Severity: Critical
Rationale: When file changes occur to the executables of a production Exadata Compute Node outside of upgrade windows, the modification can lead to serious disruptions and/or security vulnerabilities.
Description: Monitors library files that are part of the Exadata compute node elements. Library files include .SO, Java JAR files, Python and Perl library modules. This rule only covers Exadata specific elements that are on top of any base operating system elements.
Severity: Critical
Rationale: When file changes occur to the libraries of a production Exadata Compute Node outside of upgrade windows, the modification can lead to serious disruptions and/or security vulnerabilities.
The compliance rules for the File Integrity Monitoring For Important Linux Packages standard follow.
Description: Monitors executable files for core OS packages that come with Linux. Executable files include programs, Shell, Python, and Perl scripts. These packages include Kernel-related elements, Boot Loaders and core commands.
Severity: Critical
Rationale: When file changes occur to the executables of core OS related packages on a Linux host outside of upgrade windows, the modification can lead to serious disruptions and/or security vulnerabilities.
Description: Monitors executable files for networking related packages that come with Linux. Executable files include programs, Shell, Python, and Perl scripts.
Severity: Critical
Rationale: When file changes occur to the executables of a networking related package on a Linux host outside of upgrade windows, the modification can lead to serious disruptions and/or security vulnerabilities.
Description: Monitors executable files for security related packages that come with Linux. Executable files include programs, Shell, Python, and Perl scripts.
Severity: Critical
Rationale: When file changes occur to the executables of security related packages on a Linux host outside of upgrade windows, the modification can lead to serious disruptions and/or security vulnerabilities.
Description: Monitors executable files for user access packages that come with Linux. Executable files include programs, Shell, Python, and Perl scripts. These packages include SUDO as well as user management and configuration packages.
Severity: Critical
Rationale: When file changes occur to the executables of user access related packages on a Linux host outside of upgrade windows, the modification can lead to serious disruptions and/or security vulnerabilities.
Description: Monitors library files for core OS packages that come with Linux. Library files include .SO, Java JAR files, Python and Perl library modules. These packages include Kernel-related elements, Boot Loaders and core commands.
Severity: Critical
Rationale: When file changes occur to the libraries of core OS packages on a Linux host outside of upgrade windows, the modification can lead to serious disruptions and/or security vulnerabilities.
Description: Monitors library files for networking related packages that come with Linux. Library files include .SO, Java JAR files, Python and Perl library modules.
Severity: Critical
Rationale: When file changes occur to the libraries of networking related packages on a Linux host outside of upgrade windows, the modification can lead to serious disruptions and/or security vulnerabilities.
Description: Monitors library files for security-related packages that come with Linux. Library files include .SO, Java JAR files, Python and Perl library modules.
Severity: Critical
Rationale: When file changes occur to the libraries of security related packages on a Linux host outside of upgrade windows, the modification can lead to serious disruptions and/or security vulnerabilities.
Description: Monitors library files for user access packages that come with Linux. Library files include .SO, Java JAR files, Python and Perl library modules. These packages include SUDO as well as user management and configuration packages.
Severity: Critical
Rationale: When file changes occur to the libraries of user access packages on a Linux host outside of upgrade windows, the modification can lead to serious disruptions and/or security vulnerabilities.
The compliance rules for the Secure Configuration For Host standard follow.
Description: Ensure that the file system on a Windows operating system uses NTFS.
Severity: Critical
Rationale: File systems other than NTFS on Windows platforms may have serious security risks.
Description: Ensure that no unintended ports are left open.
Severity: Critical
Rationale: Open ports may allow a malicious user to take over the host.
Description: Ensure that there are no insecure services (for example, telnet and ftp) running on the server.
Severity: Warning
Rationale: Insecure services may allow a malicious user to take over the host.
Description: Ensure that the OS configuration parameter, which enables execution of code on the user stack, is not enabled.
Severity: Warning
Rationale: Enabling code execution on the user stack may allow a malicious user to exploit stack buffer overflows. Overflows can cause portions of a system to fail, or even execute arbitrary code.