Skip to content
Log In

Guide to the Secure Configuration of Alibaba Cloud Linux 2

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Verify firewalld Enabled

    The firewalld service can be enabled with the following command: 
    $ sudo systemctl enable firewalld.service
    Rule Medium Severity
    Show

  • Strengthen the Default Ruleset

    The default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in configuration files under the <code>/etc/firewalld/services</code> and <code>...
    Group
    Show

  • Ensure firewall rules exist for all open ports

    Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.
    Rule Medium Severity
    Show

  • Network Related Kernel Runtime Parameters for Hosts and Routers

    Certain kernel parameters should be set for systems which are acting as either hosts or routers to improve the system's ability defend against certain types of IPv4 protocol attacks.
    Group
    Show

  • Set Default firewalld Zone for Incoming Packets

    To set the default zone to <code>drop</code> for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following line in <code>/etc/firewalld/firewalld.conf</code> to...
    Rule Medium Severity
    Show

  • IPSec Support

    Support for Internet Protocol Security (IPsec) is provided with Libreswan.
    Group
    Show

  • Install libreswan Package

    The libreswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The <code>libreswan</code> package can be installed with the...
    Rule Medium Severity
    Show

  • Install iptables Package

    The iptables package can be installed with the following command: 
    $ sudo yum install iptables
    Rule Medium Severity
    Show

  • Inspect and Activate Default Rules

    View the currently-enforced <code>iptables</code> rules by running the command: <pre>$ sudo iptables -nL --line-numbers</pre> The command is analogous for <code>ip6tables</code>. <br> <br> ...
    Group
    Show

  • Verify ip6tables Enabled if Using IPv6

    The ip6tables service can be enabled with the following command: 
    $ sudo systemctl enable ip6tables.service
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules