Guide to the Secure Configuration of Alibaba Cloud Linux 2
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Disallow Configuration to Bypass Password Requirements for Privilege Escalation
Verify the operating system is not configured to bypass password requirements for privilege escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command: <pre>$ sudo...Rule Medium Severity -
Set Lockouts for Failed Password Attempts
The <code>pam_faillock</code> PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentation is available in <code>/usr/share/doc/pam-VERSIO...Group -
fail_deny
Number of failed login attempts before account lockoutValue -
faillock directory
The directory where the user files with the failure records are keptValue -
fail_unlock_time
Seconds before automatic unlocking or permanently locking after excessive failed loginsValue -
tally2_unlock_time
Seconds before automatic unlocking or permanently locking after excessive failed loginsValue -
pwhistory_remember
Prevent password re-use using password history lookupValue -
tally2
Number of failed login attemptsValue -
Account Lockouts Must Be Logged
PAM faillock locks an account due to excessive password failures, this event must be logged.Rule Medium Severity -
Account Lockouts Must Persist
By setting a `dir` in the faillock configuration account lockouts will persist across reboots.Rule Medium Severity -
Limit Password Reuse: system-auth
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_pwhistory</code> PAM module. <br> <br> On systems with n...Rule Medium Severity -
Account Lockouts Must Be Logged
PAM faillock locks an account due to excessive password failures, this event must be logged.Rule Medium Severity -
Set Password Quality Requirements
The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure passwords are not similar to dictionary words, are of...Group -
Set Password Quality Requirements with pam_pwquality
The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br> <br> For example, to configure <code>pam_pwquality</code> to require at lea...Group -
dcredit
Minimum number of digits in passwordValue -
lcredit
Minimum number of lower case in passwordValue -
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
The pam_pwquality module's <code>lcredit</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Length
The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_val...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Special Characters
The pam_pwquality module's <code>ocredit=</code> parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be requ...Rule Medium Severity -
Set Password Hashing Algorithm
The system's default algorithm for storing password hashes in/etc/shadowis SHA-512. This can be configured in several locations.Group -
Protect Accounts by Restricting Password-Based Login
Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness using the <code>/etc/passwd</code> and <code>/etc/...Group -
Ensure All Accounts on the System Have Unique User IDs
Change user IDs (UIDs), or delete accounts, so each has a unique name.Rule Medium Severity -
Ensure All Groups on the System Have Unique Group ID
Change the group name or delete groups, so each has a unique id.Rule Medium Severity -
Ensure All Groups on the System Have Unique Group Names
Change the group name or delete groups, so each has a unique name.Rule Medium Severity -
number of days after a password expires until the account is permanently disabled
The number of days to wait after a password expires, until the account will be permanently disabled.Value -
Ensure All Accounts on the System Have Unique Names
Ensure accounts on the system have unique names. To ensure all accounts have unique names, run the following command: <pre>$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d</pre> If a usernam...Rule Medium Severity -
Set Password Warning Age
To specify how many days prior to password expiration that a warning will be issued to users, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_WARN_AGE <...Rule Medium Severity -
Use Centralized and Automated Authentication
Implement an automated system for managing user accounts that minimizes the risk of errors, either intentional or deliberate. This system should integrate with an existing enterprise user managemen...Rule Medium Severity -
maximum password age
Maximum age of password in daysValue -
minimum password length
Minimum number of characters in passwordValue -
warning days before password expires
The number of days' warning given before a password expires.Value -
Set Password Maximum Age
To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MAX_DAYS <xccdf-1.2:sub idref="xccdf_org.ssgproject.con...Rule Medium Severity -
Set Password Minimum Length in login.defs
To specify password length requirements for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_LEN <xccdf-1.2:sub idref="xccdf_org.ssgproj...Rule Medium Severity -
Verify Proper Storage and Existence of Password Hashes
By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be readable only by processes running with root credent...Group -
Verify All Account Password Hashes are Shadowed
If any password hashes are stored in <code>/etc/passwd</code> (in the second field, instead of an <code>x</code> or <code>*</code>), the cause of this misconfiguration should be investigated. The a...Rule Medium Severity -
Ensure all users last password change date is in the past
All users should have a password change date in the past.Rule Medium Severity -
All GIDs referenced in /etc/passwd must be defined in /etc/group
Add a group to the system for each GID referenced without a corresponding group.Rule Low Severity -
Prevent Login to Accounts With Empty Password
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the <code>...Rule High Severity -
Restrict Root Logins
Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivileged account, and then use <code>su</code> or <cod...Group -
Verify Only Root Has UID 0
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. <br> If the account is asso...Rule High Severity -
Verify Root Has A Primary GID 0
Therootuser should have a primary group of 0.Rule High Severity -
Ensure that System Accounts Do Not Run a Shell Upon Login
Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. Should an attacker be able to log into these accounts, they should not be grant...Rule Medium Severity -
Restrict Serial Port Root Logins
To restrict root logins on serial ports, ensure lines of this form do not appear in/etc/securetty:ttyS0 ttyS1
Rule Medium Severity -
Restrict Virtual Console Root Logins
To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in/etc/securetty:vc/1 vc/2 vc/3 vc/4
Rule Medium Severity -
Secure Session Configuration Files for Login Accounts
When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the user's home directory, and may have weak permissi...Group -
Maximum login attempts delay
Maximum time in seconds between fail login attempts before re-prompting.Value -
Maximum concurrent login sessions
Maximum number of concurrent sessions by a userValue -
Account Inactivity Timeout (seconds)
In an interactive shell, the value is interpreted as the number of seconds to wait for input after issuing the primary prompt. Bash terminates after waiting for that number of seconds if input does...Value -
Configure Polyinstantiation of /tmp Directories
To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use the following command: <pre>$ sudo mkdir --mode 000 ...Rule Low Severity -
Configure Polyinstantiation of /var/tmp Directories
To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use the following command: <pre>$ sudo mkdir --mode 000 ...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.