Guide to the Secure Configuration of Kylin Server 10
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Configure GNOME Screen Locking
In the default GNOME3 desktop, the screen can be locked by selecting the user name in the far right corner of the main panel and selecting <b>Lock<...Group -
Screensaver Inactivity timeout
Choose allowed duration (in seconds) of inactive graphical sessionsValue -
Set GNOME3 Screensaver Inactivity Timeout
The idle time-out value for inactivity in the GNOME3 desktop is configured via the <code>idle-delay</code> setting must be set under an appropriate...Rule Medium Severity -
Implement Blank Screensaver
To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set <code>picture-uri</code> to <code>string ''</code> in <code>/etc...Rule Medium Severity -
GNOME System Settings
GNOME provides configuration and functionality to a graphical desktop environment that changes grahical configurations or allow a user to perform a...Group -
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
By default, <code>GNOME</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed. <br> <br> To configure the...Rule High Severity -
Ensure invoking users password for privilege escalation when using sudo
The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validate...Rule Medium Severity -
System Tooling / Utilities
The following checks evaluate the system for recommended base packages -- both for installation and removal.Group -
Install binutils Package
Thebinutilspackage can be installed with the following command:$ sudo dnf install binutils
Rule Medium Severity -
Updating Software
The <code>dnf</code> command line tool is used to install and update software packages. The system also provides a graphical software update tool i...Group -
Ensure gpgcheck Enabled In Main dnf Configuration
The <code>gpgcheck</code> option controls whether RPM packages' signatures are always checked prior to installation. To configure dnf to check pack...Rule High Severity -
Ensure gpgcheck Enabled for All dnf Package Repositories
To ensure signature checking is not disabled for any repos, remove any lines from files in <code>/etc/yum.repos.d</code> of the form: <pre>gpgcheck...Rule High Severity -
Account and Access Control
In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which...Group -
Warning Banners for System Accesses
Each system should expose as little information about itself as possible. <br> <br> System banners, which are typically displayed just befor...Group -
Login Banner Verbiage
Enter an appropriate login banner for your organization. Please note that new lines must be expressed by the '\n' character and special characters ...Value -
MotD Banner Verbiage
Enter an appropriate login banner for your organization. Please note that new lines must be expressed by the '\n' character and special characters ...Value -
Modify the System Login Banner
To configure the system login banner edit <code>/etc/issue</code>. Replace the default text with a message compliant with the local site policy or...Rule Medium Severity -
Modify the System Message of the Day Banner
To configure the system message banner edit <code>/etc/motd</code>. Replace the default text with a message compliant with the local site policy or...Rule Medium Severity -
Protect Accounts by Configuring PAM
PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and confi...Group -
Password Hashing algorithm for pam_unix.so
Specify the system default encryption algorithm for encrypting passwords. Defines the hashing algorithm to be used in pam_unix.so.Value -
remember
The last n passwords for each user are saved in <code>/etc/security/opasswd</code> in order to force password change history and keep the user from...Value -
Set Lockouts for Failed Password Attempts
The <code>pam_faillock</code> PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentati...Group -
fail_deny
Number of failed login attempts before account lockoutValue -
fail_unlock_time
Seconds before automatic unlocking or permanently locking after excessive failed loginsValue -
Limit Password Reuse
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_unix</code> or <...Rule Medium Severity -
Lock Accounts After Failed Password Attempts
This rule configures the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>. pam_faillock.so...Rule Medium Severity -
Set Lockout Time for Failed Password Attempts
This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using <code>pam_fail...Rule Medium Severity -
Set Password Quality Requirements
The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure pas...Group -
Set Password Quality Requirements with pam_pwquality
The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br> <br> For example, to conf...Group -
dcredit
Minimum number of digits in passwordValue -
lcredit
Minimum number of lower case in passwordValue -
minclass
Minimum number of categories of characters that must exist in a passwordValue -
minlen
Minimum number of characters in passwordValue -
ocredit
Minimum number of other (special characters) in passwordValue -
retry
Number of retry attempts before erroring outValue -
ucredit
Minimum number of upper case in passwordValue -
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
The pam_pwquality module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, a...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Enforce for root User
The pam_pwquality module's <code>enforce_for_root</code> parameter controls requirements for enforcing password complexity for the root user. Enabl...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
The pam_pwquality module's <code>lcredit</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negativ...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Different Categories
The pam_pwquality module's <code>minclass</code> parameter controls requirements for usage of different character classes, or types, of character t...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Length
The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xcc...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Special Characters
The pam_pwquality module's <code>ocredit=</code> parameter controls requirements for usage of special (or "other") characters in a password. When s...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
To configure the number of retry prompts that are permitted per-session: Edit the <code>pam_pwquality.so</code> statement in <code>/etc/pam.d/sys...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
The pam_pwquality module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negati...Rule Medium Severity -
Set Password Hashing Algorithm
The system's default algorithm for storing password hashes in/etc/shadowis SHA-512. This can be configured in several locations.Group -
Set PAM''s Password Hashing Algorithm - password-auth
The PAM system service can be configured to only store encrypted representations of passwords. In <code>/etc/pam.d/password-auth</code>, the <code>...Rule Medium Severity -
Set PAM''s Password Hashing Algorithm
The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/system-auth", the <code>password</cod...Rule Medium Severity -
Protect Physical Console Access
It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be co...Group -
Require Authentication for Emergency Systemd Target
Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence. <br> ...Rule Medium Severity -
Require Authentication for Single User Mode
Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.