Skip to content

Guide to the Secure Configuration of Kylin Server 10

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces

    To set the runtime status of the <code>net.ipv4.conf.all.secure_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w...
    Rule Medium Severity
  • Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default

    To set the runtime status of the <code>net.ipv4.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sy...
    Rule Medium Severity
  • Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default

    To set the runtime status of the <code>net.ipv4.conf.default.rp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w ne...
    Rule Medium Severity
  • Configure Kernel Parameter for Accepting Secure Redirects By Default

    To set the runtime status of the <code>net.ipv4.conf.default.secure_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysct...
    Rule Medium Severity
  • Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces

    To set the runtime status of the <code>net.ipv4.icmp_echo_ignore_broadcasts</code> kernel parameter, run the following command: <pre>$ sudo sysctl ...
    Rule Medium Severity
  • Network Parameters for Hosts Only

    If the system is not going to be used as a router, then setting certain kernel parameters ensure that the host will not perform routing of network ...
    Group
  • Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces

    To set the runtime status of the <code>net.ipv4.conf.all.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w n...
    Rule Medium Severity
  • Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

    To set the runtime status of the <code>net.ipv4.conf.default.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl ...
    Rule Medium Severity
  • Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces

    To set the runtime status of the <code>net.ipv4.ip_forward</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.ip_fo...
    Rule Medium Severity
  • File Permissions and Masks

    Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which t...
    Group
  • Verify Permissions on Important Files and Directories

    Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses impo...
    Group
  • Ensure All Files Are Owned by a Group

    If any file is not group-owned by a group present in /etc/group, the cause of the lack of group-ownership must be investigated. Following this, tho...
    Rule Medium Severity
  • Ensure All Files Are Owned by a User

    If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted...
    Rule Medium Severity
  • Verify Permissions on Files with Local Account Information and Credentials

    The default restrictive permissions for files which act as important security databases such as <code>passwd</code>, <code>shadow</code>, <code>gro...
    Group
  • Verify Group Who Owns group File

    To properly set the group owner of /etc/group, run the command:
    $ sudo chgrp root /etc/group
    Rule Medium Severity
  • Verify Group Who Owns passwd File

    To properly set the group owner of /etc/passwd, run the command:
    $ sudo chgrp root /etc/passwd
    Rule Medium Severity
  • Verify Group Who Owns shadow File

    To properly set the group owner of /etc/shadow, run the command:
    $ sudo chgrp root /etc/shadow
    Rule Medium Severity
  • Verify User Who Owns group File

    To properly set the owner of /etc/group, run the command:
    $ sudo chown root /etc/group 
    Rule Medium Severity
  • Verify User Who Owns passwd File

    To properly set the owner of /etc/passwd, run the command:
    $ sudo chown root /etc/passwd 
    Rule Medium Severity
  • SELinux

    SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that p...
    Group
  • Ensure SELinux is Not Disabled

    The SELinux state should be set to <code>enforcing</code> or <code>permissive</code> at system boot time. In the file <code>/etc/selinux/config</co...
    Rule High Severity
  • Services

    The best protection against vulnerable software is running less software. This section describes how to review the software which Kylin Server 10 i...
    Group
  • Base Services

    This section addresses the base services that are installed on a Kylin Server 10 default installation which are not covered in other sections. Some...
    Group
  • Install the psacct package

    The process accounting service, <code>psacct</code>, works with programs including <code>acct</code> and <code>ac</code> to allow system administra...
    Rule Low Severity
  • Enable Process Accounting (psacct)

    The process accounting service, <code>psacct</code>, works with programs including <code>acct</code> and <code>ac</code> to allow system administra...
    Rule Low Severity
  • Cron and At Daemons

    The cron and at services are used to allow commands to be executed at a later time. The cron service is required by almost all systems to perform n...
    Group
  • Restrict at and cron to Authorized Users if Necessary

    The <code>/etc/cron.allow</code> and <code>/etc/at.allow</code> files contain lists of users who are allowed to use <code>cron</code> and at to del...
    Group
  • Ensure that /etc/cron.allow exists

    The file /etc/cron.allow should exist and should be used instead of /etc/cron.deny.
    Rule Medium Severity
  • Mail Server Software

    Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious target...
    Group
  • Configure SMTP For Mail Clients

    This section discusses settings for Postfix in a submission-only e-mail configuration.
    Group
  • Postfix Root Mail Alias

    Specify an email address (string) for a root mail alias.
    Value
  • Configure System to Forward All Mail For The Root Account

    Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address <xccdf-1.2:sub idref="xccdf_org....
    Rule Medium Severity
  • NFS and RPC

    The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circ...
    Group
  • Uninstall nfs-utils Package

    The nfs-utils package can be removed with the following command:
    $ sudo dnf remove nfs-utils
    Rule Low Severity
  • Configure NFS Clients

    The steps in this section are appropriate for systems which operate as NFS clients.
    Group
  • Disable NFS Server Daemons

    There is no need to run the NFS server daemons <code>nfs</code> and <code>rpcsvcgssd</code> except on a small number of properly secured systems de...
    Group
  • Disable Network File System (nfs)

    The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is...
    Rule Unknown Severity
  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...
    Group
  • Vendor Approved Time pools

    The list of vendor-approved pool servers
    Value
  • Vendor Approved Time Servers

    The list of vendor-approved time servers
    Value
  • The Chrony package is installed

    System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or se...
    Rule Medium Severity
  • Install the ntp service

    The ntpd service should be installed.
    Rule High Severity
  • Uninstall tftp-server Package

    The tftp-server package can be removed with the following command:
     $ sudo dnf remove tftp-server
    Rule High Severity
  • Enable the NTP Daemon

    Run the following command to determine the current status of the <code>chronyd</code> service: <pre>$ sudo systemctl is-active chronyd</pre> If ...
    Rule Medium Severity
  • Chrony Configure Pool and Server

    <code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of s...
    Rule Medium Severity
  • Obsolete Services

    This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or...
    Group
  • Uninstall rsync Package

    The rsyncd service can be used to synchronize files between systems over network links. The <code>rsync</code> package can be removed with the foll...
    Rule Medium Severity
  • NIS

    The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and oth...
    Group
  • Remove NIS Client

    The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system conf...
    Rule Unknown Severity
  • Telnet

    The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication informat...
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules