Oracle Linux 8 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • OL 8 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited.

    Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. ...
    Rule Medium Severity
  • OL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.

    If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
    Rule Medium Severity
  • OL 8 must compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).

    Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when condu...
    Rule Medium Severity
  • OL 8 must not have the telnet-server package installed.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule High Severity
  • OL 8 must enable mitigations against processor-based vulnerabilities.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Low Severity
  • OL 8 must not have the Controller Area Network (CAN) kernel module installed if not required for operational support.

    The CAN protocol is a robust vehicle bus standard designed to allow microcontrollers and devices to communicate with each other's applications without a host computer. Disabling CAN protects the sy...
    Rule Medium Severity
  • OL 8 must not have the stream control transmission protocol (SCTP) kernel module installed if not required for operational support.

    The SCTP is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system ag...
    Rule Medium Severity
  • OL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.

    To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restr...
    Rule Medium Severity
  • The OL 8 file system automounter must be disabled unless required.

    Verify the operating system disables the ability to automount devices. Determine if automounter service is active with the following command: $ sudo systemctl status autofs autofs.service ...
    Rule Medium Severity
  • An OL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.

    Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD ...
    Rule Medium Severity
  • A firewall must be installed on OL 8.

    "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to netwo...
    Rule Medium Severity
  • A firewall must be active on OL 8.

    "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to netwo...
    Rule Medium Severity
  • OL 8 wireless network adapters must be disabled.

    Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and read, altered, or used to ...
    Rule Medium Severity
  • OL 8 Bluetooth must be disabled.

    Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and read, altered, or used to ...
    Rule Medium Severity
  • OL 8 must mount "/dev/shm" with the "nodev" option.

    The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio...
    Rule Medium Severity
  • OL 8 must mount "/dev/shm" with the "nosuid" option.

    The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio...
    Rule Medium Severity
  • OL 8 must mount "/dev/shm" with the "noexec" option.

    The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio...
    Rule Medium Severity
  • OL 8 must mount "/tmp" with the "nodev" option.

    The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio...
    Rule Medium Severity
  • OL 8 must mount "/tmp" with the "noexec" option.

    The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio...
    Rule Medium Severity
  • OL 8 must mount "/var/log" with the "nosuid" option.

    The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio...
    Rule Medium Severity
  • OL 8 must mount "/var/log/audit" with the "nodev" option.

    The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio...
    Rule Medium Severity
  • OL 8 must mount "/var/log/audit" with the "nosuid" option.

    The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio...
    Rule Medium Severity
  • OL 8 must mount "/var/log/audit" with the "noexec" option.

    The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio...
    Rule Medium Severity
  • OL 8 must mount "/var/tmp" with the "nodev" option.

    The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio...
    Rule Medium Severity
  • OL 8 must mount "/var/tmp" with the "nosuid" option.

    The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio...
    Rule Medium Severity
  • OL 8 must mount "/var/tmp" with the "noexec" option.

    The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio...
    Rule Medium Severity
  • The OL 8 "fapolicy" module must be installed.

    The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio...
    Rule Medium Severity
  • The OL 8 "fapolicy" module must be enabled.

    The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio...
    Rule Medium Severity
  • The OL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

    The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio...
    Rule Medium Severity
  • OL 8 must have the USBGuard installed.

    Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include but are not limited to such devices as flash drive...
    Rule Medium Severity
  • OL 8 must enable the USBGuard.

    Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include but are not limited to such devices as flash drive...
    Rule Medium Severity
  • A firewall must be able to protect against or limit the effects of denial-of-service (DoS) attacks by ensuring OL 8 can implement rate-limiting measures on impacted network interfaces.

    DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requi...
    Rule Medium Severity
  • All OL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.

    Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and read or altered. This requirement a...
    Rule Medium Severity
  • OL 8 must force a frequent session key renegotiation for SSH connections to the server.

    Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DOD data may be co...
    Rule Medium Severity
  • The x86 Ctrl-Alt-Delete key sequence in OL 8 must be disabled if a graphical user interface is installed.

    A locally logged-on user, who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create th...
    Rule High Severity
  • OL 8 must disable the debug-shell systemd service.

    The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds a layer of assur...
    Rule Low Severity
  • OL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.

    ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An ill...
    Rule Medium Severity
  • OL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.

    ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An ill...
    Rule Medium Severity
  • OL 8 must not send Internet Control Message Protocol (ICMP) redirects.

    ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly r...
    Rule Medium Severity
  • OL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.

    Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. There are notable differences between Internet Protocol version 4 (IPv4) and Inte...
    Rule Medium Severity
  • OL 8 must not forward IPv4 source-routed packets.

    Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security me...
    Rule Medium Severity
  • OL 8 must not forward IPv6 source-routed packets by default.

    Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security me...
    Rule Medium Severity
  • OL 8 must not accept router advertisements on all IPv6 interfaces.

    Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unn...
    Rule Medium Severity
  • OL 8 must not accept router advertisements on all IPv6 interfaces by default.

    Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unn...
    Rule Medium Severity
  • OL 8 must disable access to the network "bpf" syscall from unprivileged processes.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Medium Severity
  • OL 8 must use reverse path filtering on all IPv4 interfaces.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Medium Severity
  • The graphical display manager must not be installed on OL 8 unless approved.

    Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. X Windows has a long history of security vulnerabilities...
    Rule Medium Severity
  • OL 8 network interfaces must not be in promiscuous mode.

    Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect in...
    Rule Medium Severity
  • OL 8 must not have the "gssproxy" package installed if not required for operational support.

    Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. W...
    Rule Medium Severity
  • OL 8 library directories must have mode 755 or less permissive.

    If OL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust chan...
    Rule Medium Severity
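The two audit storage rules above (acting at 75 percent of capacity, and offloading records) are usually implemented in /etc/audit/auditd.conf. auditd expresses the threshold as the space that is left, so "75 percent used" is "space_left = 25%", and the default space_left_action of "ignore" satisfies nothing. The script below is an added example, not code from the benchmark or from Oracle: it parses an auditd.conf, accepts a percentage or flags an absolute megabyte value for manual comparison against the partition size, and requires an action that actually reaches a person. The sample files are constructed here so the check runs offline; the set of acceptable actions (email, syslog, exec) is this example's assumption, and the benchmark's own check text names the one it expects.

```bash
#!/bin/bash
# Added example (not from the STIG or Oracle): check that auditd.conf will
# notify someone when the audit partition is 75 percent full.  auditd expresses
# the threshold as the space LEFT, so 75 percent used is "space_left = 25%",
# and the action must be one a human actually sees, not the default "ignore".

# audit_conf_get FILE KEY: print the value of the last "KEY = value" line,
# skipping comments (empty output if the key is absent).
audit_conf_get() {
    awk -v key="$2" -F'=' '
        /^[[:space:]]*#/ { next }
        NF >= 2 {
            k = $1; v = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) last = v
        }
        END { if (last != "") print last }' "$1"
}

# check_audit_space_left FILE: 0 = compliant, 1 = finding, 2 = needs a manual
# check (an absolute megabyte value only means something next to the size of
# the /var/log/audit partition).
check_audit_space_left() {
    local conf="$1" left action
    left=$(audit_conf_get "$conf" space_left)
    action=$(audit_conf_get "$conf" space_left_action)
    case "$left" in
        '')
            echo "FAIL: space_left is not set"; return 1 ;;
        *%)
            # A larger reserve fires before 75 percent used: stricter, not a finding.
            if [ "${left%\%}" -lt 25 ]; then
                echo "FAIL: space_left = $left (needs at least 25%)"; return 1
            fi ;;
        *)
            echo "MANUAL: space_left = $left MB; compare with 25% of the audit partition"; return 2 ;;
    esac
    # Assumption of this example: any of these actions reaches security personnel.
    case "$action" in
        email|syslog|exec) ;;
        *) echo "FAIL: space_left_action = '${action:-unset}' (must notify, e.g. email)"; return 1 ;;
    esac
    echo "PASS: space_left = $left, space_left_action = $action"
}

# Constructed sample files (not from a real host) so the check runs offline.
samples=$(mktemp -d); trap 'rm -rf "$samples"' EXIT
cat > "$samples/good.conf" <<'EOF'
# auditd.conf excerpt
log_file = /var/log/audit/audit.log
space_left = 25%
space_left_action = email
action_mail_acct = root
EOF
cat > "$samples/bad.conf" <<'EOF'
space_left = 10%
space_left_action = ignore
EOF
cat > "$samples/legacy.conf" <<'EOF'
space_left = 75
space_left_action = syslog
EOF

for f in good bad legacy; do
    check_audit_space_left "$samples/$f.conf" || true
done
```

On a live host run check_audit_space_left /etc/audit/auditd.conf; auditd only re-reads the file on restart, so a corrected file is not in effect until the service is restarted.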
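The mount-option rules above (/dev/shm, /tmp, /var/log, /var/log/audit and /var/tmp) share one practical point: an option can only be enforced on a path that is its own mount, and it has to hold both in the running mount table and in /etc/fstab, or it is lost at the next boot. The script below is an added example, not code from the benchmark or from Oracle. It reads a table in the column order shared by /proc/self/mounts and /etc/fstab (source, target, type, options) and reports, for exactly the paths and options this page lists, what is missing or not separately mounted. The sample table is constructed here so it runs offline.

```bash
#!/bin/bash
# Added example (not from the STIG or Oracle): check the mount options the
# rules above require, reading a mount table in /proc/self/mounts (fstab)
# column order: source target fstype options dump pass.  Point it at
# /proc/self/mounts for the running state and at /etc/fstab for what survives
# a reboot; both must pass.

# missing_mount_opts "rw,nosuid,..." nodev nosuid noexec: print the required
# options that are absent from the comma-separated option string.
missing_mount_opts() {
    local have=",$1," want missing=""
    shift
    for want in "$@"; do
        case "$have" in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
}

# check_mount_table FILE: one PASS/FAIL line per required mount point; returns
# the number of findings.  A path that is not its own mount point is a finding
# too: options can only be enforced on a separate filesystem.
check_mount_table() {
    local table="$1" findings=0 target need opts miss
    while read -r target need; do
        # the last matching line wins, as in the live mount table
        opts=$(awk -v t="$target" '$2 == t { o = $4 } END { print o }' "$table")
        if [ -z "$opts" ]; then
            echo "FAIL $target: not a separate mount"
            findings=$((findings + 1)); continue
        fi
        miss=$(missing_mount_opts "$opts" $need)
        if [ -n "$miss" ]; then
            echo "FAIL $target: missing $miss (options: $opts)"
            findings=$((findings + 1))
        else
            echo "PASS $target: $opts"
        fi
    done <<'EOF'
/dev/shm nodev nosuid noexec
/tmp nodev noexec
/var/log nosuid
/var/log/audit nodev nosuid noexec
/var/tmp nodev nosuid noexec
EOF
    return "$findings"
}

# Constructed sample table (not a real host): /tmp lacks noexec, /var/log lacks
# nosuid, and /var/tmp is not a separate mount.
sample_mounts=$(mktemp); trap 'rm -f "$sample_mounts"' EXIT
cat > "$sample_mounts" <<'EOF'
/dev/mapper/ol-root / xfs rw,relatime,seclabel 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,seclabel 0 0
/dev/mapper/ol-tmp /tmp xfs rw,nosuid,nodev,relatime,seclabel 0 0
/dev/mapper/ol-var_log /var/log xfs rw,nodev,noexec,relatime,seclabel 0 0
/dev/mapper/ol-var_log_audit /var/log/audit xfs rw,nosuid,nodev,noexec,relatime,seclabel 0 0
EOF

check_mount_table "$sample_mounts" || echo "$? finding(s)"
```

The required list deliberately contains only the paths and options the rules on this page name; the full benchmark may require more for the same paths, so extend the heredoc from the rule text rather than from memory. Mount points containing spaces appear octal-escaped (\040) in /proc/self/mounts and would need decoding before the exact match.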
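The kernel-parameter rules above (ICMP redirects in both directions, broadcast echoes, source routing, IPv6 router advertisements, the unprivileged bpf syscall and reverse path filtering) are all sysctl settings, and the common way to fail them is not a missing line but an overriding one: systemd-sysctl applies every *.conf in the sysctl.d directories in basename order, a file in /etc/sysctl.d shadows a same-named vendor file in /usr/lib/sysctl.d, and the last assignment of a key wins. The script below is an added example, not code from the benchmark or from Oracle. It reproduces that ordering, computes the value each key ends up with, and compares it with the required values; the parameter names are the ones these rules are conventionally implemented with, so confirm them against each rule's own check text. The directory tree is constructed here so it runs offline.

```bash
#!/bin/bash
# Added example (not Oracle's or DISA's code): work out the value each kernel
# parameter ENDS UP with after systemd-sysctl applies the drop-in files, then
# compare with the values the rules above require.  A grep for the right line
# passes a host where a later file silently overrides it.

# sysctl_drop_ins DIR...: list *.conf files in application order.  As in
# sysctl.d(5), a file in an earlier directory (e.g. /etc/sysctl.d) shadows a
# same-named file in a later one (e.g. /usr/lib/sysctl.d), and the surviving
# files are applied in lexicographic order of their basename.
sysctl_drop_ins() {
    local dir f
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -e "$f" ] && printf '%s\t%s\n' "$(basename "$f")" "$f"
        done
    done | sort -s -t "$(printf '\t')" -k1,1 | awk -F'\t' '!seen[$1]++ { print $2 }'
}

# effective_sysctl FILE...: print "key value" for the last assignment of each
# key across FILEs in the given order; later files override earlier ones.
effective_sysctl() {
    awk '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            sub(/^-/, "", k)        # a leading "-" only tells sysctl to ignore errors
            gsub(/\//, ".", k)      # sysctl(8) accepts "/" as a separator too
            val[k] = v
        }
        END { for (k in val) print k, val[k] }
    ' "$@"
}

# check_sysctl_required FILE...: compare the effective values with the values
# the rules above require; returns the number of keys missing or wrong.
check_sysctl_required() {
    local findings=0 key want have effective
    effective=$(effective_sysctl "$@")
    while read -r key want; do
        have=$(printf '%s\n' "$effective" | awk -v k="$key" '$1 == k { print $2 }')
        if [ "$have" = "$want" ]; then
            echo "PASS $key = $have"
        else
            echo "FAIL $key: effective value '${have:-unset}', required $want"
            findings=$((findings + 1))
        fi
    done <<'EOF'
net.ipv4.conf.all.accept_redirects 0
net.ipv6.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.accept_source_route 0
net.ipv6.conf.default.accept_source_route 0
net.ipv6.conf.all.accept_ra 0
net.ipv6.conf.default.accept_ra 0
kernel.unprivileged_bpf_disabled 1
net.ipv4.conf.all.rp_filter 1
EOF
    return "$findings"
}

# Constructed sample tree (not a real host).  /etc/sysctl.d/50-default.conf
# shadows the vendor file of the same name, so the bpf setting that only lived
# there is lost, and 99-sysctl.conf re-enables router advertisements last.
root=$(mktemp -d); trap 'rm -rf "$root"' EXIT
mkdir -p "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d"
cat > "$root/usr/lib/sysctl.d/50-default.conf" <<'EOF'
net.ipv4.conf.all.rp_filter = 1
kernel.unprivileged_bpf_disabled = 1
EOF
cat > "$root/etc/sysctl.d/50-default.conf" <<'EOF'
net.ipv4.conf.all.rp_filter = 1
EOF
cat > "$root/etc/sysctl.d/10-stig.conf" <<'EOF'
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
EOF
cat > "$root/etc/sysctl.d/99-sysctl.conf" <<'EOF'
net.ipv6.conf.all.accept_ra = 1
EOF

files=$(sysctl_drop_ins "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d")
check_sysctl_required $files || echo "$? finding(s)"
```

On a live host the directories are, in precedence order, /etc/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d /usr/lib/sysctl.d; on OL 8 and other RHEL-family systems /etc/sysctl.conf is normally pulled in through a 99-sysctl.conf symlink in /etc/sysctl.d, which is why it tends to win. The configured value is only half of the check: compare it with the running kernel (sysctl -n KEY) as well, since a file that is correct on disk does nothing until sysctl --system or a reboot applies it.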