
Oracle Linux 8 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-OS-000373-GPOS-00156

    Group
  • SRG-OS-000375-GPOS-00160

    Group
  • OL 8 must have the package required for multifactor authentication installed.

    Using an authentication device, such as a DOD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials...
    Rule Low Severity
  • SRG-OS-000375-GPOS-00160

    Group
  • OL 8 must implement certificate status checking for multifactor authentication.

    Using an authentication device, such as a DOD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials...
    Rule Medium Severity
  • SRG-OS-000376-GPOS-00161

    Group
  • SRG-OS-000433-GPOS-00192

    Group
  • SRG-OS-000134-GPOS-00068

    Group
  • SRG-OS-000134-GPOS-00068

    Group
  • OL 8 must disable virtual syscalls.

    Syscalls are special routines in the Linux kernel that userspace applications invoke to perform privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the...
    Rule Medium Severity
  • SRG-OS-000134-GPOS-00068

    Group
  • OL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks.

    Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory inclu...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000433-GPOS-00193

    Group
  • SRG-OS-000437-GPOS-00194

    Group
  • YUM must remove all software components after updated versions have been installed on OL 8.

    Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may...
    Rule Low Severity
  • SRG-OS-000445-GPOS-00199

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • There must be no "shosts.equiv" files on the OL 8 operating system.

    The "shosts.equiv" files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it ...
    Rule High Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • There must be no ".shosts" files on the OL 8 operating system.

    The ".shosts" files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the...
    Rule High Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • OL 8 must enable the hardware random number generator entropy gatherer service.

    The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associ...
    Rule Low Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • The OL 8 SSH public host key files must have mode "0644" or less permissive.

    If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • The OL 8 SSH daemon must perform strict mode checking of home directory configuration files.

    If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • The OL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.

    Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • OL 8 must use a separate file system for "/var".

    The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
    Rule Low Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • OL 8 must use a separate file system for "/var/log".

    The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
    Rule Low Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • OL 8 must use a separate file system for "/tmp".

    The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000109-GPOS-00056

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.

    The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.

    The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
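The two kernel-hardening rules in this listing (disabling virtual syscalls, clearing SLUB/SLAB objects) are both enforced through kernel command-line parameters. The bash audit below is an added example, not part of the benchmark or of its automated checks; the parameter names it tests for, vsyscall=none and slub_debug=P, are the ones the STIG fix text for these rules uses, which this summary listing truncates. On a live host pass "$(cat /proc/cmdline)" as the argument; the command lines embedded in the block are constructed samples.

```bash
#!/usr/bin/env bash
# Added example (not benchmark content): audit a kernel command line for the
# vsyscall and SLUB poisoning parameters. Parameter names are the STIG's;
# the sample command lines below are constructed, not captured from a host.

cmdline_param_value() {
    # Print the value of the LAST "KEY=value" occurrence in command line $1.
    # The kernel runs a parameter's setup handler once per occurrence, so for
    # simple parameters like these the last assignment is the one in effect.
    # Prints nothing and returns 1 when KEY is absent.
    local cmdline="$1" key="$2" word value="" found=1
    for word in $cmdline; do
        case "$word" in
            "$key"=*) value="${word#*=}"; found=0 ;;
        esac
    done
    [ "$found" -eq 0 ] && printf '%s\n' "$value"
    return "$found"
}

check_vsyscall_disabled() {
    # Only an explicit vsyscall=none passes: "emulate" and "xonly" keep the
    # legacy vsyscall page mapped, and an absent parameter leaves the kernel
    # build default in place, which the rule does not accept.
    local v
    v=$(cmdline_param_value "$1" vsyscall) || return 1
    [ "$v" = none ]
}

check_slub_poisoning() {
    # slub_debug takes a string of single-letter flags; P (poisoning, which
    # overwrites freed objects) must be among them: slub_debug=P or e.g.
    # slub_debug=FZP both pass. A ",cache-name" suffix restricts the flags to
    # one slab cache, so it does not cover all objects and is rejected here.
    local v
    v=$(cmdline_param_value "$1" slub_debug) || return 1
    case "$v" in
        *,*) return 1 ;;
        *P*) return 0 ;;
    esac
    return 1
}

audit_cmdline() {
    # Report both rules for one command line; returns 1 if either fails.
    local cmdline="$1" rc=0 have
    if check_vsyscall_disabled "$cmdline"; then
        echo "PASS virtual syscalls disabled (vsyscall=none)"
    else
        have=$(cmdline_param_value "$cmdline" vsyscall || echo '<unset>')
        echo "FAIL virtual syscalls not disabled: need vsyscall=none, have vsyscall=$have"; rc=1
    fi
    if check_slub_poisoning "$cmdline"; then
        echo "PASS SLUB/SLAB objects poisoned on free (slub_debug has P)"
    else
        have=$(cmdline_param_value "$cmdline" slub_debug || echo '<unset>')
        echo "FAIL SLUB poisoning not enabled: need slub_debug=P, have slub_debug=$have"; rc=1
    fi
    return "$rc"
}

# Constructed sample command lines (not from a real host).
HARDENED_CMDLINE='BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/ol-root ro crashkernel=auto rhgb quiet vsyscall=none slub_debug=P'
WEAK_CMDLINE='BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/ol-root ro crashkernel=auto rhgb quiet vsyscall=emulate slub_debug=FZ'
# A later occurrence overrides an earlier one, so this one is NOT compliant.
OVERRIDDEN_CMDLINE='root=/dev/mapper/ol-root ro vsyscall=none vsyscall=emulate'

if [ "${BASH_SOURCE:-$0}" = "$0" ]; then
    audit_cmdline "$HARDENED_CMDLINE"
    audit_cmdline "$WEAK_CMDLINE" || echo "(weak sample flagged as expected)"
    audit_cmdline "$OVERRIDDEN_CMDLINE" || echo "(overridden sample flagged as expected)"
fi
```

Reading /proc/cmdline verifies the kernel that is actually running; the parameters also have to be in the boot loader configuration so they survive a reboot, and on OL 8 the usual way to set them is grubby --update-kernel=ALL --args="vsyscall=none slub_debug=P".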
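The separate-file-system rules for /var, /var/log and /tmp and the nosuid rules for /boot and for file systems holding user home directories all reduce to reading /etc/fstab: does the path have an entry of its own, and does that entry's option list contain nosuid. The bash functions below are an added example rather than benchmark content. They operate on fstab text passed as an argument (pass "$(cat /etc/fstab)" on a host); the fstab embedded in the block is constructed, and the audit assumes home directories live under /home.

```bash
#!/usr/bin/env bash
# Added example (not benchmark content): check fstab text for the separate
# file system and nosuid rules. The sample fstab below is constructed.

fstab_entry_for() {
    # Print the fstab line(s) whose mount point (2nd field) is exactly $2,
    # ignoring comments and blank lines. Returns 1 when there is no entry,
    # i.e. the path lives on a parent file system.
    printf '%s\n' "$1" | awk -v mnt="$2" '
        /^[[:space:]]*(#|$)/ { next }
        NF >= 4 && $2 == mnt { print; found = 1 }
        END { exit !found }'
}

check_separate_fs() {
    # "must use a separate file system for X": X needs its own fstab entry.
    fstab_entry_for "$1" "$2" >/dev/null
}

fstab_has_option() {
    # True when the entry for mount point $2 carries mount option $3.
    # Options are the comma-separated 4th field; wrapping both sides in
    # commas avoids matching "nosuid" inside an unrelated longer option.
    local entry opts
    entry=$(fstab_entry_for "$1" "$2") || return 1
    opts=$(printf '%s\n' "$entry" | awk '{print $4}')
    case ",$opts," in
        *",$3,"*) return 0 ;;
    esac
    return 1
}

audit_fstab() {
    # Apply the five rules from the listing; returns 1 if any fails.
    # Assumption: user home directories are under /home.
    local fstab="$1" rc=0 p
    for p in /var /var/log /tmp; do
        if check_separate_fs "$fstab" "$p"; then
            echo "PASS $p is a separate file system"
        else
            echo "FAIL $p has no file system of its own"; rc=1
        fi
    done
    for p in /boot /home; do
        if fstab_has_option "$fstab" "$p" nosuid; then
            echo "PASS $p is mounted nosuid"
        else
            echo "FAIL $p is not mounted nosuid"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: /var and /var/log are split out and /home is nosuid,
# but /tmp sits on the root file system and /boot lacks nosuid.
SAMPLE_FSTAB='
# /etc/fstab (constructed sample, not from a real host)
/dev/mapper/ol-root    /         xfs   defaults                      0 0
/dev/sda1              /boot     xfs   defaults                      0 0
/dev/mapper/ol-var     /var      xfs   defaults,nodev                0 0
/dev/mapper/ol-varlog  /var/log  xfs   defaults,nodev,nosuid,noexec  0 0
/dev/mapper/ol-home    /home     xfs   defaults,nodev,nosuid         0 0
/dev/mapper/ol-swap    none      swap  defaults                      0 0
'

if [ "${BASH_SOURCE:-$0}" = "$0" ]; then
    audit_fstab "$SAMPLE_FSTAB" || echo "(sample fstab has findings, as expected)"
fi
```

fstab describes the intended mounts; on a live host also compare with the running state (findmnt -no OPTIONS /boot), since a file system remounted by hand may not carry the options fstab specifies.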
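Three of the SSH rules above can be verified from the file system alone: the StrictModes and KerberosAuthentication settings in /etc/ssh/sshd_config, the mode of the public host key files, and the absence of shosts.equiv and .shosts files. The bash functions below are an added example, not the benchmark's own check scripts. They take sshd_config text and directory paths as arguments so they run against the constructed fixtures in the block (two sample config excerpts and a temporary directory tree); on a host pass "$(cat /etc/ssh/sshd_config)", /etc/ssh and / respectively. Treating a missing keyword as a finding follows the benchmark's check text, which this listing truncates; stat -c is GNU coreutils syntax.

```bash
#!/usr/bin/env bash
# Added example (not benchmark content): SSH daemon configuration, host key
# permission and shosts checks. All sample inputs are constructed.

sshd_effective() {
    # Print the globally effective value of keyword $2 in sshd_config text $1.
    # sshd uses the FIRST occurrence of a keyword and matches it
    # case-insensitively; lines after the first Match block are conditional
    # and are not consulted. Include directives are not followed.
    # Returns 1 when the keyword is not set globally.
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }           # comments and blank lines
        { gsub(/=/, " ") }                       # accept the "Keyword=value" spelling
        tolower($1) == "match" { exit }          # everything below is conditional
        tolower($1) == key { print $2; found = 1; exit }
        END { exit !found }'
}

check_strict_modes() {
    # sshd defaults StrictModes to yes, but the rule wants it stated
    # explicitly: unset, commented out or "no" is a finding.
    local v
    v=$(sshd_effective "$1" StrictModes) || return 1
    [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = yes ]
}

check_kerberos_auth() {
    # Likewise an explicit "KerberosAuthentication no" is required.
    local v
    v=$(sshd_effective "$1" KerberosAuthentication) || return 1
    [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = no ]
}

check_pubkey_modes() {
    # Every *.pub in directory $1 must be mode 0644 or less permissive:
    # any bit outside rw-r--r-- (group/other write, any execute, setuid/
    # setgid/sticky) is a finding. Prints offenders; returns 1 if any.
    local dir="$1" f mode rc=0
    for f in "$dir"/*.pub; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")                # GNU stat: octal mode, e.g. 644
        if [ $(( 0$mode & ~0644 )) -ne 0 ]; then
            printf '%s\n' "$f"; rc=1
        fi
    done
    return "$rc"
}

find_shosts_files() {
    # List shosts.equiv and .shosts files under $1 (use / on a host).
    # Returns 1 when any exist; the rules require there be none.
    local found
    found=$(find "$1" -xdev -type f \( -name shosts.equiv -o -name .shosts \) 2>/dev/null)
    [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}

make_sample_tree() {
    # Constructed fixture: a fake /etc/ssh with one correct and one
    # group-writable public key, plus a stray .shosts in a home directory.
    # Prints the root of the temporary tree; the caller removes it.
    local root
    root=$(mktemp -d)
    mkdir -p "$root/etc/ssh" "$root/home/alice"
    : > "$root/etc/ssh/ssh_host_ed25519_key.pub"; chmod 0644 "$root/etc/ssh/ssh_host_ed25519_key.pub"
    : > "$root/etc/ssh/ssh_host_rsa_key.pub";     chmod 0664 "$root/etc/ssh/ssh_host_rsa_key.pub"
    : > "$root/home/alice/.shosts"
    printf '%s\n' "$root"
}

# Constructed sshd_config excerpts (not from a real host). In the first,
# StrictModes is only a comment and the "no" inside the Match block does not
# fix the global "yes"; in the second, the later "yes" is dead configuration.
SAMPLE_SSHD_CONFIG='
Port 22
#StrictModes yes
KerberosAuthentication yes
PasswordAuthentication no
Match User backup
    KerberosAuthentication no
'
HARDENED_SSHD_CONFIG='
StrictModes yes
KerberosAuthentication no
KerberosAuthentication yes
'

if [ "${BASH_SOURCE:-$0}" = "$0" ]; then
    check_strict_modes "$SAMPLE_SSHD_CONFIG"   && echo "PASS StrictModes" || echo "FAIL StrictModes not set to yes"
    check_kerberos_auth "$SAMPLE_SSHD_CONFIG"  && echo "PASS KerberosAuthentication" || echo "FAIL KerberosAuthentication not set to no"
    ROOT=$(make_sample_tree)
    check_pubkey_modes "$ROOT/etc/ssh" || echo "FAIL public host key(s) above are more permissive than 0644"
    find_shosts_files "$ROOT"          || echo "FAIL shosts file(s) above must be removed"
    rm -rf "$ROOT"
fi
```

Because sshd honours the first occurrence of a keyword, appending a hardened line to the end of sshd_config does nothing if an earlier line already sets it; conversely a Match block cannot repair a non-compliant global value, which is why the parser stops at the first Match.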
