Guide to the Secure Configuration of Oracle Linux 7
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Only sidadm and orasid/oracle User Accounts Exist on Operating System
SAP tends to use the server or virtual machine exclusively. There should be only SAP system users <code>sidadm</code> and <code>orasid</code> that exist on the operating system (or virtual machine)...Rule Medium Severity -
Sudo - logfile value
Specify the sudo logfile to use. The default value used here matches the example location from CIS, which uses /var/log/sudo.log.Value -
Ensure All Accounts on the System Have Unique User IDs
Change user IDs (UIDs), or delete accounts, so each has a unique name.Rule Medium Severity -
Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
The sudo <code>ignore_dot</code> tag, when specified, will ignore the current directory in the PATH environment variable. On Oracle Linux 7, <code>ignore_dot</code> is enabled by default This shoul...Rule Medium Severity -
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
The sudo <code>NOEXEC</code> tag, when specified, prevents user executed commands from executing other commands, like a shell for example. This should be enabled by making sure that the <code>NOEXE...Rule High Severity -
Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout
The sudo <code>passwd_timeout</code> tag sets the amount of time sudo password prompt waits. On Oracle Linux 7, the default <code>passwd_timeout</code> value is 5 minutes. The passwd_timeout shoul...Rule Medium Severity -
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
The sudo <code>requiretty</code> tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the <code>requiretty</code> tag ...Rule Medium Severity -
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
The sudo <code>use_pty</code> tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the <code>use_pty</code> tag exists...Rule Medium Severity -
Ensure Sudo Logfile Exists - sudo logfile
A custom log sudo file can be configured with the 'logfile' tag. This rule configures a sudo custom logfile at the default location suggested by CIS, which uses /var/log/sudo.log.Rule Low Severity -
Ensure a dedicated group owns sudo
Restrict the execution of privilege escalated commands to a dedicated group of users. Ensure the group owner of /usr/bin/sudo is <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.