Guide to the Secure Configuration of Oracle Linux 7
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Obsolete Services
This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best a...Group -
Uninstall ypserv Package
Theypservpackage can be removed with the following command:$ sudo yum erase ypserv
Rule High Severity -
Limit Users Allowed FTP Access if Necessary
If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add o...Rule Unknown Severity -
Ensure LDAP client is not installed
The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The <code>openldap-clients</code> package can be removed wit...Rule Low Severity -
Enable the LDAP Client For Use in Authconfig
To determine if LDAP is being used for authentication, use the following command: <pre>$ sudo grep -i useldapauth /etc/sysconfig/authconfig</pre> <br> <br> If <code>USELDAPAUTH=yes<...Rule Medium Severity -
Mail Server Software
Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not r...Group -
Configure System to Forward All Mail From Postmaster to The Root Account
Verify the administrators are notified in the event of an audit processing failure. Check that the "/etc/aliases" file has a defined value for "root". <pre>$ sudo grep "postmaster:\s*root$" /etc/al...Rule Medium Severity -
Uninstall nfs-utils Package
Thenfs-utilspackage can be removed with the following command:$ sudo yum erase nfs-utils
Rule Low Severity -
Disable rpcbind Service
The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they e...Rule Low Severity -
Mount Remote Filesystems with Restrictive Options
Edit the file <code>/etc/fstab</code>. For each filesystem whose type (column 3) is <code>nfs</code> or <code>nfs4</code>, add the text <code>,nodev,nosuid</code> to the list of mount options in co...Group -
Enable the NTP Daemon
Run the following command to determine the current status of the <code>chronyd</code> service: <pre>$ sudo systemctl is-active chronyd</pre> If the service is running, it should return the follo...Rule Medium Severity -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. M...Rule Medium Severity -
Configure Time Service Maxpoll Interval
The <code>maxpoll</code> should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy"></xccdf-1.2:sub> in <code>/etc/ntp.conf</code> o...Rule Medium Severity -
Specify a Remote NTP Server
Depending on specific functional requirements of a concrete production environment, the Oracle Linux 7 system can be configured to utilize the services of the <code>chronyd</code> NTP daemon (the d...Rule Medium Severity -
Verify Group Who Owns /etc/chrony.keys File
To properly set the group owner of/etc/chrony.keys, run the command:$ sudo chgrp chrony /etc/chrony.keys
Rule Medium Severity -
Verify User Who Owns /etc/chrony.keys File
To properly set the owner of/etc/chrony.keys, run the command:$ sudo chown root /etc/chrony.keys
Rule Medium Severity -
Verify Permissions On /etc/chrony.keys File
To properly set the permissions of/etc/chrony.keys, run the command:$ sudo chmod 0640 /etc/chrony.keys
Rule Medium Severity -
Uninstall rsh-server Package
Thersh-serverpackage can be removed with the following command:$ sudo yum erase rsh-server
Rule High Severity -
Enable GSSAPI Authentication
Sites setup to use Kerberos or other GSSAPI Authenticaion require setting sshd to accept this authentication. To enable GSSAPI authentication, add or correct the following line in <code>/etc/ssh/...Rule Medium Severity -
Enable SSH Print Last Log
Ensure that SSH will display the date and time of the last successful account logon. <br> The default SSH configuration enables print of the date and time of the last login. The appropriate configu...Rule Medium Severity -
Configure SNMP Server if Necessary
If it is necessary to run the snmpd agent on the system, some best practices should be followed to minimize the security risk from the installation. The multiple security models implemented by SNMP...Group -
Remove the OpenSSH Server Package
Theopenssh-serverpackage should be removed. Theopenssh-serverpackage can be removed with the following command:$ sudo yum erase openssh-server
Rule Medium Severity -
Enable the OpenSSH Service
The SSH server service, sshd, is commonly needed. Thesshdservice can be enabled with the following command:$ sudo systemctl enable sshd.service
Rule Medium Severity -
Verify Group Who Owns SSH Server config file
To properly set the group owner of/etc/ssh/sshd_config, run the command:$ sudo chgrp root /etc/ssh/sshd_config
Rule Medium Severity -
Verify Owner on SSH Server config file
To properly set the owner of/etc/ssh/sshd_config, run the command:$ sudo chown root /etc/ssh/sshd_config
Rule Medium Severity -
Verify Permissions on SSH Server config file
To properly set the permissions of/etc/ssh/sshd_config, run the command:$ sudo chmod 0600 /etc/ssh/sshd_config
Rule Medium Severity -
Set SSH Client Alive Interval
SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automatically logged out. <br> <br> To set this t...Rule Medium Severity -
Disable GSSAPI Authentication
Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI. <br> The default SSH configuration disallows authentications based on GSSAPI. The appropriate c...Rule Medium Severity -
Disable X11 Forwarding
The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. SSH has the capability to encrypt remote X11 connections when SSH...Rule Medium Severity -
Force frequent session key renegotiation
The <code>RekeyLimit</code> parameter specifies how often the session key of the is renegotiated, both in terms of amount of data that may be transmitted and the time elapsed.<br> To decrease the d...Rule Medium Severity -
Use Only FIPS 140-2 Validated Ciphers
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in <code>/etc/ssh/sshd_config</code> de...Rule Medium Severity -
Use Only FIPS 140-2 Validated MACs
Limit the MACs to those hash algorithms which are FIPS-approved. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of FIPS-approved MACs: <pre>MACs hmac-sha2-512,hmac-sha2-2...Rule Medium Severity -
Prevent remote hosts from connecting to the proxy display
The SSH daemon should prevent remote hosts from connecting to the proxy display. <br> The default SSH configuration for <code>X11UseLocalhost</code> is <code>yes</code>, which prevents remote hosts...Rule Medium Severity -
Enable Smartcards in SSSD
SSSD should be configured to authenticate access to the system using smart cards. To enable smart cards in SSSD, set <code>pam_cert_auth</code> to <code>True</code> under the <code>[pam]</code> sec...Rule Medium Severity -
Configure SSSD to Expire SSH Known Hosts
SSSD should be configured to expire keys from known SSH hosts after <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_sssd_ssh_known_hosts_timeout" use="legacy"></xccdf-1.2:sub></c...Rule Medium Severity -
Remove the X Windows Package Group
By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the s...Rule Medium Severity -
Disable graphical user interface
By removing the following packages, the system no longer has X Windows installed. <code>xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils</code> If X Windows is not installed the...Rule Medium Severity -
Configure auditd Rules for Comprehensive Auditing
The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings for comprehensive auditing, but a full description...Group -
Configure auditd Data Retention
The audit system writes data to <code>/var/log/audit/audit.log</code>. By default, <code>auditd</code> rotates 5 logs by size (6MB), retaining a maximum of 30MB of data in total, and refuses to wri...Group -
Audit failure mode
This variable is the setting for the -f option in Audit configuration which sets the failure mode of audit. This option lets you determine how you want the kernel to handle critical errors. Possibl...Value -
Record Events that Modify User/Group Information via openat syscall - /etc/group
The audit system should collect write events to /etc/group file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rule...Rule Medium Severity -
Record Events that Modify User/Group Information via open syscall - /etc/gshadow
The audit system should collect write events to /etc/gshadow file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit ru...Rule Medium Severity -
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow
The audit system should collect write events to /etc/gshadow file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit ru...Rule Medium Severity -
System Audit Logs Must Have Mode 0640 or Less Permissive
Determine where the audit logs are stored with the following command: <pre>$ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log</pre> Configure the audit log to be p...Rule Medium Severity -
Record Events that Modify User/Group Information via open syscall - /etc/passwd
The audit system should collect write events to /etc/passwd file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rul...Rule Medium Severity -
Record Events that Modify User/Group Information via openat syscall - /etc/passwd
The audit system should collect write events to /etc/passwd file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rul...Rule Medium Severity -
Record Events that Modify User/Group Information via open syscall - /etc/shadow
The audit system should collect write events to /etc/shadow file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rul...Rule Medium Severity -
Record Events that Modify User/Group Information via openat syscall - /etc/shadow
The audit system should collect write events to /etc/shadow file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rul...Rule Medium Severity -
Make the auditd Configuration Immutable
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <cod...Rule Medium Severity -
Record Events that Modify the System's Mandatory Access Controls
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <cod...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules