Guide to the Secure Configuration of Oracle Linux 7
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Install the Asset Configuration Compliance Module (ACCM)
Install the Asset Configuration Compliance Module (ACCM).Rule Medium Severity -
Install the Policy Auditor (PA) Module
Install the Policy Auditor (PA) Module.Rule Medium Severity -
Encrypt Partitions
Oracle Linux 7 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. <br> ...Rule High Severity -
Ensure /boot Located On Separate Partition
It is recommended that the <code>/boot</code> directory resides on a separate partition. This makes it easier to apply restrictions e.g. through the <code>noexec</code> mount option. Eventually, th...Rule Medium Severity -
Ensure /home Located On Separate Partition
If user home directories will be stored locally, create a separate partition for <code>/home</code> at installation time (or migrate it later using LVM). If <code>/home</code> will be mounted from ...Rule Low Severity -
Ensure /opt Located On Separate Partition
It is recommended that the/optdirectory resides on a separate partition.Rule Medium Severity -
Ensure /srv Located On Separate Partition
If a file server (FTP, TFTP...) is hosted locally, create a separate partition for <code>/srv</code> at installation time (or migrate it later using LVM). If <code>/srv</code> will be mounted from ...Rule Unknown Severity -
Ensure /tmp Located On Separate Partition
The/tmpdirectory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.Rule Low Severity -
Ensure /usr Located On Separate Partition
It is recommended that the/usrdirectory resides on a separate partition.Rule Medium Severity -
Ensure /var Located On Separate Partition
The <code>/var</code> directory is used by daemons and other system services to store frequently-changing data. Ensure that <code>/var</code> has its own partition or logical volume at installation...Rule Low Severity -
Ensure /var/log Located On Separate Partition
System logs are stored in the/var/logdirectory. Ensure that/var/loghas its own partition or logical volume at installation time, or migrate it using LVM.Rule Low Severity -
Ensure /var/log/audit Located On Separate Partition
Audit logs are stored in the <code>/var/log/audit</code> directory. Ensure that <code>/var/log/audit</code> has its own partition or logical volume at installation time, or migrate it using LVM. M...Rule Low Severity -
Ensure /var/tmp Located On Separate Partition
The/var/tmpdirectory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.Rule Medium Severity -
Configure GNOME3 DConf User Profile
By default, DConf provides a standard user profile. This profile contains a list of DConf configuration databases. The user profile and database always take the highest priority. As such the DConf ...Rule High Severity -
Configure GNOME Login Screen
In the default GNOME desktop, the login is displayed after system boot and can display user accounts, allow users to reboot the system, and allow users to login automatically and/or with a guest ac...Group -
Disable the GNOME3 Login User List
In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled by setting <code>di...Rule Medium Severity -
Enable the GNOME3 Login Smartcard Authentication
In the default graphical environment, smart card authentication can be enabled on the login screen by setting <code>enable-smartcard-authentication</code> to <code>true</code>. <br> <br> T...Rule Medium Severity -
Set the GNOME3 Login Number of Failures
In the default graphical environment, the GNOME3 login screen and be configured to restart the authentication process after a configured number of attempts. This can be configured by setting <code>...Rule Medium Severity -
Disable GDM Automatic Login
The GNOME Display Manager (GDM) can allow users to automatically login without user interaction or credentials. User should always be required to authenticate themselves to the system that they are...Rule High Severity -
Disable GDM Guest Login
The GNOME Display Manager (GDM) can allow users to login without credentials which can be useful for public kiosk scenarios. Allowing users to login without credentials or "guest" account access ha...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.