Skip to content
Log In

Guide to the Secure Configuration of Oracle Linux 7

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Disable Core Dumps for SUID programs

    To set the runtime status of the <code>fs.suid_dumpable</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.suid_dumpable=0</pre> To make sure that the setting is persisten...
    Rule Medium Severity
    Show

  • Enable ExecShield

    ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These features include random placement of the stack and othe...
    Group
    Show

  • kernel.kptr_restrict

    Configure exposition of kernel pointer addresses
    Value
    Show

  • Restrict Exposed Kernel Pointer Addresses Access

    To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_restrict=<xccdf-1.2:sub idref="xccdf_org.ssgproject...
    Rule Medium Severity
    Show

  • Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems

    Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Int...
    Group
    Show

  • Enable NX or XD Support in the BIOS

    Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section....
    Rule Medium Severity
    Show

  • Install PAE Kernel on Supported 32-bit x86 Systems

    Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and ...
    Rule Unknown Severity
    Show

  • Memory Poisoning

    Memory Poisoning consists of writing a special value to uninitialized or freed memory. Poisoning can be used as a mechanism to prevent leak of information and detection of corrupted memory.
    Group
    Show

  • slub_debug - debug options

    Defines the debug options to use in slub_debug kernel command line argument.
    Value
    Show

  • Enable page allocator poisoning

    To enable poisoning of free pages, add the argument <code>page_poison=1</code> to the default GRUB 2 command line for the Linux operating system. To ensure that <code>page_poison=1</code> is added ...
    Rule Medium Severity
    Show

  • Enable SLUB/SLAB allocator poisoning

    To enable poisoning of SLUB/SLAB objects, add the argument <code>slub_debug=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_slub_debug_options" use="legacy"></xccdf-1.2:sub> <...
    Rule Medium Severity
    Show

  • SELinux policy

    Type of policy in use. Possible values are:
    targeted - Only targeted network daemons are protected.
    strict - Full SELinux protection.
    mls - Multiple levels of security
    Value
    Show

  • SELinux state

    enforcing - SELinux security policy is enforced.
    permissive - SELinux prints warnings instead of enforcing.
    disabled - SELinux is fully disabled.
    Value
    Show

  • Install libselinux Package

    The libselinux package can be installed with the following command: 
    $ sudo yum install libselinux
    Rule High Severity
    Show

  • Install policycoreutils Package

    The policycoreutils package can be installed with the following command: 
    $ sudo yum install policycoreutils
    Rule Low Severity
    Show

  • Uninstall setroubleshoot-plugins Package

    The SETroubleshoot plugins are used to analyze SELinux AVC data. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The <code>setroub...
    Rule Low Severity
    Show

  • Uninstall setroubleshoot-server Package

    The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The <code>se...
    Rule Low Severity
    Show

  • Uninstall setroubleshoot Package

    The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The <code>se...
    Rule Low Severity
    Show

  • Ensure SELinux Not Disabled in the kernel arguments

    SELinux can be disabled at boot time by disabling it via a kernel argument. Remove any instances of <code>selinux=0</code> from the kernel arguments in that file to prevent SELinux from being disab...
    Rule Medium Severity
    Show

  • Ensure SELinux Not Disabled in /etc/default/grub

    SELinux can be disabled at boot time by an argument in <code>/etc/default/grub</code>. Remove any instances of <code>selinux=0</code> from the kernel arguments in that file to prevent SELinux from ...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules