Skip to content
Log In

Guide to the Secure Configuration of Oracle Linux 7

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Inspect and Activate Default firewalld Rules

    Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. <code>NetworkManager</code>...
    Group
    Show

  • Verify firewalld Enabled

    The firewalld service can be enabled with the following command: 
    $ sudo systemctl enable firewalld.service
    Rule Medium Severity
    Show

  • Strengthen the Default Ruleset

    The default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in configuration files under the <code>/etc/firewalld/services</code> and <code>...
    Group
    Show

  • Set Default ip6tables Policy for Incoming Packets

    To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in <code>/etc/sysconfig/ip6tables</code>: <pre...
    Rule Medium Severity
    Show

  • Set Default firewalld Zone for Incoming Packets

    To set the default zone to <code>drop</code> for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following line in <code>/etc/firewalld/firewalld.conf</code> to...
    Rule Medium Severity
    Show

  • IPSec Support

    Support for Internet Protocol Security (IPsec) is provided with Libreswan.
    Group
    Show

  • Install libreswan Package

    The libreswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The <code>libreswan</code> package can be installed with the...
    Rule Medium Severity
    Show

  • Verify Any Configured IPSec Tunnel Connections

    Libreswan provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. As such, IPsec can be used to circumvent certain network requirements su...
    Rule Medium Severity
    Show

  • iptables and ip6tables

    A host-based firewall called <code>netfilter</code> is included as part of the Linux kernel distributed with the system. It is activated by default. This firewall is controlled by the program <code...
    Group
    Show

  • Install iptables Package

    The iptables package can be installed with the following command: 
    $ sudo yum install iptables
    Rule Medium Severity
    Show

  • Verify ip6tables Enabled if Using IPv6

    The ip6tables service can be enabled with the following command: 
    $ sudo systemctl enable ip6tables.service
    Rule Medium Severity
    Show

  • Verify iptables Enabled

    The iptables service can be enabled with the following command: 
    $ sudo systemctl enable iptables.service
    Rule Medium Severity
    Show

  • Set Default iptables Policy for Incoming Packets

    To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in <code>/etc/sysconfig/iptables</code>: <pre>...
    Rule Medium Severity
    Show

  • Set Default iptables Policy for Forwarded Packets

    To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line ...
    Rule Medium Severity
    Show

  • IPv6

    The system includes support for Internet Protocol version 6. A major and often-mentioned improvement over IPv4 is its enormous increase in the number of available addresses. Another important featu...
    Group
    Show

  • Disable Support for IPv6 Unless Needed

    Despite configuration that suggests support for IPv6 has been disabled, link-local IPv6 address auto-configuration occurs even when only an IPv4 address is assigned. The only way to effectively pre...
    Group
    Show

  • Disable IPv6 Networking Support Automatic Loading

    To prevent the IPv6 kernel module (<code>ipv6</code>) from binding to the IPv6 networking stack, add the following line to <code>/etc/modprobe.d/disabled.conf</code> (or another file in <code>/etc/...
    Rule Medium Severity
    Show

  • Disable Support for RPC IPv6

    RPC services for NFSv4 try to load transport modules for <code>udp6</code> and <code>tcp6</code> by default, even if IPv6 has been disabled in <code>/etc/modprobe.d</code>. To prevent RPC services ...
    Rule Unknown Severity
    Show

  • Disable IPv6 Addressing on All IPv6 Interfaces

    To disable support for (<code>ipv6</code>) addressing on all interface add the following line to <code>/etc/sysctl.d/ipv6.conf</code> (or another file in <code>/etc/sysctl.d</code>): <pre>net.ipv6....
    Rule Medium Severity
    Show

  • Disable IPv6 Addressing on IPv6 Interfaces by Default

    To disable support for (<code>ipv6</code>) addressing on interfaces by default add the following line to <code>/etc/sysctl.d/ipv6.conf</code> (or another file in <code>/etc/sysctl.d</code>): <pre>n...
    Rule Medium Severity
    Show

  • Configure IPv6 Settings if Necessary

    A major feature of IPv6 is the extent to which systems implementing it can automatically configure their networking devices using information from the network. From a security perspective, manually...
    Group
    Show

  • net.ipv6.conf.all.accept_ra_defrtr

    Accept default router in router advertisements?
    Value
    Show

  • net.ipv6.conf.all.accept_ra_pinfo

    Accept prefix information in router advertisements?
    Value
    Show

  • net.ipv6.conf.all.accept_ra_rtr_pref

    Accept router preference in router advertisements?
    Value
    Show

  • net.ipv6.conf.all.accept_ra

    Accept all router advertisements?
    Value
    Show

  • net.ipv6.conf.all.accept_redirects

    Toggle ICMP Redirect Acceptance
    Value
    Show

  • net.ipv6.conf.all.accept_source_route

    Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.
    Value
    Show

  • net.ipv6.conf.all.autoconf

    Enable auto configuration on IPv6 interfaces
    Value
    Show

  • net.ipv6.conf.all.forwarding

    Toggle IPv6 Forwarding
    Value
    Show

  • net.ipv6.conf.all.max_addresses

    Maximum number of autoconfigured IPv6 addresses
    Value
    Show

  • net.ipv6.conf.all.router_solicitations

    Accept all router solicitations?
    Value
    Show

  • net.ipv6.conf.default.accept_source_route

    Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.
    Value
    Show

  • net.ipv6.conf.default.autoconf

    Enable auto configuration on IPv6 interfaces
    Value
    Show

  • net.ipv6.conf.default.max_addresses

    Maximum number of autoconfigured IPv6 addresses
    Value
    Show

  • net.ipv6.conf.default.router_solicitations

    Accept all router solicitations by default?
    Value
    Show

  • Manually Assign IPv6 Router Address

    Edit the file <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i> </code>, and add or correct the following line (substituting your gateway IP as appropriate): <pre>IPV6_DEFAULTGW=...
    Rule Unknown Severity
    Show

  • Use Privacy Extensions for Address

    To introduce randomness into the automatic generation of IPv6 addresses, add or correct the following line in <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i> </code>: <pre>IPV6...
    Rule Unknown Severity
    Show

  • Manually Assign Global IPv6 Address

    To manually assign an IP address for an interface, edit the file <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i> </code>. Add or correct the following line (substituting the co...
    Rule Unknown Severity
    Show

  • Configure Accepting Router Advertisements on All IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.accept_ra</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0</pre> To make sure that th...
    Rule Medium Severity
    Show

  • Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.accept_ra_defrtr</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_ra_defrtr=0</pre> To mak...
    Rule Unknown Severity
    Show

  • Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.accept_ra_pinfo</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0</pre> To make ...
    Rule Unknown Severity
    Show

  • Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.accept_ra_rtr_pref</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_ra_rtr_pref=0</pre> To...
    Rule Unknown Severity
    Show

  • Disable Accepting ICMP Redirects for All IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0</pre> To mak...
    Rule Medium Severity
    Show

  • Configure Auto Configuration on All IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.autoconf</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.autoconf=0</pre> To make sure that the ...
    Rule Unknown Severity
    Show

  • Disable Kernel Parameter for IPv6 Forwarding

    To set the runtime status of the <code>net.ipv6.conf.all.forwarding</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.forwarding=0</pre> To make sure that ...
    Rule Medium Severity
    Show

  • Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.max_addresses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.max_addresses=1</pre> To make sure...
    Rule Unknown Severity
    Show

  • Configure Denying Router Solicitations on All IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.router_solicitations</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.router_solicitations=0</pre...
    Rule Unknown Severity
    Show

  • Disable Accepting Router Advertisements on all IPv6 Interfaces by Default

    To set the runtime status of the <code>net.ipv6.conf.default.accept_ra</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0</pre> To make sure...
    Rule Medium Severity
    Show

  • Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default

    To set the runtime status of the <code>net.ipv6.conf.default.accept_ra_defrtr</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_ra_defrtr=0</pre...
    Rule Unknown Severity
    Show

  • Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default

    To set the runtime status of the <code>net.ipv6.conf.default.accept_ra_pinfo</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_ra_pinfo=0</pre> ...
    Rule Unknown Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules