Skip to content
Log In

Guide to the Secure Configuration of Oracle Linux 7

Rules, Groups, and Values defined within the XCCDF Benchmark

  • System Settings

    Contains rules that check correct system settings.
    Group
    Show

  • Installing and Maintaining Software

    The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.
    Group
    Show

  • Prefer to use a 64-bit Operating System when supported

    Prefer installation of 64-bit operating systems when the CPU supports it.
    Rule Medium Severity
    Show

  • System and Software Integrity

    System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software, enabling SELinux, installing an Intrusion Prevent...
    Group
    Show

  • Disable Prelinking

    The prelinking feature changes binaries in an attempt to decrease their startup time. In order to disable it, change or add the following line inside the file <code>/etc/sysconfig/prelink</code>: <...
    Rule Medium Severity
    Show

  • net.ipv6.conf.default.accept_ra_pinfo

    Accept prefix information in router advertisements?
    Value
    Show

  • net.ipv6.conf.default.accept_ra_rtr_pref

    Accept router preference in router advertisements?
    Value
    Show

  • net.ipv6.conf.default.accept_ra

    Accept default router advertisements by default?
    Value
    Show

  • net.ipv6.conf.default.accept_redirects

    Toggle ICMP Redirect Acceptance By Default
    Value
    Show

  • Install Intrusion Detection Software

    The base Oracle Linux 7 platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities ...
    Rule High Severity
    Show

  • McAfee Endpoint Security Software

    In DoD environments, McAfee Host-based Security System (HBSS) and VirusScan Enterprise for Linux (VSEL) is required to be installed on all systems.
    Group
    Show

  • Install McAfee Virus Scanning Software

    Install McAfee VirusScan Enterprise for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem.
    Rule High Severity
    Show

  • McAfee Host-Based Intrusion Detection Software (HBSS)

    McAfee Host-based Security System (HBSS) is a suite of software applications used to monitor, detect, and defend computer networks and systems.
    Group
    Show

  • Sudo - passwd_timeout value

    Defines the number of minutes before the sudo password prompt times out. Defining 0 means no timeout. The default timeout value is 5 minutes.
    Value
    Show

  • Install the McAfee Runtime Libraries and Linux Agent

    Install the McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma).
    Rule Medium Severity
    Show

  • Set Password Hashing Algorithm

    The system's default algorithm for storing password hashes in /etc/shadow is SHA-512. This can be configured in several locations.
    Group
    Show

  • Sudo - timestamp_timeout value

    Defines the number of minutes that can elapse before <code>sudo</code> will ask for a passwd again. If set to a value less than 0 the user's time stamp will never expire. Defining 0 means always pr...
    Value
    Show

  • Integrity Scan Notification Email Address

    Specify the email address for designated personnel if baseline configurations are changed in an unauthorized manner.
    Value
    Show

  • Verify Integrity with RPM

    The RPM package management system includes the ability to verify the integrity of installed packages by comparing the installed files with information about the files taken from the package metadat...
    Group
    Show

  • Verify Integrity with AIDE

    AIDE conducts integrity checks by comparing information about files with previously-gathered information. Ideally, the AIDE database is created immediately after initial system configuration, and t...
    Group
    Show

  • Install AIDE

    The aide package can be installed with the following command: 
    $ sudo yum install aide
    Rule Medium Severity
    Show

  • Build and Test AIDE Database

    Run the following command to generate a new database: <pre>$ sudo /usr/sbin/aide --init</pre> By default, the database will be written to the file <code>/var/lib/aide/aide.db.new.gz</code>. Sto...
    Rule Medium Severity
    Show

  • Configure Notification of Post-AIDE Scan Details

    AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in <code>/etc/crontab</code>, append the fo...
    Rule Medium Severity
    Show

  • Sudo - umask value

    Specify the sudo umask to use. The actual umask value that is used is the union of the user's umask and the sudo umask. The default sudo umask is 0022. This guarantess sudo never lowers the umask w...
    Value
    Show

  • System Cryptographic Policies

    Linux has the capability to centrally configure cryptographic polices. The command <code>update-crypto-policies</code> is used to set the policy applicable for the various cryptographic back-ends, ...
    Group
    Show

  • Configure AIDE to Use FIPS 140-2 for Validating Hashes

    By default, the <code>sha512</code> option is added to the <code>NORMAL</code> ruleset in AIDE. If using a custom ruleset or the <code>sha512</code> option is missing, add <code>sha512</code> to th...
    Rule Medium Severity
    Show

  • Configure AIDE to Verify Extended Attributes

    By default, the <code>xattrs</code> option is added to the <code>FIPSR</code> ruleset in AIDE. If using a custom ruleset or the <code>xattrs</code> option is missing, add <code>xattrs</code> to the...
    Rule Low Severity
    Show

  • Install the dracut-fips-aesni Package

    To enable FIPS on system that support the Advanced Encryption Standard (AES) or New Instructions (AES-NI) engine, the system requires that the <code>dracut-fips-aesni</code> package be installed. T...
    Rule Medium Severity
    Show

  • Install the dracut-fips Package

    To enable FIPS, the system requires that the <code>dracut-fips</code> package be installed. The <code>dracut-fips</code> package can be installed with the following command: <pre> $ sudo yum instal...
    Rule Medium Severity
    Show

  • Ensure '/etc/system-fips' exists

    On a system where FIPS mode is enabled, /etc/system-fips must exist. To enable FIPS mode, run the following command: 
    fips-mode-setup --enable
    Rule High Severity
    Show

  • Harden SSH client Crypto Policy

    Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH client. To override the system wide crypto policy for Openssh client, place a file ...
    Rule Medium Severity
    Show

  • Harden SSHD Crypto Policy

    Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH server. The SSHD service is by default configured to modify its configuration based...
    Rule Medium Severity
    Show

  • Operating System Vendor Support and Certification

    The assurance of a vendor to provide operating system support and maintenance for their product is an important criterion to ensure product stability and security over the life of the product. A ce...
    Group
    Show

  • The Installed Operating System Is FIPS 140-2 Certified

    To enable processing of sensitive information the operating system must provide certified cryptographic modules compliant with FIPS 140-2 standard.
    Rule High Severity
    Show

  • The Installed Operating System Is Vendor Supported

    The installed operating system must be maintained by a vendor. Oracle Linux is supported by Oracle Corporation. As the Oracle Linux vendor, Oracle Corporation is responsible for providing security...
    Rule High Severity
    Show

  • Endpoint Protection Software

    Endpoint protection security software that is not provided or supported by Oracle Corporation can be installed to provide complementary or duplicative security capabilities to those provided by t...
    Group
    Show

  • Configure Backups of User Data

    The operating system must conduct backups of user data contained in the operating system. The operating system provides utilities for automating backups of user data. Commercial and open-source pro...
    Rule Medium Severity
    Show

  • Install Virus Scanning Software

    Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. The virus scanning software should be configu...
    Rule High Severity
    Show

  • Account Lockouts Must Be Logged

    PAM faillock locks an account due to excessive password failures, this event must be logged.
    Rule Medium Severity
    Show

  • Install the Host Intrusion Prevention System (HIPS) Module

    Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely necessary. If SELinux is enabled, do not install or enable this module.
    Rule Medium Severity
    Show

  • Install the Asset Configuration Compliance Module (ACCM)

    Install the Asset Configuration Compliance Module (ACCM).
    Rule Medium Severity
    Show

  • Install the Policy Auditor (PA) Module

    Install the Policy Auditor (PA) Module.
    Rule Medium Severity
    Show

  • Encrypt Partitions

    Oracle Linux 7 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. <br> ...
    Rule High Severity
    Show

  • Ensure /boot Located On Separate Partition

    It is recommended that the <code>/boot</code> directory resides on a separate partition. This makes it easier to apply restrictions e.g. through the <code>noexec</code> mount option. Eventually, th...
    Rule Medium Severity
    Show

  • Ensure /home Located On Separate Partition

    If user home directories will be stored locally, create a separate partition for <code>/home</code> at installation time (or migrate it later using LVM). If <code>/home</code> will be mounted from ...
    Rule Low Severity
    Show

  • Ensure /opt Located On Separate Partition

    It is recommended that the /opt directory resides on a separate partition.
    Rule Medium Severity
    Show

  • Ensure /srv Located On Separate Partition

    If a file server (FTP, TFTP...) is hosted locally, create a separate partition for <code>/srv</code> at installation time (or migrate it later using LVM). If <code>/srv</code> will be mounted from ...
    Rule Unknown Severity
    Show

  • Ensure /tmp Located On Separate Partition

    The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
    Rule Low Severity
    Show

  • Ensure /usr Located On Separate Partition

    It is recommended that the /usr directory resides on a separate partition.
    Rule Medium Severity
    Show

  • Ensure /var Located On Separate Partition

    The <code>/var</code> directory is used by daemons and other system services to store frequently-changing data. Ensure that <code>/var</code> has its own partition or logical volume at installation...
    Rule Low Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules