Guide to the Secure Configuration of Oracle Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Inspect and Activate Default firewalld Rules
Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. <code>NetworkManager</code>...Group -
Install firewalld Package
Thefirewalldpackage can be installed with the following command:$ sudo yum install firewalld
Rule Medium Severity -
Verify firewalld Enabled
Thefirewalldservice can be enabled with the following command:$ sudo systemctl enable firewalld.service
Rule Medium Severity -
Strengthen the Default Ruleset
The default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in configuration files under the <code>/etc/firewalld/services</code> and <code>...Group -
Verify User Who Owns /etc/ipsec.secrets File
To properly set the owner of/etc/ipsec.secrets, run the command:$ sudo chown root /etc/ipsec.secrets
Rule Medium Severity -
Configure the Firewalld Ports
Configure the <code>firewalld</code> ports to allow approved services to have access to the system. To configure <code>firewalld</code> to open ports, run the following command: <pre>firewall-cmd -...Rule Medium Severity -
Configure Firewalld to Restrict Loopback Traffic
Configure <code>firewalld</code> to restrict loopback traffic to the <code>lo</code> interface. The loopback traffic must be trusted by assigning the <code>lo</code> interface to the <code>firewal...Rule Medium Severity -
Configure Firewalld to Trust Loopback Traffic
Assign loopback interface to the <code>firewalld</code> <code>trusted</code> zone in order to explicitly allow the loopback traffic in the system. To configure <code>firewalld</code> to t...Rule Medium Severity -
Set Default firewalld Zone for Incoming Packets
To set the default zone to <code>drop</code> for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following line in <code>/etc/firewalld/firewalld.conf</code> to...Rule Medium Severity -
Verify Group Who Owns /etc/ipsec.d Directory
To properly set the group owner of/etc/ipsec.d, run the command:$ sudo chgrp root /etc/ipsec.d
Rule Medium Severity -
Verify User Who Owns /etc/ipsec.d Directory
To properly set the owner of/etc/ipsec.d, run the command:$ sudo chown root /etc/ipsec.d
Rule Medium Severity -
Verify Permissions On /etc/ipsec.d Directory
To properly set the permissions of/etc/ipsec.d, run the command:$ sudo chmod 0700 /etc/ipsec.d
Rule Medium Severity -
Verify Group Who Owns /etc/ipsec.conf File
To properly set the group owner of/etc/ipsec.conf, run the command:$ sudo chgrp root /etc/ipsec.conf
Rule Medium Severity -
Verify Group Who Owns /etc/ipsec.secrets File
To properly set the group owner of/etc/ipsec.secrets, run the command:$ sudo chgrp root /etc/ipsec.secrets
Rule Medium Severity -
iptables and ip6tables
A host-based firewall called <code>netfilter</code> is included as part of the Linux kernel distributed with the system. It is activated by default. This firewall is controlled by the program <code...Group -
Install iptables Package
Theiptablespackage can be installed with the following command:$ sudo yum install iptables
Rule Medium Severity -
Verify Group Who Owns /etc/iptables Directory
To properly set the group owner of/etc/iptables, run the command:$ sudo chgrp root /etc/iptables
Rule Medium Severity -
Verify User Who Owns /etc/iptables Directory
To properly set the owner of/etc/iptables, run the command:$ sudo chown root /etc/iptables
Rule Medium Severity -
Verify Permissions On /etc/iptables Directory
To properly set the permissions of/etc/iptables, run the command:$ sudo chmod 0700 /etc/iptables
Rule Medium Severity -
Inspect and Activate Default Rules
View the currently-enforced <code>iptables</code> rules by running the command: <pre>$ sudo iptables -nL --line-numbers</pre> The command is analogous for <code>ip6tables</code>. <br> <br> ...Group -
Verify ip6tables Enabled if Using IPv6
Theip6tablesservice can be enabled with the following command:$ sudo systemctl enable ip6tables.service
Rule Medium Severity -
Verify iptables Enabled
Theiptablesservice can be enabled with the following command:$ sudo systemctl enable iptables.service
Rule Medium Severity -
Set Default ip6tables Policy for Incoming Packets
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in <code>/etc/sysconfig/ip6tables</code>: <pre...Rule Medium Severity -
Disable Accepting Packets Routed Between Local Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.accept_local</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_local=0</pre> To make sure t...Rule Medium Severity -
Strengthen the Default Ruleset
The default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in the configuration files <code>iptables</code> and <code>ip6tables</code> in t...Group -
Set Default iptables Policy for Forwarded Packets
To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line ...Rule Medium Severity -
Ensure IPv6 is disabled through kernel boot parameter
To disable IPv6 protocol support in the Linux kernel, add the argument <code>ipv6.disable=1</code> to the default GRUB2 command line for the Linux operating system. To ensure that <code>ipv6.disabl...Rule Low Severity -
Manually Assign IPv6 Router Address
Edit the file <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i> </code>, and add or correct the following line (substituting your gateway IP as appropriate): <pre>IPV6_DEFAULTGW=...Rule Unknown Severity -
Configure Accepting Router Advertisements on All IPv6 Interfaces
To set the runtime status of the <code>net.ipv6.conf.all.accept_ra</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0</pre> To make sure that th...Rule Medium Severity -
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
To set the runtime status of the <code>net.ipv6.conf.all.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0</pre> ...Rule Medium Severity -
Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default
To set the runtime status of the <code>net.ipv6.conf.default.accept_ra_pinfo</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_ra_pinfo=0</pre> ...Rule Unknown Severity -
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
To set the runtime status of the <code>net.ipv6.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=...Rule Medium Severity -
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0</pre> ...Rule Medium Severity -
Configure Response Mode of ARP Requests for All IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.arp_ignore</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.arp_ignore=<xccdf-1.2:sub idref="xccd...Rule Medium Severity -
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.default.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0</pre...Rule Medium Severity -
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
To set the runtime status of the <code>net.ipv4.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=...Rule Medium Severity -
Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments
Make sure that the system is configured to limit the maximal rate for sending duplicate acknowledgments in response to incoming TCP packets that are for an existing connection but that are invalid ...Rule Medium Severity -
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
To set the runtime status of the <code>net.ipv4.conf.default.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0</pre> To...Rule Medium Severity -
Install nftables Package
nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Ne...Rule Medium Severity -
Deactivate Wireless Network Interfaces
Deactivating wireless network interfaces should prevent normal usage of the wireless capability. <br> <br> Configure the system to disable all wireless network interfaces with the followi...Rule Medium Severity -
Verify that All World-Writable Directories Have Sticky Bits Set
When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may ...Rule Medium Severity -
Verify that system commands directories have root as a group owner
System commands are stored in the following directories: by default: <pre>/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin </pre> All these directories should have <code>root</code...Rule Medium Severity -
Verify that system commands directories have root ownership
System commands are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin </pre> All these directories should be owned by the <code>...Rule Medium Severity -
Verify Group Who Owns /etc/crypttab File
To properly set the group owner of/etc/crypttab, run the command:$ sudo chgrp root /etc/crypttab
Rule Medium Severity -
Verify Group Who Owns System.map Files
The System.map files are symbol map files generated during the compilation of the Linux kernel. They contain the mapping between kernel symbols and their corresponding memory addresses. These files...Rule Low Severity -
Verify User Who Owns /etc/crypttab File
To properly set the owner of/etc/crypttab, run the command:$ sudo chown root /etc/crypttab
Rule Medium Severity -
Verify User Who Owns System.map Files
The System.map files are symbol map files generated during the compilation of the Linux kernel. They contain the mapping between kernel symbols and their corresponding memory addresses. These files...Rule Low Severity -
Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.
System-wide library files are stored in the following directories by default: <pre>/lib /lib64 /usr/lib /usr/lib64 </pre> All system-wide shared library files should be protected from unauthorised ...Rule Medium Severity -
Disable Mounting of jffs2
To configure the system to prevent the <code>jffs2</code> kernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/jffs2.conf</code>: <pre>install jffs2 /bin/false...Rule Low Severity -
Disable Mounting of squashfs
To configure the system to prevent the <code>squashfs</code> kernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/squashfs.conf</code>: <pre>install squashfs /...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.