Guide to the Secure Configuration of Oracle Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Configure file name of core dumps
To set the runtime status of the <code>kernel.core_uses_pid</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.core_uses_pid=0</pre> To make sure that the setting is p...Rule Medium Severity -
Configure maximum number of process identifiers
To set the runtime status of the <code>kernel.pid_max</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.pid_max=65536</pre> To make sure that the setting is persisten...Rule Medium Severity -
Restrict usage of ptrace to descendant processes
To set the runtime status of the <code>kernel.yama.ptrace_scope</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.yama.ptrace_scope=1</pre> To make sure that the sett...Rule Medium Severity -
Disable Core Dumps for All Users
To disable core dumps for all users, add the following line to <code>/etc/security/limits.conf</code>, or to a file within the <code>/etc/security/limits.d/</code> directory: <pre>* hard core...Rule Medium Severity -
Disable Core Dumps for SUID programs
To set the runtime status of the <code>fs.suid_dumpable</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.suid_dumpable=0</pre> To make sure that the setting is persisten...Rule Medium Severity -
Enable page allocator poisoning
To enable poisoning of free pages, add the argument <code>page_poison=1</code> to the default GRUB 2 command line for the Linux operating system. To ensure that <code>page_poison=1</code> is added ...Rule Medium Severity -
Enable SLUB/SLAB allocator poisoning
To enable poisoning of SLUB/SLAB objects, add the argument <code>slub_debug=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_slub_debug_options" use="legacy"></xccdf-1.2:sub> <...Rule Medium Severity -
Install policycoreutils Package
Thepolicycoreutilspackage can be installed with the following command:$ sudo yum install policycoreutils
Rule Low Severity -
Verify Group Who Owns /etc/selinux Directory
To properly set the group owner of/etc/selinux, run the command:$ sudo chgrp root /etc/selinux
Rule Medium Severity -
Verify User Who Owns /etc/selinux Directory
To properly set the owner of/etc/selinux, run the command:$ sudo chown root /etc/selinux
Rule Medium Severity -
Verify Permissions On /etc/selinux Directory
To properly set the permissions of/etc/selinux, run the command:$ sudo chmod 0755 /etc/selinux
Rule Medium Severity -
Verify Group Who Owns /etc/sestatus.conf File
To properly set the group owner of/etc/sestatus.conf, run the command:$ sudo chgrp root /etc/sestatus.conf
Rule Medium Severity -
Verify User Who Owns /etc/sestatus.conf File
To properly set the owner of/etc/sestatus.conf, run the command:$ sudo chown root /etc/sestatus.conf
Rule Medium Severity -
Verify Permissions On /etc/sestatus.conf File
To properly set the permissions of/etc/sestatus.conf, run the command:$ sudo chmod 0644 /etc/sestatus.conf
Rule Medium Severity -
Configure SELinux Policy
The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct ...Rule Medium Severity -
Map System Users To The Appropriate SELinux Role
Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. ...Rule Medium Severity -
Disable the ssh_sysadm_login SELinux Boolean
By default, the SELinux boolean <code>ssh_sysadm_login</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>ssh_sysadm_login</code> SELinux boolean, run the ...Rule Medium Severity -
Disable the xguest_mount_media SELinux Boolean
By default, the SELinux boolean <code>xguest_mount_media</code> is enabled. This setting should be disabled as guest users should not be able to mount any media. To disable the <code>xguest_mount_...Rule Medium Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Oracle Linux 8 installs on a system and disable software which is n...Group -
Disable Automatic Bug Reporting Tool (abrtd)
The Automatic Bug Reporting Tool (<code>abrtd</code>) daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to syst...Rule Medium Severity -
Disable KDump Kernel Crash Analyzer (kdump)
The <code>kdump</code> service provides a kernel crash dump analyzer. It uses the <code>kexec</code> system call to boot a secondary kernel ("capture" kernel) following a system crash, which can lo...Rule Medium Severity -
Disable Network Router Discovery Daemon (rdisc)
The <code>rdisc</code> service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered the...Rule Medium Severity -
Disable At Service (atd)
The <code>at</code> and <code>batch</code> commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it ...Rule Medium Severity -
Verify Group Who Owns cron.d
To properly set the group owner of/etc/cron.d, run the command:$ sudo chgrp root /etc/cron.d
Rule Medium Severity -
Verify Group Who Owns cron.daily
To properly set the group owner of/etc/cron.daily, run the command:$ sudo chgrp root /etc/cron.daily
Rule Medium Severity -
Verify Group Who Owns cron.hourly
To properly set the group owner of/etc/cron.hourly, run the command:$ sudo chgrp root /etc/cron.hourly
Rule Medium Severity -
Restrict at and cron to Authorized Users if Necessary
The <code>/etc/cron.allow</code> and <code>/etc/at.allow</code> files contain lists of users who are allowed to use <code>cron</code> and at to delay execution of processes. If these files exist an...Group -
Ensure that /etc/at.deny does not exist
The file/etc/at.denyshould not exist. Use/etc/at.allowinstead.Rule Medium Severity -
Ensure that /etc/cron.deny does not exist
The file/etc/cron.denyshould not exist. Use/etc/cron.allowinstead.Rule Medium Severity -
Verify Group Who Owns /etc/at.allow file
If <code>/etc/at.allow</code> exists, it must be group-owned by <code>root</code>. To properly set the group owner of <code>/etc/at.allow</code>, run the command: <pre>$ sudo chgrp root /etc/at.al...Rule Medium Severity -
Verify Permissions on /etc/at.allow file
If <code>/etc/at.allow</code> exists, it must have permissions <code>0640</code> or more restrictive. To properly set the permissions of <code>/etc/at.allow</code>, run the command: <pre>$ sudo c...Rule Medium Severity -
Verify Permissions on /etc/cron.allow file
If <code>/etc/cron.allow</code> exists, it must have permissions <code>0640</code> or more restrictive. To properly set the permissions of <code>/etc/cron.allow</code>, run the command: <pre>$ su...Rule Medium Severity -
Minimize the DHCP-Configured Options
Create the file <code>/etc/dhcp/dhclient.conf</code>, and add an appropriate setting for each of the ten configuration settings which can be obtained via DHCP. For each setting, do one of the follo...Rule Unknown Severity -
Install fapolicyd Package
Thefapolicydpackage can be installed with the following command:$ sudo yum install fapolicyd
Rule Medium Severity -
Enable the File Access Policy Service
The File Access Policy service should be enabled. Thefapolicydservice can be enabled with the following command:$ sudo systemctl enable fapolicyd.service
Rule Medium Severity -
Remove ftp Package
FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (perm...Rule Low Severity -
Configure Firewalls to Protect the FTP Server
By default, <code>iptables</code> blocks access to the ports used by the web server. To configure <code>iptables</code> to allow port 21 traffic, one must edit <code>/etc/sysconfig/iptables</code>...Rule Unknown Severity -
Ensure LDAP client is not installed
The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The <code>openldap-clients</code> package can be removed wit...Rule Low Severity -
Configure LDAP Client to Use TLS For All Transactions
This check verifies cryptography has been implemented to protect the integrity of remote LDAP authentication sessions. <br> <br> To determine if LDAP is being used for authentication, use t...Rule Medium Severity -
Configure Certificate Directives for LDAP Use of TLS
Ensure a copy of a trusted CA certificate has been placed in the file <code>/etc/pki/tls/CA/cacert.pem</code>. Configure LDAP to enforce TLS use and to trust certificates signed by that CA. First, ...Rule Medium Severity -
Mail Server Software
Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not r...Group -
Configure System to Forward All Mail From Postmaster to The Root Account
Verify the administrators are notified in the event of an audit processing failure. Check that the "/etc/aliases" file has a defined value for "root". <pre>$ sudo grep "postmaster:\s*root$" /etc/al...Rule Medium Severity -
Uninstall nfs-utils Package
Thenfs-utilspackage can be removed with the following command:$ sudo yum erase nfs-utils
Rule Low Severity -
Mount Remote Filesystems with Restrictive Options
Edit the file <code>/etc/fstab</code>. For each filesystem whose type (column 3) is <code>nfs</code> or <code>nfs4</code>, add the text <code>,nodev,nosuid</code> to the list of mount options in co...Group -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...Group -
Enable the NTP Daemon
Run the following command to determine the current status of the <code>chronyd</code> service: <pre>$ sudo systemctl is-active chronyd</pre> If the service is running, it should return the follo...Rule Medium Severity -
Enable the NTP Daemon
Thentpdservice can be enabled with the following command:$ sudo systemctl enable ntpd.service
Rule Medium Severity -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. M...Rule Medium Severity -
Chrony Configure Pool and Server
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. M...Rule Medium Severity -
Configure Time Service Maxpoll Interval
The <code>maxpoll</code> should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy"></xccdf-1.2:sub> in <code>/etc/ntp.conf</code> o...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules