Guide to the Secure Configuration of Oracle Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Ensure Users Cannot Change GNOME3 Screensaver Idle Activation
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding <pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre> to <code>/etc/dconf/db/local....Rule Medium Severity -
PAM pwhistory remember - control flag
'Specify the control flag required for password remember requirement. If multiple values are allowed write them separated by commas as in "required,requisite", for remediations the first value will...Value -
Enable GNOME3 Screensaver Lock After Idle Period
To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set <code>lock-enabled</code> to <code>true</code> in <code>/etc/dconf/db/local.d/00-security-settings</co...Rule Medium Severity -
Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding <pre>/org/gnome/desktop/screensaver/lock-enabled</pre> to <code>/etc/dconf/db/local.d/locks/00-...Rule Medium Severity -
Implement Blank Screensaver
To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set <code>picture-uri</code> to <code>string ''</code> in <code>/etc/dconf/db/local.d/00-security-settings</code>. For...Rule Medium Severity -
Disable Full User Name on Splash Shield
By default when the screen is locked, the splash shield will show the user's full name. This should be disabled to prevent casual observers from seeing who has access to the system. This can be dis...Rule Medium Severity -
Ensure Users Cannot Change GNOME3 Screensaver Settings
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding <code>/org/gnome/desktop/screensaver/lock-delay</code> to <code>/etc/dconf/db/local.d/locks/00-...Rule Medium Severity -
Sudo - timestamp_timeout value
Defines the number of minutes that can elapse before <code>sudo</code> will ask for a passwd again. If set to a value less than 0 the user's time stamp will never expire. Defining 0 means always pr...Value -
Sudo - umask value
Specify the sudo umask to use. The actual umask value that is used is the union of the user's umask and the sudo umask. The default sudo umask is 0022. This guarantess sudo never lowers the umask w...Value -
Ensure Users Cannot Change GNOME3 Session Idle Settings
If not already configured, ensure that users cannot change GNOME3 session idle settings by adding <code>/org/gnome/desktop/session/idle-delay</code> to <code>/etc/dconf/db/local.d/locks/00-security...Rule Medium Severity -
GNOME System Settings
GNOME provides configuration and functionality to a graphical desktop environment that changes grahical configurations or allow a user to perform actions that users normally would not be able to do...Group -
Disable Geolocation in GNOME3
<code>GNOME</code> allows the clock and applications to track and access location information. This setting should be disabled as applications should not track system location. To configure the sys...Rule Medium Severity -
Disable User Administration in GNOME3
By default, <code>GNOME</code> will allow all users to have some administratrion capability. This should be disabled so that non-administrative users are not making configuration changes. To config...Rule High Severity -
Sudo
<code>Sudo</code>, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrators. When configured for system users and/or groups...Group -
Group name dedicated to the use of sudo
Specify the name of the group that should own /usr/bin/sudo.Value -
Sudo - logfile value
Specify the sudo logfile to use. The default value used here matches the example location from CIS, which uses /var/log/sudo.log.Value -
Sudo - passwd_timeout value
Defines the number of minutes before thesudopassword prompt times out. Defining 0 means no timeout. The default timeout value is 5 minutes.Value -
tally2
Number of failed login attemptsValue -
Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
The sudo <code>ignore_dot</code> tag, when specified, will ignore the current directory in the PATH environment variable. On Oracle Linux 8, <code>ignore_dot</code> is enabled by default This shoul...Rule Medium Severity -
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
The sudo <code>NOEXEC</code> tag, when specified, prevents user executed commands from executing other commands, like a shell for example. This should be enabled by making sure that the <code>NOEXE...Rule High Severity -
Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout
The sudo <code>passwd_timeout</code> tag sets the amount of time sudo password prompt waits. On Oracle Linux 8, the default <code>passwd_timeout</code> value is 5 minutes. The passwd_timeout shoul...Rule Medium Severity -
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
The sudo <code>requiretty</code> tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the <code>requiretty</code> tag ...Rule Medium Severity -
Ensure sudo umask is appropriate - sudo umask
The sudo <code>umask</code> tag, when specified, will be added the to the user's umask in the command environment. On Oracle Linux 8, the default <code>umask</code> value is 0022. The umask should...Rule Medium Severity -
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
The sudo <code>use_pty</code> tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the <code>use_pty</code> tag exists...Rule Medium Severity -
Ensure Sudo Logfile Exists - sudo logfile
A custom log sudo file can be configured with the 'logfile' tag. This rule configures a sudo custom logfile at the default location suggested by CIS, which uses /var/log/sudo.log.Rule Low Severity -
Ensure a dedicated group owns sudo
Restrict the execution of privilege escalated commands to a dedicated group of users. Ensure the group owner of /usr/bin/sudo is <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2...Rule Medium Severity -
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the <code>!authe...Rule Medium Severity -
Uninstall abrt-addon-ccpp Package
Theabrt-addon-ccpppackage can be removed with the following command:$ sudo yum erase abrt-addon-ccpp
Rule Low Severity -
Ensure Users Re-Authenticate for Privilege Escalation - sudo
The sudo <code>NOPASSWD</code> and <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making ...Rule Medium Severity -
The operating system must restrict privilege elevation to authorized personnel
The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file...Rule Medium Severity -
Only the VDSM User Can Use sudo NOPASSWD
The sudo <code>NOPASSWD</code> tag, when specified, allows a user to execute commands using sudo without having to authenticate. Only the <code>vdsm</code> user should have this capability in any s...Rule Medium Severity -
Ensure sudo only includes the default configuration directory
Administrators can configure authorized <code>sudo</code> users via drop-in files, and it is possible to include other directories and configuration files from the file currently being parsed. Mak...Rule Medium Severity -
Explicit arguments in sudo specifications
All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user. If the command is supposed to be executed only without arguments, pass "" as an argument in...Rule Medium Severity -
Don't define allowed commands in sudoers by means of exclusion
Policies applied by sudo through the sudoers file should not involve negation. Each user specification in the <code>sudoers</code> file contains a comma-delimited list of command specifications. T...Rule Medium Severity -
Ensure gpgcheck Enabled for Repository Metadata
Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification of the repository metadata. Ch...Rule High Severity -
Don't target root user in the sudoers file
The targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root). User specifications have to explicitly list the runas spec (i.e. the list of targe...Rule Medium Severity -
System Tooling / Utilities
The following checks evaluate the system for recommended base packages -- both for installation and removal.Group -
Install binutils Package
Thebinutilspackage can be installed with the following command:$ sudo yum install binutils
Rule Medium Severity -
Ensure gnutls-utils is installed
Thegnutls-utilspackage can be installed with the following command:$ sudo yum install gnutls-utils
Rule Medium Severity -
Install libcap-ng-utils Package
Thelibcap-ng-utilspackage can be installed with the following command:$ sudo yum install libcap-ng-utils
Rule Medium Severity -
Ensure nss-tools is installed
Thenss-toolspackage can be installed with the following command:$ sudo yum install nss-tools
Rule Medium Severity -
Install openscap-scanner Package
Theopenscap-scannerpackage can be installed with the following command:$ sudo yum install openscap-scanner
Rule Medium Severity -
Install rear Package
Therearpackage can be installed with the following command:$ sudo yum install rear
Rule Medium Severity -
Install rng-tools Package
Therng-toolspackage can be installed with the following command:$ sudo yum install rng-tools
Rule Low Severity -
Install scap-security-guide Package
Thescap-security-guidepackage can be installed with the following command:$ sudo yum install scap-security-guide
Rule Medium Severity -
Install tar Package
Thetarpackage can be installed with the following command:$ sudo yum install tar
Rule Medium Severity -
Uninstall abrt-addon-python Package
Theabrt-addon-pythonpackage can be removed with the following command:$ sudo yum erase abrt-addon-python
Rule Low Severity -
Uninstall abrt-cli Package
Theabrt-clipackage can be removed with the following command:$ sudo yum erase abrt-cli
Rule Low Severity -
Uninstall abrt-libs Package
Theabrt-libspackage can be removed with the following command:$ sudo yum erase abrt-libs
Rule Medium Severity -
Uninstall abrt-plugin-logger Package
Theabrt-plugin-loggerpackage can be removed with the following command:$ sudo yum erase abrt-plugin-logger
Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.