Guide to the Secure Configuration of Oracle Linux 9
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SSSD LDAP Backend Client CA Certificate Location
Path of a directory that contains Certificate Authority certificates.Value -
USBGuard daemon
The USBGuard daemon enforces the USB device authorization policy for all USB devices.Group -
Install usbguard Package
Theusbguardpackage can be installed with the following command:$ sudo yum install usbguard
Rule Medium Severity -
Enable the USBGuard Service
The USBGuard service should be enabled. The <code>usbguard</code> service can be enabled with the following command: <pre>$ sudo systemctl enable ...Rule Medium Severity -
Log USBGuard daemon audit events using Linux Audit
To configure USBGuard daemon to log via Linux Audit (as opposed directly to a file), <code>AuditBackend</code> option in <code>/etc/usbguard/usbgua...Rule Low Severity -
Authorize Human Interface Devices and USB hubs in USBGuard daemon
To allow authorization of USB devices combining human interface device and hub capabilities by USBGuard daemon, add the line <code>allow with-inter...Rule Medium Severity -
Generate USBGuard Policy
By default USBGuard when enabled prevents access to all USB devices and this lead to inaccessible system if they use USB mouse/keyboard. To prevent...Rule Medium Severity -
X Window System
The X Window System implementation included with the system is called X.org.Group -
Disable graphical user interface
By removing the following packages, the system no longer has X Windows installed. <code>xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-serv...Rule Medium Severity -
Disable X Windows Startup By Setting Default Target
Systems that do not require a graphical user interface should only boot by default into <code>multi-user.target</code> mode. This prevents accident...Rule Medium Severity -
Introduction
The purpose of this guidance is to provide security configuration recommendations and baselines for the Oracle Linux 9 operating system. Recommende...Group -
General Principles
The following general principles motivate much of the advice in this guide and should also influence any configuration decisions that are not expli...Group -
Encrypt Transmitted Data Whenever Possible
Data transmitted over a network, whether wired or wireless, is susceptible to passive monitoring. Whenever practical solutions for encrypting such ...Group -
Least Privilege
Grant the least privilege necessary for user accounts and software to perform tasks. For example, <code>sudo</code> can be implemented to limit aut...Group -
Minimize Software to Minimize Vulnerability
The simplest way to avoid vulnerabilities in software is to avoid installing that software. On Oracle Linux 9,the RPM Package Manager (originally R...Group -
Run Different Network Services on Separate Systems
Whenever possible, a server should be dedicated to serving exactly one network service. This limits the number of other services that can be compro...Group -
Configure Security Tools to Improve System Robustness
Several tools exist which can be effectively used to improve a system's resistance to and detection of unknown attacks. These tools can improve rob...Group -
How to Use This Guide
Readers should heed the following points when using the guide.Group -
Formatting Conventions
Commands intended for shell execution, as well as configuration file text, are featured in a <code>monospace font</code>. <i>Italics</i> are used t...Group -
Root Shell Environment Assumed
Most of the actions listed in this document are written with the assumption that they will be executed by the root user running the <code>/bin/bash...Group -
Test in Non-Production Environment
This guidance should always be tested in a non-production environment before deployment. This test environment should simulate the setup in which t...Group -
389 Directory Server
389 Directory Server is a popular open-source LDAP server for Linux.Group -
SSH Strong MACs by FIPS
Specify the FIPS approved MACs (Message Authentication Code) algorithms that are used for data integrity protection by the SSH server.Value -
Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.forwarding</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.i...Rule Medium Severity -
Verify File Hashes with RPM
Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package m...Rule High Severity -
Verify and Correct Ownership with RPM
The RPM package management system can check file ownership permissions of installed software packages, including many that are important to system ...Rule High Severity -
Verify and Correct File Permissions with RPM
The RPM package management system can check file access permissions of installed software packages, including many that are important to system sec...Rule High Severity -
Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the ...Rule Medium Severity -
Ensure /dev/shm is configured
The <code>/dev/shm</code> is a traditional shared memory concept. One program will create a memory portion, which other processes (if permitted) ca...Rule Low Severity -
Ensure PAM Displays Last Logon/Access Notification
To configure the system to notify users of last logon/access using <code>pam_lastlog</code>, add or correct the <code>pam_lastlog</code> settings i...Rule Low Severity -
Network Manager
The NetworkManager daemon configures a variety of network connections. This section discusses how to configure NetworkManager.Group -
Lock Accounts After Failed Password Attempts
This rule configures the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>. pam_faillock.so...Rule Medium Severity -
Set Interactive Session Timeout
Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that all user sessions will terminate based on inactivity. The value of ...Rule Medium Severity -
Record Attempts to perform maintenance activities
The Oracle Linux 9 operating system must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions and other syst...Rule Medium Severity -
Ensure auditd Collects Information on Kernel Module Loading and Unloading
To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for b...Rule Medium Severity -
Record Attempts to Alter Logon and Logout Events
The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenr...Group -
NetoworkManager DNS Mode
This sets how NetworkManager handles DNS. none - NetworkManager will not modify resolv.conf. default - NetworkManager will update /etc/resolv.con...Value -
Enable SSH Server firewalld Firewall Exception
If the SSH server is in use, inbound connections to SSH's port should be allowed to permit remote access through SSH. In more restrictive firewalld...Rule Medium Severity -
Record Attempts to Alter Logon and Logout Events
The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenr...Rule Medium Severity -
Type of hostname to record the audit event
Type of hostname to record the audit eventValue -
Set type of computer node name logging in audit logs
To configure Audit daemon to use a unique identifier as computer node name in the audit events, set <code>name_format</code> to <code><xccdf-1.2:su...Rule Medium Severity -
Perform general configuration of Audit for OSPP
Configure some basic <code>Audit</code> parameters specific for OSPP profile. In particular, configure <code>Audit</code> to watch for direct modif...Rule Medium Severity -
Configure Microarchitectural Data Sampling mitigation
Microarchitectural Data Sampling (MDS) is a hardware vulnerability which allows unprivileged speculative access to data which is available in vario...Rule Medium Severity -
Restrict unprivileged access to the kernel syslog
Enforce restrictions on unprivileged users reading the kernel syslog via dmesg(8). The configuration that was used to build kernel is available at...Rule Medium Severity -
Disable mutable hooks
Ensure kernel structures associated with LSMs are always mapped as read-only after system boot. The configuration that was used to build kernel is...Rule Medium Severity -
Ensure Log Files Are Owned By Appropriate Group
The group-owner of all log files written by <code>rsyslog</code> should be <code>root</code>. These log files are determined by the second part of ...Rule Medium Severity -
Dectivate firewalld Rules
Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffi...Group -
Verify that All World-Writable Directories Have Sticky Bits Set
When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky b...Rule Medium Severity -
Ensure No World-Writable Files Exist
It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific a...Rule Medium Severity -
Ensure All Files Are Owned by a Group
If any file is not group-owned by a group present in /etc/group, the cause of the lack of group-ownership must be investigated. Following this, tho...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.