Guide to the Secure Configuration of Oracle Linux 9
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Set Account Expiration Following Inactivity in password-auth
Verify the account identifiers (individuals, groups, roles, and devices) are disabled after <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_valu...Rule Medium Severity -
Set Account Expiration Following Inactivity in system-auth
Verify the account identifiers (individuals, groups, roles, and devices) are disabled after <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_valu...Rule Medium Severity -
Set Account Expiration Following Inactivity
To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the fo...Rule Medium Severity -
Assign Expiration Date to Emergency Accounts
Emergency accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. In...Rule Medium Severity -
Assign Expiration Date to Temporary Accounts
Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event tempo...Rule Medium Severity -
Ensure All Accounts on the System Have Unique Names
Ensure accounts on the system have unique names. To ensure all accounts have unique names, run the following command: <pre>$ sudo getent passwd | ...Rule Medium Severity -
Use Centralized and Automated Authentication
Implement an automated system for managing user accounts that minimizes the risk of errors, either intentional or deliberate. This system should in...Rule Medium Severity -
Set Password Expiration Parameters
The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>...Group -
maximum password age
Maximum age of password in daysValue -
minimum password age
Minimum age of password in daysValue -
minimum password length
Minimum number of characters in passwordValue -
warning days before password expires
The number of days' warning given before a password expires.Value -
Set Password Maximum Age
To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MAX_D...Rule Medium Severity -
Set Password Minimum Age
To specify password minimum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_D...Rule Medium Severity -
Set Password Minimum Length in login.defs
To specify password length requirements for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PA...Rule Medium Severity -
Set Existing Passwords Maximum Age
Configure non-compliant accounts to enforce a <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="le...Rule Medium Severity -
Verify No netrc Files Exist
The <code>.netrc</code> files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files ma...Rule Medium Severity -
Ensure the Logon Failure Delay is Set Correctly in login.defs
To ensure the logon failure delay controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>FAIL_DELAY</code> setting in...Rule Medium Severity -
Verify Proper Storage and Existence of Password Hashes
By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be re...Group -
Password Hashing algorithm
Specify the number of SHA rounds for the system password encryption algorithm. Defines the value set in <code>/etc/pam.d/system-auth</code> and <co...Value -
Verify All Account Password Hashes are Shadowed
If any password hashes are stored in <code>/etc/passwd</code> (in the second field, instead of an <code>x</code> or <code>*</code>), the cause of t...Rule Medium Severity -
Verify All Account Password Hashes are Shadowed with SHA512
Verify the operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptograp...Rule Medium Severity -
Ensure all users last password change date is in the past
All users should have a password change date in the past.Rule Medium Severity -
Set number of Password Hashing Rounds - password-auth
Configure the number or rounds for the password hashing algorithm. This can be accomplished by using the <code>rounds</code> option for the <code>p...Rule Medium Severity -
Set number of Password Hashing Rounds - system-auth
Configure the number or rounds for the password hashing algorithm. This can be accomplished by using the <code>rounds</code> option for the <code>p...Rule Medium Severity -
All GIDs referenced in /etc/passwd must be defined in /etc/group
Add a group to the system for each GID referenced without a corresponding group.Rule Low Severity -
Prevent Login to Accounts With Empty Password
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without ...Rule High Severity -
Ensure There Are No Accounts With Blank or Null Passwords
Check the "/etc/shadow" file for blank passwords with the following command: <pre>$ sudo awk -F: '!$2 {print $1}' /etc/shadow</pre> If the command ...Rule High Severity -
Secure Session Configuration Files for Login Accounts
When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the...Group -
Restrict Root Logins
Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivil...Group -
Group Name Used by pam_wheel Group Parameter
pam_wheel module has a parameter called group, which controls which groups can access the su command. This variable holds the valid value for the p...Value -
Verify Only Root Has UID 0
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or h...Rule High Severity -
Verify Root Has A Primary GID 0
Therootuser should have a primary group of 0.Rule High Severity -
Direct root Logins Not Allowed
To further limit access to the <code>root</code> account, administrators can disable root logins at the console by editing the <code>/etc/securetty...Rule Medium Severity -
Ensure that System Accounts Are Locked
Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. An attacker should not be abl...Rule Medium Severity -
Ensure that System Accounts Do Not Run a Shell Upon Login
Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. Should an attacker be able to...Rule Medium Severity -
Restrict Serial Port Root Logins
To restrict root logins on serial ports, ensure lines of this form do not appear in/etc/securetty:ttyS0 ttyS1
Rule Medium Severity -
Restrict Virtual Console Root Logins
To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in <code>/etc/securetty</code>: <...Rule Medium Severity -
Enforce usage of pam_wheel for su authentication
To ensure that only users who are members of the <code>wheel</code> group can run commands with altered privileges through the <code>su</code> comm...Rule Medium Severity -
Ensure All User Initialization Files Have Mode 0740 Or Less Permissive
Set the mode of the user initialization files to <code>0740</code> with the following command: <pre>$ sudo chmod 0740 /home/<i>USER</i>/.<i>INIT_FI...Rule Medium Severity -
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive
Change the mode of interactive users home directories to <code>0750</code>. To change the mode of interactive users home directory, use the followi...Rule Medium Severity -
Limit the Number of Concurrent Login Sessions Allowed Per User
Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions...Rule Low Severity -
Configure Polyinstantiation of /tmp Directories
To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use th...Rule Low Severity -
Configure Polyinstantiation of /var/tmp Directories
To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use th...Rule Low Severity -
User Initialization Files Must Not Run World-Writable Programs
Set the mode on files being executed by the user initialization files with the following command:$ sudo chmod o-w FILE
Rule Medium Severity -
Ensure that Users Path Contains Only Local Directories
Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working dir...Rule Medium Severity -
All Interactive Users Must Have A Home Directory Defined
Assign home directories to all interactive users that currently do not have a home directory assigned. This rule checks if the home directory is p...Rule Medium Severity -
All Interactive Users Home Directories Must Exist
Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create t...Rule Medium Severity -
All Interactive User Home Directories Must Be Group-Owned By The Primary Group
Change the group owner of interactive users home directory to the group found in <code>/etc/passwd</code>. To change the group owner of interactive...Rule Medium Severity -
Audit failure mode
This variable is the setting for the -f option in Audit configuration which sets the failure mode of audit. This option lets you determine how you ...Value
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.