Guide to the Secure Configuration of Alibaba Cloud Linux 3
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Accounts Authorized Local Users on the Operating System
List the user accounts that are authorized locally on the operating system. This list includes both users requried by the operating system and by t...Value -
Ensure All Accounts on the System Have Unique User IDs
Change user IDs (UIDs), or delete accounts, so each has a unique name.Rule Medium Severity -
Set Account Expiration Parameters
Accounts can be configured to be automatically disabled after a certain time period, meaning that they will require administrator interaction to be...Group -
number of days after the last login of the user when the user will be locked out
'This option is specific for the auth or account phase. It specifies the number of days after the last login of the user when the user will be lock...Value -
number of days after a password expires until the account is permanently disabled
The number of days to wait after a password expires, until the account will be permanently disabled.Value -
Set Account Expiration Following Inactivity
To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the fo...Rule Medium Severity -
Ensure All Accounts on the System Have Unique Names
Ensure accounts on the system have unique names. To ensure all accounts have unique names, run the following command: <pre>$ sudo getent passwd | ...Rule Medium Severity -
Use Centralized and Automated Authentication
Implement an automated system for managing user accounts that minimizes the risk of errors, either intentional or deliberate. This system should in...Rule Medium Severity -
Set Password Expiration Parameters
The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>...Group -
maximum password age
Maximum age of password in daysValue -
minimum password age
Minimum age of password in daysValue -
minimum password length
Minimum number of characters in passwordValue -
warning days before password expires
The number of days' warning given before a password expires.Value -
conman_can_network SELinux Boolean
default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.Value -
Set Password Maximum Age
To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MAX_D...Rule Medium Severity -
Set Password Minimum Length in login.defs
To specify password length requirements for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PA...Rule Medium Severity -
Set Existing Passwords Maximum Age
Configure non-compliant accounts to enforce a <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="le...Rule Medium Severity -
Set Password Warning Age
To specify how many days prior to password expiration that a warning will be issued to users, edit the file <code>/etc/login.defs</code> and add or...Rule Medium Severity -
Verify Proper Storage and Existence of Password Hashes
By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be re...Group -
Password Hashing algorithm
Specify the number of SHA rounds for the system password encryption algorithm. Defines the value set in <code>/etc/pam.d/system-auth</code> and <co...Value
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.