Skip to content
ATO Pathways
  Log In

Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Ensure All-Squashing Disabled On All Exports

    The <code>all_squash</code> maps all uids and gids to an anonymous user. This should be disabled by removing any instances of the <code>all_squash<...
    Rule Low Severity
    Show

  • Remove Rsh Trust Files

    The files <code>/etc/hosts.equiv</code> and <code>~/.rhosts</code> (in each user's home directory) list remote hosts and users that are trusted by ...
    Rule High Severity
    Show

  • Configure the Exports File Restrictively

    Linux's NFS implementation uses the file <code>/etc/exports</code> to control what filesystems and directories may be accessed via NFS. (See the <c...
    Group
    Show

  • Export Filesystems Read-Only if Possible

    If a filesystem is being exported so that users can view the files in a convenient fashion, but there is no need for users to edit those files, exp...
    Group
    Show

  • Use Access Lists to Enforce Authorization Restrictions

    When configuring NFS exports, ensure that each export line in <code>/etc/exports</code> contains a list of hosts which are allowed to access that e...
    Group
    Show

  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...
    Group
    Show

  • Vendor Approved Time pools

    The list of vendor-approved pool servers
    Value
    Show

  • Vendor Approved Time Servers

    The list of vendor-approved time servers
    Value
    Show

  • Maximum NTP or Chrony Poll

    The maximum NTP or Chrony poll interval number in seconds specified as a power of two.
    Value
    Show

  • Install the ntp service

    The ntpd service should be installed.
    Rule High Severity
    Show

  • The Chronyd service is enabled

    chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a ...
    Rule Medium Severity
    Show

  • Enable the NTP Daemon

    As a user with administrator privileges, log into a node in the relevant pool: <pre> $ oc debug node/$NODE_NAME </pre> At the <pre>sh-4.4#</pre> p...
    Rule Medium Severity
    Show

  • Telnet

    The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication informat...
    Group
    Show

  • TFTP Server

    TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides littl...
    Group
    Show

  • TFTP server secure directory

    Specify the directory which is used by TFTP server as a root directory when running in secure mode.
    Value
    Show

  • Enable the NTP Daemon

    The <code>ntpd</code> service can be enabled with the following manifest: <pre> --- apiVersion: machineconfiguration.openshift.io/v1 kind: Machine...
    Rule Medium Severity
    Show

  • Disable chrony daemon from acting as server

    The <code>port</code> option in <code>/etc/chrony.conf</code> can be set to <code>0</code> to make chrony daemon to never open any listening port f...
    Rule Low Severity
    Show

  • Disable network management of chrony daemon

    The <code>cmdport</code> option in <code>/etc/chrony.conf</code> can be set to <code>0</code> to stop chrony daemon from listening on the UDP port ...
    Rule Low Severity
    Show

  • Configure Time Service Maxpoll Interval

    The <code>maxpoll</code> should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy...
    Rule Medium Severity
    Show

  • Specify Additional Remote NTP Servers

    Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux CoreOS 4 system can be configured ...
    Rule Medium Severity
    Show

  • Specify a Remote NTP Server

    Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux CoreOS 4 system can be configured ...
    Rule Medium Severity
    Show

  • Ensure Chrony is only configured with the server directive

    Check that Chrony only has time sources configured with the server directive.
    Rule Medium Severity
    Show

  • A remote time server for Chrony is configured

    <code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of s...
    Rule Medium Severity
    Show

  • Specify Additional Remote NTP Servers

    Additional NTP servers can be specified for time synchronization in the file <code>/etc/ntp.conf</code>. To do so, add additional lines of the fol...
    Rule Unknown Severity
    Show

  • Specify a Remote NTP Server

    To specify a remote NTP server for time synchronization, edit the file <code>/etc/ntp.conf</code>. Add or correct the following lines, substituting...
    Rule Medium Severity
    Show

  • Obsolete Services

    This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or...
    Group
    Show

  • Chat/Messaging Services

    The talk software makes it possible for users to send and receive messages across systems through a terminal session.
    Group
    Show

  • Print Support

    The Common Unix Printing System (CUPS) service provides both local and network printing support. A system running the CUPS service can accept print...
    Group
    Show

  • Configure the CUPS Service if Necessary

    CUPS provides the ability to easily share local printers with other systems over the network. It does this by allowing systems to share lists of av...
    Group
    Show

  • Proxy Server

    A proxy server is a very desirable target for a potential adversary because much (or all) sensitive data for a given infrastructure may flow throug...
    Group
    Show

  • Disable Squid if Possible

    If Squid was installed and activated, but the system does not need to act as a proxy server, then it should be disabled and removed.
    Group
    Show

  • Remote Authentication Dial-In User Service (RADIUS)

    Remote Authentication Dial-In User Service (RADIUS) is a networking protocol, operating on port 1812 that provides centralized Authentication, Auth...
    Group
    Show

  • Hardware RNG Entropy Gatherer Daemon

    The rngd feeds random data from hardware device to kernel random device.
    Group
    Show

  • Enable the Hardware RNG Entropy Gatherer Service

    The Hardware RNG Entropy Gatherer service should be enabled. The <code>rngd</code> service can be enabled with the following manifest: <pre> --- a...
    Rule Low Severity
    Show

  • Network Routing

    A router is a very desirable target for a potential adversary because they fulfill a variety of infrastructure networking roles such as access to ...
    Group
    Show

  • Disable Quagga if Possible

    If Quagga was installed and activated, but the system does not need to act as a router, then it should be disabled and removed.
    Group
    Show

  • Samba(SMB) Microsoft Windows File Sharing Server

    When properly configured, the Samba service allows Linux systems to provide file and print sharing to Microsoft Windows systems. There are two soft...
    Group
    Show

  • Configure Samba if Necessary

    All settings for the Samba daemon can be found in <code>/etc/samba/smb.conf</code>. Settings are divided between a <code>[global]</code> configurat...
    Group
    Show

  • SSH Server Listening Port

    Specify port the SSH server is listening.
    Value
    Show

  • SSH Max authentication attempts

    Specify the maximum number of authentication attempts per connection.
    Value
    Show

  • SSH is required to be installed

    Specify if the Policy requires SSH to be installed. Used by SSH Rules to determine if SSH should be uninstalled or configured.<br> A value of 0 mea...
    Value
    Show

  • Restrict Printer Sharing

    By default, Samba utilizes the CUPS printing service to enable printer sharing with Microsoft Windows workstations. If there are no printers on the...
    Group
    Show

  • Restrict SMB File Sharing to Configured Networks

    Only users with local user accounts will be able to log in to Samba shares by default. Shares can be limited to particular users or network address...
    Group
    Show

  • Disable Samba if Possible

    Even after the Samba server package has been installed, it will remain disabled. Do not enable this service unless it is absolutely necessary to pr...
    Group
    Show

  • SNMP Server

    The Simple Network Management Protocol allows administrators to monitor the state of network devices, including computers. Older versions of SNMP w...
    Group
    Show

  • Disable SNMP Server if Possible

    The system includes an SNMP daemon that allows for its remote monitoring, though it not installed by default. If it was installed and activated but...
    Group
    Show

  • Configure SNMP Server if Necessary

    If it is necessary to run the snmpd agent on the system, some best practices should be followed to minimize the security risk from the installation...
    Group
    Show

  • SNMP read-only community string

    Specify the SNMP community string used for read-only access.
    Value
    Show

  • SNMP read-write community string

    Specify the SNMP community string used for read-write access.
    Value
    Show

  • SSH Server

    The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between tw...
    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules