Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Account Lockouts Must Be Logged
PAM faillock locks an account due to excessive password failures, this event must be logged.Rule Medium Severity -
Ensure There Are No Accounts With Blank or Null Passwords
Check the "/etc/shadow" file for blank passwords with the following command: <pre>$ sudo awk -F: '!$2 {print $1}' /etc/shadow</pre> If the command returns any results, this is a finding. Configure ...Rule High Severity -
dcredit
Minimum number of digits in passwordValue -
lcredit
Minimum number of lower case in passwordValue -
minclass
Minimum number of categories of characters that must exist in a passwordValue -
minlen
Minimum number of characters in passwordValue -
ocredit
Minimum number of other (special characters) in passwordValue -
retry
Number of retry attempts before erroring outValue -
ucredit
Minimum number of upper case in passwordValue -
Protect Physical Console Access
It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be considered a necessary step. However, there are some...Group -
Login timeout for idle sessions
Specify duration of allowed idle time.Value -
Verify that Interactive Boot is Disabled
Red Hat Enterprise Linux CoreOS 4 systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat Enterprise Linux CoreOS 4 system, interactive bo...Rule Medium Severity -
Ensure there are no legacy + NIS entries in /etc/group
The+character in/etc/groupfile marks a place where entries from a network information service (NIS) should be directly inserted.Rule Medium Severity -
Disable Ctrl-Alt-Del Reboot Activation
By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed. <br> <br> To configure the system to ignore the <code>Ctrl-Alt-Del</code> k...Rule High Severity -
Verify that Interactive Boot is Disabled
Red Hat Enterprise Linux CoreOS 4 systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat Enterprise Linux CoreOS 4 system, interactive bo...Rule Medium Severity -
Require Authentication for Single User Mode
Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. <br> <br> By default, single-user mode is ...Rule Medium Severity -
Configure Screen Locking
When a user must temporarily leave an account logged-in, screen locking should be employed to prevent passersby from abusing the account. User education and training is particularly important for s...Group -
Configure Console Screen Locking
A console screen locking mechanism is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of th...Group -
Support session locking with tmux
Thetmuxterminal multiplexer is used to implement automatic session locking. It should be started from/etc/bashrcor drop-in files within/etc/profile.d/.Rule Medium Severity -
Configure tmux to lock session after inactivity
To enable console screen locking in <code>tmux</code> terminal multiplexer after a period of inactivity, the <code>lock-after-time</code> option has to be set to a value greater than 0 and less tha...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.