Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Configure SSSD to Expire Offline Credentials
SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set <code>offline_credentials_expiration</code> to <code>1</code> under the <c...Rule Medium Severity -
Configure SSSD to run as user sssd
SSSD processes should be configured to run as user sssd, not root.Rule Medium Severity -
USBGuard daemon
The USBGuard daemon enforces the USB device authorization policy for all USB devices.Group -
Install usbguard Package
The <code>usbguard</code> package can be installed with the following manifest: <pre> --- apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig metadata: labels: machineconfig...Rule Medium Severity -
Log USBGuard daemon audit events using Linux Audit
To configure USBGuard daemon to log via Linux Audit (as opposed directly to a file), <code>AuditBackend</code> option in <code>/etc/usbguard/usbguard-daemon.conf</code> needs to be set to <code>Lin...Rule Low Severity -
Authorize Human Interface Devices in USBGuard daemon
To allow authorization of Human Interface Devices (keyboard, mouse) by USBGuard daemon, add the lineallow with-interface match-all { 03:*:* }to/etc/usbguard/rules.conf.Rule Medium Severity -
Authorize Human Interface Devices and USB hubs in USBGuard daemon
To allow authorization of USB devices combining human interface device and hub capabilities by USBGuard daemon, add the line <code>allow with-interface match-all { 03:*:* 09:00:* }</code> to <code>...Rule Medium Severity -
Authorize USB hubs in USBGuard daemon
To allow authorization of USB hub devices by USBGuard daemon, add lineallow with-interface match-all { 09:00:* }to/etc/usbguard/rules.conf.Rule Medium Severity -
Verify /boot/grub2/user.cfg Group Ownership
The file <code>/boot/grub2/user.cfg</code> should be group-owned by the <code>root</code> group to prevent reading or modification of the file. To properly set the group owner of <code>/boot/grub2...Rule Medium Severity -
Verify the UEFI Boot Loader grub.cfg User Ownership
The file <code>/boot/grub2/grub.cfg</code> should be owned by the <code>root</code> user to prevent destruction or modification of the file. To properly set the owner of <code>/boot/grub2/grub.cfg...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules