Guide to the Secure Configuration of Red Hat Virtualization 4
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Add noexec Option to Removable Media Partitions
The <code>noexec</code> mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binari...Rule Medium Severity -
Add nosuid Option to Removable Media Partitions
The <code>nosuid</code> mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These perm...Rule Medium Severity -
Add nosuid Option to /opt
The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/opt</code>. The SUID and SGID permissions should...Rule Medium Severity -
Add nosuid Option to /srv
The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/srv</code>. The SUID and SGID permissions should...Rule Medium Severity -
Add noexec Option to /var
The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/var</code>. Add the <code>noexec</code> opti...Rule Medium Severity -
kernel.unprivileged_bpf_disabled
Prevent unprivileged processes from using the bpf() syscall.Value -
Install libselinux Package
Thelibselinuxpackage can be installed with the following command:$ sudo yum install libselinux
Rule High Severity -
daemons_dump_core SELinux Boolean
default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.Value -
daemons_enable_cluster_mode SELinux Boolean
default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.Value -
Disable the uvcvideo module
If the device contains a camera it should be covered or disabled when not in use.Rule Medium Severity -
Restrict Access to Kernel Message Buffer
To set the runtime status of the <code>kernel.dmesg_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.dmesg...Rule Low Severity -
Kernel panic on oops
To set the runtime status of the <code>kernel.panic_on_oops</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.panic_...Rule Medium Severity -
Disable Core Dumps
A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases,...Group -
Disable core dump backtraces
The <code>ProcessSizeMax</code> option in <code>[Coredump]</code> section of <code>/etc/systemd/coredump.conf</code> specifies the maximum size in ...Rule Medium Severity -
Disable storing core dump
The <code>Storage</code> option in <code>[Coredump]</code> sectionof <code>/etc/systemd/coredump.conf</code> can be set to <code>none</code> to dis...Rule Medium Severity -
Disable Core Dumps for SUID programs
To set the runtime status of the <code>fs.suid_dumpable</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.suid_dumpable=...Rule Medium Severity -
Daemon Umask
The umask is a per-process setting which limits the default permissions for creation of new files and directories. The system includes initializati...Group -
daemon umask
Enter umask for daemonsValue -
Enable ExecShield
ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These featu...Group -
kernel.kptr_restrict
Configure exposition of kernel pointer addressesValue
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.