Guide to the Secure Configuration of Anolis OS 23
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Disable Samba
Thesmbservice can be disabled with the following command:$ sudo systemctl mask --now smb.service
Rule Low Severity -
SSH is required to be installed
Specify if the Policy requires SSH to be installed. Used by SSH Rules to determine if SSH should be uninstalled or configured.<br> A value of 0 means that the policy doesn't care if OpenSSH server ...Value -
Verify Permissions on SSH Server config file
To properly set the permissions of/etc/ssh/sshd_config, run the command:$ sudo chmod 0600 /etc/ssh/sshd_config
Rule Medium Severity -
Configure GNOME Screen Locking
In the default GNOME3 desktop, the screen can be locked by selecting the user name in the far right corner of the main panel and selecting <b>Lock</b>. <br> <br> The following sections deta...Group -
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the <code>!authe...Rule Medium Severity -
Configure GNOME Login Screen
In the default GNOME desktop, the login is displayed after system boot and can display user accounts, allow users to reboot the system, and allow users to login automatically and/or with a guest ac...Group -
Disable XDMCP in GDM
XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g. <a href="https://help.gnome.org/admin/gdm/stable/security.html.en_GB#xdmcpsecurity">XDMCP Gnome docs</a>. To dis...Rule High Severity -
Software Integrity Checking
Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integrity of installed software. AIDE uses snapshots of ...Group -
Verify File Hashes with RPM
Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed...Rule High Severity -
Verify Integrity with AIDE
AIDE conducts integrity checks by comparing information about files with previously-gathered information. Ideally, the AIDE database is created immediately after initial system configuration, and t...Group -
Configure Periodic Execution of AIDE
At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to <code>/etc/crontab</code>: <pre>05 4 * * * root ...Rule Medium Severity -
Configure Libreswan to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Libreswan is supported by system crypto policy, but the Libreswan configuration may be set up to ignore ...Rule High Severity -
Disk Partitioning
To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logical volume. The installer's default partitioning sc...Group -
Explicit arguments in sudo specifications
All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user. If the command is supposed to be executed only without arguments, pass "" as an argument in...Rule Medium Severity -
Updating Software
The <code>yum</code> command line tool is used to install and update software packages. The system also provides a graphical software update tool in the <b>System</b> menu, in the <b>Administration...Group -
Ensure gpgcheck Enabled In Main yum Configuration
The <code>gpgcheck</code> option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the ...Rule High Severity -
Ensure Red Hat GPG Key Installed
To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. T...Rule High Severity -
Modify the System Login Banner
To configure the system login banner edit <code>/etc/issue</code>. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is ei...Rule Medium Severity -
Modify the System Message of the Day Banner
To configure the system message banner edit <code>/etc/motd</code>. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is eit...Rule Medium Severity -
Protect Accounts by Configuring PAM
PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and configurable architecture for authentication, and it sh...Group -
Password Hashing algorithm for pam_unix.so
Specify the system default encryption algorithm for encrypting passwords. Defines the hashing algorithm to be used in pam_unix.so.Value -
Limit Password Reuse: system-auth
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_pwhistory</code> PAM module. <br> <br> On systems with n...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Different Categories
The pam_pwquality module's <code>minclass</code> parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is consider...Rule Medium Severity -
Set PAM''s Password Hashing Algorithm
The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/system-auth", the <code>password</code> section of the file controls which PAM modules ...Rule Medium Severity -
Require Authentication for Emergency Systemd Target
Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence. <br> <br> By default, Emergency mode is protected by...Rule Medium Severity -
Set Account Expiration Parameters
Accounts can be configured to be automatically disabled after a certain time period, meaning that they will require administrator interaction to become usable again. Expiration of accounts after in...Group -
Set Account Expiration Following Inactivity
To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in <code>/etc/default/useradd</code>:...Rule Medium Severity -
Set Password Expiration Parameters
The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>login</code> consult <code>/etc/login.defs</code> ...Group -
Set Password Minimum Age
To specify password minimum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_DAYS <xccdf-1.2:sub idref="xccdf_org.ssgproject.con...Rule Medium Severity -
Set Password Minimum Length in login.defs
To specify password length requirements for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_LEN <xccdf-1.2:sub idref="xccdf_org.ssgproj...Rule Medium Severity -
Set Existing Passwords Minimum Age
Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command:$ sudo chage -m 1 USERRule Medium Severity -
Set Password Warning Age
To specify how many days prior to password expiration that a warning will be issued to users, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_WARN_AGE <...Rule Medium Severity -
Direct root Logins Not Allowed
To further limit access to the <code>root</code> account, administrators can disable root logins at the console by editing the <code>/etc/securetty</code> file. This file lists all devices the root...Rule Medium Severity -
Ensure the Logon Failure Delay is Set Correctly in login.defs
To ensure the logon failure delay controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>FAIL_DELAY</code> setting in <code>/etc/login.defs</code> to read as follows: ...Rule Medium Severity -
Limit the Number of Concurrent Login Sessions Allowed Per User
Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurr...Rule Low Severity -
Set Interactive Session Timeout
Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that all user sessions will terminate based on inactivity. The value of TMOUT should be exported and read only. The <code>...Rule Medium Severity -
Ensure that User Home Directories are not Group-Writable or World-Readable
For each human user of the system, view the permissions of the user's home directory: <pre># ls -ld /home/<i>USER</i> </pre> Ensure that the directory is not group-writable and that it is n...Rule Medium Severity -
Ensure that Root's Path Does Not Include World or Group-Writable Directories
For each element in root's path, run:# ls -ld DIRand ensure that write permissions are disabled for group and other.Rule Medium Severity -
Ensure that Users Have Sensible Umask Values
The umask setting controls the default permissions for the creation of new files. With a default <code>umask</code> setting of 077, files and directories created by users will not be readable by an...Group -
Disable Recovery Booting
Anolis OS 23 systems support an "recovery boot" option that can be used to prevent services from being started. The <code>GRUB_DISABLE_RECOVERY</code> configuration option in <code>/etc/default/gru...Rule Medium Severity -
Configure L1 Terminal Fault mitigations
L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged speculative access to data which is available in the Level 1 Data Cache when the page table entry isn't present. Sele...Rule High Severity -
Configure the confidence in TPM for entropy
The TPM security chip that is available in most modern systems has a hardware RNG. It is also used to feed the entropy pool, but generally not credited entropy. Use <code>rng_core.default_quality<...Rule Low Severity -
Configure Speculative Store Bypass Mitigation
Certain CPUs are vulnerable to an exploit against a common wide industry wide performance optimization known as Speculative Store Bypass (SSB). In such cases, recent stores to the same memory loca...Rule Medium Severity -
Verify the UEFI Boot Loader grub.cfg User Ownership
The file <code>/boot/grub2/grub.cfg</code> should be owned by the <code>root</code> user to prevent destruction or modification of the file. To properly set the owner of <code>/boot/grub2/grub.cfg...Rule Medium Severity -
Verify the UEFI Boot Loader grub.cfg Permissions
File permissions for <code>/boot/grub2/grub.cfg</code> should be set to 700. To properly set the permissions of <code>/boot/grub2/grub.cfg</code>, run the command: <pre>$ sudo chmod 700 /boot/grub...Rule Medium Severity -
Set the UEFI Boot Loader Password
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br> <br> Since plaintext passwords are a security risk, generate a hash...Rule High Severity -
Configure Low Address Space To Protect From User Allocation
This is the portion of low virtual memory which should be protected from userspace allocation. This configuration is available from kernel 3.14, but may be available if backported by distros. The ...Rule Medium Severity -
Configure Syslog
The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lack of authentication for received messages, and lac...Group -
Ensure Rsyslog Encrypts Off-Loaded Audit Records
Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this uti...Rule Medium Severity -
Ensure Rsyslog Encrypts Off-Loaded Audit Records
Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this uti...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules