Guide to the Secure Configuration of Anolis OS 23
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Specify the hash to use when signing modules
This configures the kernel to build and sign modules using <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_hash" use="legacy"></xccdf-1.2:sub> as the hash func...Rule Medium Severity -
Specify module signing key to use
Setting this option to something other than its default of <code>certs/signing_key.pem</code> will disable the autogeneration of signing keys and allow the kernel modules to be signed with a key of...Rule Medium Severity -
net.ipv4.conf.default.rp_filter
Enables source route verificationValue -
Sign kernel modules with SHA-512
This configures the kernel to build and sign modules using SHA512 as the hash function. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check th...Rule Medium Severity -
Enable poison without sanity check
Skip the sanity checking on alloc, only fill the pages with poison on free. This reduces some of the overhead of the poisoning feature. This configuration is available from kernel 4.6. The configu...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules