Guide to the Secure Configuration of Anolis OS 23
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Disable named Service
Thenamedservice can be disabled with the following command:$ sudo systemctl mask --now named.service
Rule Medium Severity -
Isolate DNS from Other Services
This section discusses mechanisms for preventing the DNS server from interfering with other services. This is done both to protect the remainder of...Group -
Run DNS Software in a chroot Jail
Install the <code>bind-chroot</code> package: <pre>$ sudo yum install bind-chroot</pre> Place a valid named.conf file inside the chroot jail: <pre>...Group -
Use Views to Partition External and Internal Information
If it is not possible to run external and internal nameservers on separate physical systems, run BIND9 and simulate this feature using views. Edit ...Group -
Run Separate DNS Servers for External and Internal Queries
Is it possible to run external and internal nameservers on separate systems? If so, follow the configuration guidance in this section. On the exter...Group -
Docker Service
The docker service is necessary to create containers, which are self-sufficient and self-contained applications using the resource isolation fe...Group -
Application Whitelisting Daemon
Fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. Applications that are known via a reputatio...Group -
fapolicyd Must be Configured to Limit Access to Users Home Folders
fapolicyd needs be configured so that users cannot give access to their home folders to other users.Rule Medium Severity -
FTP Server
FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data...Group -
Disable vsftpd if Possible
To minimize attack surface, disable vsftpd if at all possible.Group -
Disable vsftpd Service
Thevsftpdservice can be disabled with the following command:$ sudo systemctl mask --now vsftpd.service
Rule Medium Severity -
Configure vsftpd to Provide FTP Service if Necessary
The primary vsftpd configuration file is/etc/vsftpd.conf, if that file exists, or/etc/vsftpd/vsftpd.confif it does not.Group -
Configure Firewalls to Protect the FTP Server
By default, <code>iptables</code> blocks access to the ports used by the web server. To configure <code>iptables</code> to allow port 21 traffic,...Rule Unknown Severity -
Restrict the Set of Users Allowed to Access FTP
This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to do this entirely due to legacy applic...Group -
Configure PERL Securely
PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from...Group -
Limit Users Allowed FTP Access if Necessary
If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this...Rule Unknown Severity -
Use vsftpd to Provide FTP Service if Necessary
If your use-case requires FTP service, install and set-up vsftpd to provide it.Group -
Web Server
The web server is responsible for providing access to content via the HTTP protocol. Web servers represent a significant security risk because: <br...Group -
Disable Apache if Possible
If Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system.Group -
Disable httpd Service
Thehttpdservice can be disabled with the following command:$ sudo systemctl mask --now httpd.service
Rule Unknown Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.