Guide to the Secure Configuration of Anolis OS 23
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Postfix Network Interfaces
The setting for inet_interfaces in /etc/postfix/main.cfValue -
Postfix relayhost
Specify the host all outbound email should be routed into.Value -
Postfix Root Mail Alias
Specify an email address (string) for a root mail alias.Value -
Configure System to Forward All Mail From Postmaster to The Root Account
Verify the administrators are notified in the event of an audit processing failure. Check that the "/etc/aliases" file has a defined value for "root". <pre>$ sudo grep "postmaster:\s*root$" /etc/al...Rule Medium Severity -
Configure System to Forward All Mail through a specific host
Set up a relay host that will act as a gateway for all outbound email. Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following <code>relayhost</code> line appears: <pre>re...Rule Medium Severity -
Verify Ownership on SSH Server Public *.pub Key Files
SSH server public keys, files that match the/etc/ssh/*.pubglob, must be owned byrootuser.Rule Medium Severity -
NFS and RPC
The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circumstances under which it is possible to disable NF...Group -
Disable All NFS Services if Possible
If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable subsystems required by NFS.Group -
Disable netfs if Possible
To determine if any network filesystems handled by netfs are currently mounted on the system execute the following command: <pre>$ mount -t nfs,nfs4,smbfs,cifs,ncpfs</pre> If the command did not re...Group -
Disable Services Used Only by NFS
If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. <br> <br> All of these daemons run with elevated privileges, and many listen for network connections. I...Group -
Configure NFS Clients
The steps in this section are appropriate for systems which operate as NFS clients.Group -
Disable NFS Server Daemons
There is no need to run the NFS server daemons <code>nfs</code> and <code>rpcsvcgssd</code> except on a small number of properly secured systems designated as NFS servers. Ensure that these daemons...Group -
Configure NFS Servers
The steps in this section are appropriate for systems which operate as NFS servers.Group -
Ensure All-Squashing Disabled On All Exports
The <code>all_squash</code> maps all uids and gids to an anonymous user. This should be disabled by removing any instances of the <code>all_squash</code> option from the file <code>/etc/exports</co...Rule Low Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...Group -
Install the ntp service
The ntpd service should be installed.Rule High Severity -
Ensure Chrony is only configured with the server directive
Check that Chrony only has time sources configured with theserverdirective.Rule Medium Severity -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. M...Rule Medium Severity -
Obsolete Services
This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best a...Group -
Ensure rsyncd service is disabled
Thersyncdservice can be disabled with the following command:$ sudo systemctl mask --now rsyncd.service
Rule Medium Severity -
NIS
The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized authentication services. NIS...Group -
Rlogin, Rsh, and Rexec
The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.Group -
Print Support
The Common Unix Printing System (CUPS) service provides both local and network printing support. A system running the CUPS service can accept print jobs from other systems, process them, and send t...Group -
Disable the CUPS Service
Thecupsservice can be disabled with the following command:$ sudo systemctl mask --now cups.service
Rule Unknown Severity -
Proxy Server
A proxy server is a very desirable target for a potential adversary because much (or all) sensitive data for a given infrastructure may flow through it. Therefore, if one is required, the system ac...Group -
Disable Squid if Possible
If Squid was installed and activated, but the system does not need to act as a proxy server, then it should be disabled and removed.Group -
Disable Squid
Thesquidservice can be disabled with the following command:$ sudo systemctl mask --now squid.service
Rule Unknown Severity -
Samba(SMB) Microsoft Windows File Sharing Server
When properly configured, the Samba service allows Linux systems to provide file and print sharing to Microsoft Windows systems. There are two software packages that provide Samba support. The firs...Group -
Disable Samba if Possible
Even after the Samba server package has been installed, it will remain disabled. Do not enable this service unless it is absolutely necessary to provide Microsoft Windows file and print sharing fun...Group -
SNMP Server
The Simple Network Management Protocol allows administrators to monitor the state of network devices, including computers. Older versions of SNMP were well-known for weak security, such as plaintex...Group -
Disable SNMP Server if Possible
The system includes an SNMP daemon that allows for its remote monitoring, though it not installed by default. If it was installed and activated but is not needed, the software should be disabled an...Group -
Disable snmpd Service
Thesnmpdservice can be disabled with the following command:$ sudo systemctl mask --now snmpd.service
Rule Low Severity -
SSH Server
The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, throu...Group -
SSH session Idle time
Specify duration of allowed idle time.Value -
SSH Max authentication attempts
Specify the maximum number of authentication attempts per connection.Value -
SSH Max Sessions Count
Specify the maximum number of open sessions permitted.Value -
SSH Max Keep Alive Count
Specify the maximum number of idle message counts before session is terminated.Value -
Install the OpenSSH Server Package
Theopenssh-serverpackage should be installed. Theopenssh-serverpackage can be installed with the following command:$ sudo yum install openssh-server
Rule Medium Severity -
Remove the OpenSSH Server Package
Theopenssh-serverpackage should be removed. Theopenssh-serverpackage can be removed with the following command:$ sudo yum erase openssh-server
Rule Medium Severity -
Disable SSH Server If Possible
The SSH server service, sshd, is commonly needed. However, if it can be disabled, do so. This is unusual, as SSH is a common method for encrypted and authenticated remote access.Rule High Severity -
Verify Group Who Owns SSH Server config file
To properly set the group owner of/etc/ssh/sshd_config, run the command:$ sudo chgrp root /etc/ssh/sshd_config
Rule Medium Severity -
Verify Group Ownership on SSH Server Private *_key Key Files
SSH server private keys, files that match the/etc/ssh/*_keyglob, must be group-owned byrootgroup.Rule Medium Severity -
Verify Group Ownership on SSH Server Public *.pub Key Files
SSH server public keys, files that match the/etc/ssh/*.pubglob, must be group-owned byrootgroup.Rule Medium Severity -
Verify Owner on SSH Server config file
To properly set the owner of/etc/ssh/sshd_config, run the command:$ sudo chown root /etc/ssh/sshd_config
Rule Medium Severity -
Verify Ownership on SSH Server Private *_key Key Files
SSH server private keys, files that match the/etc/ssh/*_keyglob, must be owned byrootuser.Rule Medium Severity -
Verify Permissions on SSH Server Private *_key Key Files
SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by the <code>root</code> user and the <code>root</code...Rule Medium Severity -
Verify Permissions on SSH Server Public *.pub Key Files
To properly set the permissions of/etc/ssh/*.pub, run the command:$ sudo chmod 0644 /etc/ssh/*.pub
Rule Medium Severity -
Configure OpenSSH Server if Necessary
If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_config</code>. The following recommendations can be app...Group -
SSH RekeyLimit - size
Specify the size component of the rekey limit.Value -
SSH RekeyLimit - size
Specify the size component of the rekey limit.Value
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules