Guide to the Secure Configuration of UnionTech OS Server 20
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Kernel panic timeout
The time, in seconds, to wait until a reboot occurs. If the value is0the system never reboots. If the value is less than0the system reboots immediately.Value -
Do not allow ACPI methods to be inserted/replaced at run time
This debug facility allows ACPI AML methods to be inserted and/or replaced without rebooting the system. This configuration is available from kernel 3.0. The configuration that was used to build k...Rule Low Severity -
Disable kernel support for MISC binaries
Enabling <code>CONFIG_BINFMT_MISC</code> makes it possible to plug wrapper-driven binary formats into the kernel. This is specially useful for programs that need an interpreter to run like Java, Py...Rule Medium Severity -
Enable support for BUG()
Disabling this option eliminates support for BUG and WARN, reducing the size of your kernel image and potentially quietly ignoring numerous fatal conditions. You should only consider disabling this...Rule Medium Severity -
Disable the 32-bit vDSO
Certain buggy versions of glibc (2.3.3) will crash if they are presented with a 32-bit vDSO that is not mapped at the address indicated in its segment table. Setting <code>CONFIG_COMPAT_VDSO</code>...Rule Low Severity -
Enable checks on credential management
Enable this to turn on some debug checking for credential management. The additional code keeps track of the number of pointers from task_structs to any given cred struct, and checks to see that th...Rule Low Severity -
Disable kernel debugfs
<code>debugfs</code> is a virtual file system that kernel developers use to put debugging files into. Enable this option to be able to read and write to these files. The configuration that was use...Rule Low Severity -
Enable checks on linked list manipulation
Enable this to turn on extended checks in the linked-list walking routines. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check the configurat...Rule Low Severity -
Enable checks on notifier call chains
Enable this to turn on sanity checking for notifier call chains. This is most useful for kernel developers to make sure that modules properly unregister themselves from notifier chains. The config...Rule Low Severity -
Enable checks on scatter-gather (SG) table operations
Scatter-gather tables are mechanism used for high performance I/O on DMA devices. Enable this to turn on checks on scatter-gather tables. The configuration that was used to build kernel is availab...Rule Low Severity -
Disable /dev/kmem virtual device support
Disable support for the /dev/kmem device. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check the configuration value for <code>CONFIG_DEVKMEM...Rule Low Severity -
Disable hibernation
Enable the suspend to disk (STD) functionality, which is usually called "hibernation" in user interfaces. STD checkpoints the system and powers it off; and restores that checkpoint on reboot. The ...Rule Medium Severity -
Disable IA32 emulation
Disables support for legacy 32-bit programs under a 64-bit kernel. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check the configuration value...Rule Medium Severity -
Disable the IPv6 protocol
Disable support for IP version 6 (IPv6). The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check the configuration value for <code>CONFIG_IPV6</co...Rule Medium Severity -
Disable kexec system call
<code>kexec</code> is a system call that implements the ability to shutdown your current kernel, and to start another kernel. It is like a reboot but it is independent of the system firmware. And l...Rule Low Severity -
Disable legacy (BSD) PTY support
Disable the Linux traditional BSD-like terminal names /dev/ptyxx for masters and /dev/ttyxx for slaves of pseudo terminals, and use only the modern ptys (devpts) interface. The configuration that ...Rule Medium Severity -
Enable module signature verification
Check modules for valid signatures upon load. Note that this option adds the OpenSSL development packages as a kernel build dependency so that the signing tool can use its crypto library. The conf...Rule Medium Severity -
Enable automatic signing of all modules
Sign all modules during make modules_install. Without this option, modules must be signed manually, using the scripts/sign-file tool. The configuration that was used to build kernel is available a...Rule Medium Severity -
Require modules to be validly signed
Reject unsigned modules or signed modules with an unknown key. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check the configuration value for...Rule Medium Severity -
Specify the hash to use when signing modules
This configures the kernel to build and sign modules using <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_hash" use="legacy"></xccdf-1.2:sub> as the hash func...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules