Skip to content

Guide to the Secure Configuration of Anolis OS 8

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Ensure nss-tools is installed

    The nss-tools package can be installed with the following command:
    $ sudo yum install nss-tools
    Rule Medium Severity
  • Updating Software

    The <code>yum</code> command line tool is used to install and update software packages. The system also provides a graphical software update tool in the <b>System</b> menu, in the <b>Administration...
    Group
  • Ensure Red Hat GPG Key Installed

    To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. T...
    Rule High Severity
  • Ensure Software Patches Installed



    NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.
    Rule Medium Severity
  • Account and Access Control

    In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which that account has access. Therefore, making it mor...
    Group
  • Authselect profile

    Specify the authselect profile to select
    Value
  • Verify ownership of Message of the Day Banner

    To properly set the owner of /etc/motd, run the command:
    $ sudo chown root /etc/motd 
    Rule Medium Severity
  • Login Banner Verbiage

    Enter an appropriate login banner for your organization. Please note that new lines must be expressed by the '\n' character and special characters like parentheses and quotation marks must be escap...
    Value
  • MotD Banner Verbiage

    Enter an appropriate login banner for your organization. Please note that new lines must be expressed by the '\n' character and special characters like parentheses and quotation marks must be escap...
    Value
  • Modify the System Message of the Day Banner

    To configure the system message banner edit <code>/etc/motd</code>. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is eit...
    Rule Medium Severity
  • Verify Group Ownership of System Login Banner

    To properly set the group owner of /etc/issue, run the command:
    $ sudo chgrp root /etc/issue
    Rule Medium Severity
  • Verify Group Ownership of Message of the Day Banner

    To properly set the group owner of /etc/motd, run the command:
    $ sudo chgrp root /etc/motd
    Rule Medium Severity
  • Verify ownership of System Login Banner

    To properly set the owner of /etc/issue, run the command:
    $ sudo chown root /etc/issue 
    Rule Medium Severity
  • Verify permissions on Message of the Day Banner

    To properly set the permissions of /etc/motd, run the command:
    $ sudo chmod 0644 /etc/motd
    Rule Medium Severity
  • Password Hashing algorithm

    Specify the system default encryption algorithm for encrypting passwords. Defines the value set as ENCRYPT_METHOD in /etc/login.defs.
    Value
  • remember

    The last n passwords for each user are saved in <code>/etc/security/opasswd</code> in order to force password change history and keep the user from alternating between the same password too frequen...
    Value
  • Disallow Configuration to Bypass Password Requirements for Privilege Escalation

    Verify the operating system is not configured to bypass password requirements for privilege escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command: <pre>$ sudo...
    Rule Medium Severity
  • Set Lockouts for Failed Password Attempts

    The <code>pam_faillock</code> PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentation is available in <code>/usr/share/doc/pam-VERSIO...
    Group
  • fail_deny

    Number of failed login attempts before account lockout
    Value
  • fail_unlock_time

    Seconds before automatic unlocking or permanently locking after excessive failed logins
    Value
  • tally2_unlock_time

    Seconds before automatic unlocking or permanently locking after excessive failed logins
    Value
  • Limit Password Reuse: system-auth

    Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_pwhistory</code> PAM module. <br> <br> On systems with n...
    Rule Medium Severity
  • Account Lockouts Must Be Logged

    PAM faillock locks an account due to excessive password failures, this event must be logged.
    Rule Medium Severity
  • Set Password Quality Requirements

    The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure passwords are not similar to dictionary words, are of...
    Group
  • Set Password Quality Requirements with pam_pwquality

    The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br> <br> For example, to configure <code>pam_pwquality</code> to require at lea...
    Group
  • dcredit

    Minimum number of digits in password
    Value
  • lcredit

    Minimum number of lower case in password
    Value
  • minclass

    Minimum number of categories of characters that must exist in a password
    Value
  • minlen

    Minimum number of characters in password
    Value
  • Ensure PAM Enforces Password Requirements - Minimum Length

    The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_val...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session

    To configure the number of retry prompts that are permitted per-session: Edit the <code>pam_pwquality.so</code> statement in <code>/etc/pam.d/system-auth</code> to show <code>retry=<xccdf-1.2:s...
    Rule Medium Severity
  • Set Password Hashing Algorithm

    The system's default algorithm for storing password hashes in /etc/shadow is SHA-512. This can be configured in several locations.
    Group
  • Protect Physical Console Access

    It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be considered a necessary step. However, there are some...
    Group
  • Require Authentication for Emergency Systemd Target

    Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence. <br> <br> By default, Emergency mode is protected by...
    Rule Medium Severity
  • Require Authentication for Single User Mode

    Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. <br> <br> By default, single-user mode is ...
    Rule Medium Severity
  • Protect Accounts by Restricting Password-Based Login

    Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness using the <code>/etc/passwd</code> and <code>/etc/...
    Group
  • Ensure All Accounts on the System Have Unique User IDs

    Change user IDs (UIDs), or delete accounts, so each has a unique name.
    Rule Medium Severity
  • Ensure All Groups on the System Have Unique Group ID

    Change the group name or delete groups, so each has a unique id.
    Rule Medium Severity
  • Ensure All Groups on the System Have Unique Group Names

    Change the group name or delete groups, so each has a unique name.
    Rule Medium Severity
  • number of days after a password expires until the account is permanently disabled

    The number of days to wait after a password expires, until the account will be permanently disabled.
    Value
  • Ensure All Accounts on the System Have Unique Names

    Ensure accounts on the system have unique names. To ensure all accounts have unique names, run the following command: <pre>$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d</pre> If a usernam...
    Rule Medium Severity
  • Use Centralized and Automated Authentication

    Implement an automated system for managing user accounts that minimizes the risk of errors, either intentional or deliberate. This system should integrate with an existing enterprise user managemen...
    Rule Medium Severity
  • maximum password age

    Maximum age of password in days
    Value
  • minimum password age

    Minimum age of password in days
    Value
  • minimum password length

    Minimum number of characters in password
    Value
  • warning days before password expires

    The number of days' warning given before a password expires.
    Value
  • Set Password Maximum Age

    To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MAX_DAYS <xccdf-1.2:sub idref="xccdf_org.ssgproject.con...
    Rule Medium Severity
  • Set Password Minimum Age

    To specify password minimum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_DAYS <xccdf-1.2:sub idref="xccdf_org.ssgproject.con...
    Rule Medium Severity
  • Set Password Minimum Length in login.defs

    To specify password length requirements for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_LEN <xccdf-1.2:sub idref="xccdf_org.ssgproj...
    Rule Medium Severity
  • Set Existing Passwords Minimum Age

    Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command:
    $ sudo chage -m 1 USER
             
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules