Guide to the Secure Configuration of Anolis OS 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Verify that Shared Library Files Have Restrictive Permissions
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by ...Rule Medium Severity -
Restrict Dynamic Mounting and Unmounting of Filesystems
Linux includes a number of facilities for the automated addition and removal of filesystems on a running system. These facilities may be necessary...Group -
Disable the Automounter
The <code>autofs</code> daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be...Rule Medium Severity -
Restrict Partition Mount Options
System partitions can be mounted with certain options that limit what files on those partitions can do. These options are set in the <code>/etc/fst...Group -
Value for hidepid option
The hidepid mount option is applicable to /proc and is used to control who can access the information in /proc/[pid] directories. The option can ha...Value -
Removable Partition
This value is used by the checks mount_option_nodev_removable_partitions, mount_option_nodev_removable_partitions, and mount_option_nodev_removable...Value -
Add nodev Option to /dev/shm
The <code>nodev</code> mount option can be used to prevent creation of device files in <code>/dev/shm</code>. Legitimate character and block device...Rule Medium Severity -
Add nosuid Option to /dev/shm
The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/dev/shm</code>. The SUID and SGID permissions s...Rule Medium Severity -
Verify Permissions on Important Files and Directories Are Configured in /etc/permissions.local
Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses the ...Group -
Restrict Programs from Dangerous Execution Patterns
The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution ar...Group -
kernel.unprivileged_bpf_disabled
Prevent unprivileged processes from using the bpf() syscall.Value -
Disable the uvcvideo module
If the device contains a camera it should be covered or disabled when not in use.Rule Medium Severity -
Kernel panic on oops
To set the runtime status of the <code>kernel.panic_on_oops</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.panic_...Rule Medium Severity -
Disable Core Dumps
A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases,...Group -
Disable Core Dumps for SUID programs
To set the runtime status of the <code>fs.suid_dumpable</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.suid_dumpable=...Rule Medium Severity -
ftpd_use_fusefs SELinux Boolean
default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.Value -
Enable ExecShield
ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These featu...Group -
kernel.kptr_restrict
Configure exposition of kernel pointer addressesValue -
Restrict Exposed Kernel Pointer Addresses Access
To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_r...Rule Medium Severity -
Enable Randomized Layout of Virtual Address Space
To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.r...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.