Skip to content

Guide to the Secure Configuration of Anolis OS 8

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...
    Group
  • Vendor Approved Time pools

    The list of vendor-approved pool servers
    Value
  • Vendor Approved Time Servers

    The list of vendor-approved time servers
    Value
  • Maximum NTP or Chrony Poll

    The maximum NTP or Chrony poll interval number in seconds specified as a power of two.
    Value
  • The Chrony package is installed

    System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or se...
    Rule Medium Severity
  • Install the ntp service

    The ntpd service should be installed.
    Rule High Severity
  • The Chronyd service is enabled

    chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a ...
    Rule Medium Severity
  • Ensure Chrony is only configured with the server directive

    Check that Chrony only has time sources configured with the server directive.
    Rule Medium Severity
  • A remote time server for Chrony is configured

    <code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of s...
    Rule Medium Severity
  • Obsolete Services

    This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or...
    Group
  • Ensure rsyncd service is disabled

    The rsyncd service can be disabled with the following command:
    $ sudo systemctl mask --now rsyncd.service
    Rule Medium Severity
  • Xinetd

    The <code>xinetd</code> service acts as a dedicated listener for some network services (mostly, obsolete ones) and can be used to provide access co...
    Group
  • NIS

    The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and oth...
    Group
  • Disable ypserv Service

    The <code>ypserv</code> service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The <code>ypserv</code> s...
    Rule Medium Severity
  • Rlogin, Rsh, and Rexec

    The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.
    Group
  • Remove Rsh Trust Files

    The files <code>/etc/hosts.equiv</code> and <code>~/.rhosts</code> (in each user's home directory) list remote hosts and users that are trusted by ...
    Rule High Severity
  • Chat/Messaging Services

    The talk software makes it possible for users to send and receive messages across systems through a terminal session.
    Group
  • Telnet

    The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication informat...
    Group
  • TFTP Server

    TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides littl...
    Group
  • TFTP server secure directory

    Specify the directory which is used by TFTP server as a root directory when running in secure mode.
    Value

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules