Guide to the Secure Configuration of Anolis OS 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Verify Group Who Owns cron.hourly
To properly set the group owner of/etc/cron.hourly, run the command:$ sudo chgrp root /etc/cron.hourly
Rule Medium Severity -
LDAP
LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. Anolis OS 8 includes software that enables a system to act as both an LDAP client...Group -
Verify Group Who Owns Crontab
To properly set the group owner of/etc/crontab, run the command:$ sudo chgrp root /etc/crontab
Rule Medium Severity -
SSH session Idle time
Specify duration of allowed idle time.Value -
Uninstall the telnet server
The telnet daemon should be uninstalled.Rule High Severity -
Verify Owner on cron.daily
To properly set the owner of/etc/cron.daily, run the command:$ sudo chown root /etc/cron.daily
Rule Medium Severity -
Verify Owner on cron.hourly
To properly set the owner of/etc/cron.hourly, run the command:$ sudo chown root /etc/cron.hourly
Rule Medium Severity -
Verify Owner on cron.monthly
To properly set the owner of/etc/cron.monthly, run the command:$ sudo chown root /etc/cron.monthly
Rule Medium Severity -
Verify Owner on cron.weekly
To properly set the owner of/etc/cron.weekly, run the command:$ sudo chown root /etc/cron.weekly
Rule Medium Severity -
Verify Owner on crontab
To properly set the owner of/etc/crontab, run the command:$ sudo chown root /etc/crontab
Rule Medium Severity -
Verify Permissions on cron.daily
To properly set the permissions of/etc/cron.daily, run the command:$ sudo chmod 0700 /etc/cron.daily
Rule Medium Severity -
Verify Permissions on cron.hourly
To properly set the permissions of/etc/cron.hourly, run the command:$ sudo chmod 0700 /etc/cron.hourly
Rule Medium Severity -
Verify Permissions on cron.monthly
To properly set the permissions of/etc/cron.monthly, run the command:$ sudo chmod 0700 /etc/cron.monthly
Rule Medium Severity -
Verify Permissions on cron.weekly
To properly set the permissions of/etc/cron.weekly, run the command:$ sudo chmod 0700 /etc/cron.weekly
Rule Medium Severity -
Verify Permissions on crontab
To properly set the permissions of/etc/crontab, run the command:$ sudo chmod 0600 /etc/crontab
Rule Medium Severity -
Configure DHCP Client if Necessary
If DHCP must be used, then certain configuration changes can minimize the amount of information it receives and applies from the network, and thus the amount of incorrect information a rogue DHCP s...Group -
SSH Max authentication attempts
Specify the maximum number of authentication attempts per connection.Value -
Ensure that /etc/at.deny does not exist
The file/etc/at.denyshould not exist. Use/etc/at.allowinstead.Rule Medium Severity -
Ensure that /etc/cron.deny does not exist
The file/etc/cron.denyshould not exist. Use/etc/cron.allowinstead.Rule Medium Severity -
Verify Group Who Owns /etc/at.allow file
If <code>/etc/at.allow</code> exists, it must be group-owned by <code>root</code>. To properly set the group owner of <code>/etc/at.allow</code>, run the command: <pre>$ sudo chgrp root /etc/at.al...Rule Medium Severity -
Verify Group Who Owns /etc/cron.allow file
If <code>/etc/cron.allow</code> exists, it must be group-owned by <code>root</code>. To properly set the group owner of <code>/etc/cron.allow</code>, run the command: <pre>$ sudo chgrp root /etc/c...Rule Medium Severity -
Verify User Who Owns /etc/at.allow file
If <code>/etc/at.allow</code> exists, it must be owned by <code>root</code>. To properly set the owner of <code>/etc/at.allow</code>, run the command: <pre>$ sudo chown root /etc/at.allow </pre> ...Rule Medium Severity -
Verify User Who Owns /etc/cron.allow file
If <code>/etc/cron.allow</code> exists, it must be owned by <code>root</code>. To properly set the owner of <code>/etc/cron.allow</code>, run the command: <pre>$ sudo chown root /etc/cron.allow </...Rule Medium Severity -
Verify Permissions on /etc/at.allow file
If <code>/etc/at.allow</code> exists, it must have permissions <code>0640</code> or more restrictive. To properly set the permissions of <code>/etc/at.allow</code>, run the command: <pre>$ sudo c...Rule Medium Severity -
Verify Permissions on /etc/cron.allow file
If <code>/etc/cron.allow</code> exists, it must have permissions <code>0640</code> or more restrictive. To properly set the permissions of <code>/etc/cron.allow</code>, run the command: <pre>$ su...Rule Medium Severity -
Deprecated services
Some deprecated software services impact the overall system security due to their behavior (leak of confidentiality in network exchange, usage as uncontrolled communication channel, risk associated...Group -
Uninstall the inet-based telnet server
The inet-based telnet daemon should be uninstalled.Rule High Severity -
Uninstall the nis package
The support for Yellowpages should not be installed unless it is required.Rule Low Severity -
Uninstall the ntpdate package
ntpdate is a historical ntp synchronization client for unixes. It sould be uninstalled.Rule Low Severity -
Uninstall the ssl compliant telnet server
Thetelnetdaemon, even with ssl support, should be uninstalled.Rule High Severity -
Configure DHCP Server
If the system must act as a DHCP server, the configuration information it serves should be minimized. Also, support for other protocols and DNS-updating schemes should be explicitly disabled unless...Group -
Minimize Served Information
Edit /etc/dhcp/dhcpd.conf. Examine each address range section within the file, and ensure that the following options are not defined unless there is an operational need to provide this information ...Rule Unknown Severity -
Disable DHCP Server
The DHCP server <code>dhcpd</code> is not installed or activated by default. If the software was installed and activated, but the system does not need to act as a DHCP server, it should be disabled...Group -
Disable DHCP Service
The <code>dhcpd</code> service should be disabled on any system that does not need to act as a DHCP server. The <code>dhcpd</code> service can be disabled with the following command: <pre>$ sudo s...Rule Medium Severity -
DNS Server
Most organizations have an operational need to run at least one nameserver. However, there are many common attacks involving DNS server software, and this server software should be disabled on any ...Group -
Disable DNS Server
DNS software should be disabled on any systems which does not need to be a nameserver. Note that the BIND DNS server software is not installed on Anolis OS 8 by default. The remainder of this secti...Group -
Uninstall bind Package
Thenamedservice is provided by thebindpackage. Thebindpackage can be removed with the following command:$ sudo yum erase bind
Rule Low Severity -
Disable named Service
Thenamedservice can be disabled with the following command:$ sudo systemctl mask --now named.service
Rule Medium Severity -
Application Whitelisting Daemon
Fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. Applications that are known via a reputation source are allowed access while unknown applicat...Group -
fapolicyd Must be Configured to Limit Access to Users Home Folders
fapolicyd needs be configured so that users cannot give access to their home folders to other users.Rule Medium Severity -
Disable vsftpd if Possible
To minimize attack surface, disable vsftpd if at all possible.Group -
Disable vsftpd Service
Thevsftpdservice can be disabled with the following command:$ sudo systemctl mask --now vsftpd.service
Rule Medium Severity -
Configure vsftpd to Provide FTP Service if Necessary
The primary vsftpd configuration file is/etc/vsftpd.conf, if that file exists, or/etc/vsftpd/vsftpd.confif it does not.Group -
Restrict the Set of Users Allowed to Access FTP
This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to do this entirely due to legacy applications, how to restrict insecure FTP login to only...Group -
Limit Users Allowed FTP Access if Necessary
If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add o...Rule Unknown Severity -
Disable Apache if Possible
If Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system.Group -
Disable httpd Service
Thehttpdservice can be disabled with the following command:$ sudo systemctl mask --now httpd.service
Rule Unknown Severity -
IMAP and POP3 Server
Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at <a href="http://www.dovecot.org">http://www.dovecot.org</a> contains more detailed information abou...Group -
Disable Dovecot
If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.Group -
Configure OpenLDAP Server
This section details some security-relevant settings for an OpenLDAP server.Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules