Oracle Linux 8 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
OL 8 file systems must not execute binary files that are imported via Network File System (NFS).
<VulnDiscussion>The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file syste...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 file systems must not interpret character or block special devices that are imported via NFS.
<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option mus...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
Local OL 8 initialization files must not execute world-writable programs.
<VulnDiscussion>If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modi...Rule Medium Severity -
SRG-OS-000269-GPOS-00103
<GroupDescription></GroupDescription>Group -
OL 8 must disable kernel dumps unless needed.
<VulnDiscussion>Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a co...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations ...Rule Medium Severity -
SRG-OS-000437-GPOS-00194
<GroupDescription></GroupDescription>Group -
YUM must remove all software components after updated versions have been installed on OL 8.
<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed m...Rule Low Severity -
SRG-OS-000445-GPOS-00199
<GroupDescription></GroupDescription>Group -
OL 8 must enable the SELinux targeted policy.
<VulnDiscussion>Without verification of the security functions, they may not operate correctly and the failure may go unnoticed. Security fun...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must disable the "kernel.core_pattern".
<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission ob...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must disable acquiring, saving, and processing core dumps.
<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission ob...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must disable core dumps for all users.
<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission ob...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must disable storing core dumps.
<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission ob...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must disable core dump backtraces.
<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission ob...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
For OL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
<VulnDiscussion>To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolut...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
Executable search paths within the initialization files of all local interactive OL 8 users must only contain paths that resolve to the system default or the user's home directory.
<VulnDiscussion>The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search t...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All OL 8 world-writable directories must be owned by root, sys, bin, or an application user.
<VulnDiscussion>If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All OL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
<VulnDiscussion>If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized us...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All OL 8 local interactive users must have a home directory assigned in the "/etc/passwd" file.
<VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files th...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All OL 8 local interactive user home directories must have mode "0750" or less permissive.
<VulnDiscussion>Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.&...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All OL 8 local interactive user home directory files must have mode "0750" or less permissive.
<VulnDiscussion>Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.&...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All OL 8 local interactive user home directories must be group-owned by the home directory owner's primary group.
<VulnDiscussion>If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, th...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
<VulnDiscussion>If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be abl...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All OL 8 local interactive user home directories defined in the "/etc/passwd" file must exist.
<VulnDiscussion>If a local interactive user has a home directory defined that does not exist, the user may be given access to the "/" directo...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All OL 8 local interactive user accounts must be assigned a home directory upon creation.
<VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files th...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All OL 8 local initialization files must have mode "0740" or less permissive.
<VulnDiscussion>Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these fil...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.