Oracle Linux 8 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
OL 8 operating systems must require authentication upon booting into rescue mode.
<VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes em...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
<GroupDescription></GroupDescription>Group -
OL 8 operating systems must require authentication upon booting into emergency mode.
<VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes em...Rule Medium Severity -
SRG-OS-000120-GPOS-00061
<GroupDescription></GroupDescription>Group -
The OL 8 "pam_unix.so" module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be r...Rule Medium Severity -
SRG-OS-000120-GPOS-00061
<GroupDescription></GroupDescription>Group -
The OL 8 "pam_unix.so" module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be r...Rule Medium Severity -
SRG-OS-000120-GPOS-00061
<GroupDescription></GroupDescription>Group -
OL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise...Rule Medium Severity -
SRG-OS-000021-GPOS-00005
<GroupDescription></GroupDescription>Group -
OL 8 systems below version 8.2 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise...Rule Medium Severity -
SRG-OS-000021-GPOS-00005
<GroupDescription></GroupDescription>Group -
OL 8 must prevent system daemons from using Kerberos for authentication.
<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be r...Rule Medium Severity -
SRG-OS-000120-GPOS-00061
<GroupDescription></GroupDescription>Group -
The krb5-workstation package must not be installed on OL 8.
<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be r...Rule Medium Severity -
SRG-OS-000120-GPOS-00061
<GroupDescription></GroupDescription>Group -
The krb5-server package must not be installed on OL 8.
<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be r...Rule Medium Severity -
SRG-OS-000134-GPOS-00068
<GroupDescription></GroupDescription>Group -
OL 8 must use a Linux Security Module configured to enforce limits on system services.
<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed...Rule Medium Severity -
SRG-OS-000134-GPOS-00068
<GroupDescription></GroupDescription>Group -
OL 8 systems, versions 8.2 and above, must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise...Rule Medium Severity -
SRG-OS-000021-GPOS-00005
<GroupDescription></GroupDescription>Group -
OL 8 systems below version 8.2 must ensure account lockouts persist.
<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise...Rule Medium Severity -
SRG-OS-000021-GPOS-00005
<GroupDescription></GroupDescription>Group -
OL 8 systems, versions 8.2 and above, must ensure account lockouts persist.
<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise...Rule Medium Severity -
SRG-OS-000021-GPOS-00005
<GroupDescription></GroupDescription>Group -
OL 8 must have the "policycoreutils" package installed.
<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed...Rule Low Severity -
SRG-OS-000138-GPOS-00069
<GroupDescription></GroupDescription>Group -
The OL 8 SSH daemon must be configured to use system-wide crypto policies.
<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote acce...Rule Medium Severity -
SRG-OS-000125-GPOS-00065
<GroupDescription></GroupDescription>Group -
OL 8 systems below version 8.2 must prevent system messages from being presented when three unsuccessful logon attempts occur.
<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise...Rule Medium Severity -
SRG-OS-000021-GPOS-00005
<GroupDescription></GroupDescription>Group -
The OL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.
<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote acc...Rule Medium Severity -
SRG-OS-000250-GPOS-00093
<GroupDescription></GroupDescription>Group -
SRG-OS-000259-GPOS-00100
<GroupDescription></GroupDescription>Group -
OL 8 library files must be owned by root.
<VulnDiscussion>If OL 8 were to allow any user to make changes to software libraries, those changes might be implemented without undergoing t...Rule Medium Severity -
SRG-OS-000259-GPOS-00100
<GroupDescription></GroupDescription>Group -
OL 8 library files must be group-owned by root.
<VulnDiscussion>If OL 8 were to allow any user to make changes to software libraries, those changes might be implemented without undergoing t...Rule Medium Severity -
SRG-OS-000363-GPOS-00150
<GroupDescription></GroupDescription>Group -
OL 8 systems, versions 8.2 and above, must prevent system messages from being presented when three unsuccessful logon attempts occur.
<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise...Rule Medium Severity -
SRG-OS-000021-GPOS-00005
<GroupDescription></GroupDescription>Group -
The OL 8 file integrity tool must notify the System Administrator (SA) when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.
<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized ...Rule Medium Severity -
SRG-OS-000366-GPOS-00153
<GroupDescription></GroupDescription>Group -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must restrict privilege elevation to authorized personnel.
<VulnDiscussion>The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their pa...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must use the invoking user's password for privilege escalation when using "sudo".
<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authe...Rule Medium Severity -
SRG-OS-000373-GPOS-00156
<GroupDescription></GroupDescription>Group -
OL 8 must require re-authentication when using the "sudo" command.
<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When opera...Rule Medium Severity -
SRG-OS-000375-GPOS-00160
<GroupDescription></GroupDescription>Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.