Guide to the Secure Configuration of openEuler 2203
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Restrict Programs from Dangerous Execution Patterns
The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution ar...Group -
Enable ExecShield
ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These featu...Group -
kernel.kptr_restrict
Configure exposition of kernel pointer addressesValue -
Disable Apache if Possible
If Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system.Group -
Configure auditd admin_space_left Action on Low Disk Space
The <code>auditd</code> service can be configured to take an action when disk space is running low but prior to running out of space completely. Ed...Rule Medium Severity -
Non-UEFI GRUB2 bootloader configuration
Non-UEFI GRUB2 bootloader configurationGroup -
UEFI GRUB2 bootloader configuration
UEFI GRUB2 bootloader configurationGroup -
Kernel Configuration
Contains rules that check the kernel configuration that was used to build it.Group -
Enable seccomp to safely compute untrusted bytecode
This kernel feature is useful for number crunching applications that may need to compute untrusted bytecode during their execution. By using pipes ...Rule Medium Severity -
Ensure rsyslog Default File Permissions Configured
rsyslog will create logfiles that do not already exist on the system. This settings controls what permissions will be applied to these newly create...Rule Medium Severity -
System Settings
Contains rules that check correct system settings.Group -
Installing and Maintaining Software
The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of s...Group -
System and Software Integrity
System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software,...Group -
Install AIDE
Theaidepackage can be installed with the following command:$ sudo dnf install aide
Rule Medium Severity -
Build and Test AIDE Database
Run the following command to generate a new database: <pre>$ sudo /usr/sbin/aide --init</pre> By default, the database will be written to the fil...Rule Medium Severity -
System Cryptographic Policies
Linux has the capability to centrally configure cryptographic polices. The command <code>update-crypto-policies</code> is used to set the policy ap...Group -
The system-provided crypto policies
Specify the crypto policy for the system.Value -
net.ipv4.conf.default.rp_filter
Enables source route verificationValue -
net.ipv4.conf.default.secure_redirects
Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure...Value -
net.ipv4.icmp_echo_ignore_broadcasts
Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicastValue
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.