Guide to the Secure Configuration of openEuler 2203
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The Chronyd service is enabled
chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a ...Rule Medium Severity -
Enable the NTP Daemon
Thentpdservice can be enabled with the following command:$ sudo systemctl enable ntpd.service
Rule Medium Severity -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of s...Rule Medium Severity -
Configure server restrictions for ntpd
ntpd is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use ...Rule Medium Severity -
Specify a Remote NTP Server
To specify a remote NTP server for time synchronization, edit the file <code>/etc/ntp.conf</code>. Add or correct the following lines, substituting...Rule Medium Severity -
Account and Access Control
In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which...Group -
Action for auditd to take when disk space just starts to run low
The setting for space_left_action in /etc/audit/auditd.confValue -
Disable DHCP Server
The DHCP server <code>dhcpd</code> is not installed or activated by default. If the software was installed and activated, but the system does not n...Group -
Remove tftp Daemon
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files betw...Rule Low Severity -
DNS Server
Most organizations have an operational need to run at least one nameserver. However, there are many common attacks involving DNS server software, a...Group -
Disable DNS Server
DNS software should be disabled on any systems which does not need to be a nameserver. Note that the BIND DNS server software is not installed on o...Group -
Samba(SMB) Microsoft Windows File Sharing Server
When properly configured, the Samba service allows Linux systems to provide file and print sharing to Microsoft Windows systems. There are two soft...Group -
SSH Max authentication attempts
Specify the maximum number of authentication attempts per connection.Value -
SSH Strong KEX by FIPS
Specify the FIPS approved KEXs (Key Exchange Algorithms) algorithms that are used for methods in cryptography by which cryptographic keys are exch...Value -
SSH Strong MACs by FIPS
Specify the FIPS approved MACs (Message Authentication Code) algorithms that are used for data integrity protection by the SSH server.Value -
SSH Max Sessions Count
Specify the maximum number of open sessions permitted.Value -
Configure OpenSSH Server if Necessary
If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_confi...Group -
SSH LoginGraceTime setting
Configure parameters for how long the servers stays connected before the user has successfully logged inValue -
SSH MaxStartups setting
Configure parameters for maximum concurrent unauthenticated connections to the SSH daemon.Value -
Verify Permissions on Important Files and Directories
Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses impo...Group -
Record Information on the Use of Privileged Commands
At a minimum, the audit system should collect the execution of privileged commands for all users and root.Group -
Verify Permissions on Files with Local Account Information and Credentials
The default restrictive permissions for files which act as important security databases such as <code>passwd</code>, <code>shadow</code>, <code>gro...Group -
Verify Group Who Owns Backup gshadow File
To properly set the group owner of/etc/gshadow-, run the command:$ sudo chgrp root /etc/gshadow-
Rule Medium Severity -
Verify Group Who Owns shadow File
To properly set the group owner of/etc/shadow, run the command:$ sudo chgrp root /etc/shadow
Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Enforce for root User
The pam_pwquality module's <code>enforce_for_root</code> parameter controls requirements for enforcing password complexity for the root user. Enabl...Rule Medium Severity -
Set Password Hashing Algorithm
The system's default algorithm for storing password hashes in/etc/shadowis SHA-512. This can be configured in several locations.Group -
Protect Accounts by Restricting Password-Based Login
Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness ...Group -
Ensure All Accounts on the System Have Unique User IDs
Change user IDs (UIDs), or delete accounts, so each has a unique name.Rule Medium Severity -
Ensure All Groups on the System Have Unique Group ID
Change the group name or delete groups, so each has a unique id.Rule Medium Severity -
Ensure All Groups on the System Have Unique Group Names
Change the group name or delete groups, so each has a unique name.Rule Medium Severity -
Verify Permissions on gshadow File
To properly set the permissions of/etc/gshadow, run the command:$ sudo chmod 0000 /etc/gshadow
Rule Medium Severity -
Ensure All Accounts on the System Have Unique Names
Ensure accounts on the system have unique names. To ensure all accounts have unique names, run the following command: <pre>$ sudo getent passwd | ...Rule Medium Severity -
Verify No .forward Files Exist
The.forwardfile specifies an email address to forward the user's mail to.Rule Medium Severity -
Verify No netrc Files Exist
The <code>.netrc</code> files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files ma...Rule Medium Severity -
Restrict Partition Mount Options
System partitions can be mounted with certain options that limit what files on those partitions can do. These options are set in the <code>/etc/fst...Group -
Sensible umask
Enter default user umaskValue -
System Accounting with auditd
The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and c...Group -
Removable Partition
This value is used by the checks mount_option_nodev_removable_partitions, mount_option_nodev_removable_partitions, and mount_option_nodev_removable...Value -
Add nodev Option to Removable Media Partitions
The <code>nodev</code> mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices sho...Rule Medium Severity -
Add noexec Option to Removable Media Partitions
The <code>noexec</code> mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binari...Rule Medium Severity -
Restrict Programs from Dangerous Execution Patterns
The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution ar...Group -
Enable ExecShield
ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These featu...Group -
kernel.kptr_restrict
Configure exposition of kernel pointer addressesValue -
Disable Apache if Possible
If Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system.Group -
Configure auditd admin_space_left Action on Low Disk Space
The <code>auditd</code> service can be configured to take an action when disk space is running low but prior to running out of space completely. Ed...Rule Medium Severity -
Non-UEFI GRUB2 bootloader configuration
Non-UEFI GRUB2 bootloader configurationGroup -
UEFI GRUB2 bootloader configuration
UEFI GRUB2 bootloader configurationGroup -
Kernel Configuration
Contains rules that check the kernel configuration that was used to build it.Group -
Enable seccomp to safely compute untrusted bytecode
This kernel feature is useful for number crunching applications that may need to compute untrusted bytecode during their execution. By using pipes ...Rule Medium Severity -
Ensure rsyslog Default File Permissions Configured
rsyslog will create logfiles that do not already exist on the system. This settings controls what permissions will be applied to these newly create...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.