Oracle Linux 8 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option mus...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option mus...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option mus...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must prevent special devices on non-root local partitions.
<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 file systems must not interpret character or block special devices from untrusted file systems.
<VulnDiscussion>The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or block ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 file systems must not execute binary files on removable media.
<VulnDiscussion>The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file syste...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option mus...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 file systems must not execute binary files that are imported via Network File System (NFS).
<VulnDiscussion>The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file syste...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 file systems must not interpret character or block special devices that are imported via NFS.
<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option mus...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
Local OL 8 initialization files must not execute world-writable programs.
<VulnDiscussion>If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modi...Rule Medium Severity -
SRG-OS-000269-GPOS-00103
<GroupDescription></GroupDescription>Group -
OL 8 must disable kernel dumps unless needed.
<VulnDiscussion>Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a co...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must disable the "kernel.core_pattern".
<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission ob...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must disable acquiring, saving, and processing core dumps.
<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission ob...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must disable core dumps for all users.
<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission ob...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must disable storing core dumps.
<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission ob...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must disable core dump backtraces.
<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission ob...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
For OL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
<VulnDiscussion>To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolut...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
Executable search paths within the initialization files of all local interactive OL 8 users must only contain paths that resolve to the system default or the user's home directory.
<VulnDiscussion>The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search t...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All OL 8 world-writable directories must be owned by root, sys, bin, or an application user.
<VulnDiscussion>If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All OL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
<VulnDiscussion>If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized us...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All OL 8 local interactive users must have a home directory assigned in the "/etc/passwd" file.
<VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files th...Rule Medium Severity -
All OL 8 local interactive user home directories must be group-owned by the home directory owner's primary group.
<VulnDiscussion>If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, th...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
OL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
<VulnDiscussion>If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be abl...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All OL 8 local interactive user home directories defined in the "/etc/passwd" file must exist.
<VulnDiscussion>If a local interactive user has a home directory defined that does not exist, the user may be given access to the "/" directo...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.