Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Rules and Groups employed by this XCCDF Profile
-
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
The pam_pwquality module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, a...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Different Characters
The pam_pwquality module's <code>difok</code> parameter sets the number of characters in a password that must not be present in and old password du...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
The pam_pwquality module's <code>lcredit</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negativ...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class
The pam_pwquality module's <code>maxclassrepeat</code> parameter controls requirements for consecutive repeating characters from the same character...Rule Medium Severity -
Set Password Maximum Consecutive Repeating Characters
The pam_pwquality module's <code>maxrepeat</code> parameter controls requirements for consecutive repeating characters. When set to a positive numb...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Length
The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xcc...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Special Characters
The pam_pwquality module's <code>ocredit=</code> parameter controls requirements for usage of special (or "other") characters in a password. When s...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
The pam_pwquality module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negati...Rule Medium Severity -
Protect Physical Console Access
It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be co...Group -
Disable debug-shell SystemD Service
SystemD's <code>debug-shell</code> service is intended to diagnose SystemD related boot issues with various <code>systemctl</code> commands. Once e...Rule Medium Severity -
Disable Ctrl-Alt-Del Burst Action
By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed Ctrl-Alt-Delete more than 7 times ...Rule High Severity -
Disable Ctrl-Alt-Del Reboot Activation
By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed. <br><br> To configure the system ...Rule High Severity -
Verify that Interactive Boot is Disabled
Oracle Linux 7 systems support an "interactive boot" option that can be used to prevent services from being started. On a Oracle Linux 7 system, in...Rule Medium Severity -
Require Authentication for Single User Mode
Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. ...Rule Medium Severity -
Configure Screen Locking
When a user must temporarily leave an account logged-in, screen locking should be employed to prevent passersby from abusing the account. User educ...Group -
Configure Console Screen Locking
A console screen locking mechanism is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the in...Group -
Install the screen Package
To enable console screen locking, install the <code>screen</code> package. The <code>screen</code> package can be installed with the following comm...Rule Medium Severity -
Protect Accounts by Restricting Password-Based Login
Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness ...Group -
Set Password Expiration Parameters
The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>...Group -
Set Password Minimum Length in login.defs
To specify password length requirements for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PA...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.