Skip to content

DRAFT - Protection Profile for General Purpose Operating Systems

Rules and Groups employed by this XCCDF Profile

  • Restrict Access to Kernel Message Buffer

    To set the runtime status of the <code>kernel.dmesg_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.dmesg...
    Rule Low Severity
  • Disable Kernel Image Loading

    To set the runtime status of the <code>kernel.kexec_load_disabled</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel....
    Rule Medium Severity
  • Restrict usage of ptrace to descendant processes

    To set the runtime status of the <code>kernel.yama.ptrace_scope</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.ya...
    Rule Medium Severity
  • Disable Core Dumps

    A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases,...
    Group
  • Disable Core Dumps for All Users

    To disable core dumps for all users, add the following line to <code>/etc/security/limits.conf</code>, or to a file within the <code>/etc/security/...
    Rule Medium Severity
  • Enable ExecShield

    ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These featu...
    Group
  • Restrict Exposed Kernel Pointer Addresses Access

    To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_r...
    Rule Medium Severity
  • Memory Poisoning

    Memory Poisoning consists of writing a special value to uninitialized or freed memory. Poisoning can be used as a mechanism to prevent leak of info...
    Group
  • Enable page allocator poisoning

    To enable poisoning of free pages, add the argument <code>page_poison=1</code> to the default GRUB 2 command line for the Linux operating system. T...
    Rule Medium Severity
  • Enable SLUB/SLAB allocator poisoning

    To enable poisoning of SLUB/SLAB objects, add the argument <code>slub_debug=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_slub_debug...
    Rule Medium Severity
  • SELinux

    SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that p...
    Group
  • Configure SELinux Policy

    The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To config...
    Rule Medium Severity
  • Ensure SELinux State is Enforcing

    The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub><...
    Rule High Severity
  • Services

    The best protection against vulnerable software is running less software. This section describes how to review the software which Oracle Linux 7 in...
    Group
  • Base Services

    This section addresses the base services that are installed on a Oracle Linux 7 default installation which are not covered in other sections. Some ...
    Group
  • Uninstall Automatic Bug Reporting Tool (abrt)

    The Automatic Bug Reporting Tool (<code>abrt</code>) collects and reports crash data when an application crash is detected. Using a variety of plug...
    Rule Medium Severity
  • Disable KDump Kernel Crash Analyzer (kdump)

    The <code>kdump</code> service provides a kernel crash dump analyzer. It uses the <code>kexec</code> system call to boot a secondary kernel ("captu...
    Rule Medium Severity
  • NFS and RPC

    The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circ...
    Group
  • Disable All NFS Services if Possible

    If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable sub...
    Group
  • Disable Services Used Only by NFS

    If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. <br><br> All of these daemons run with elevated privileges, a...
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules