Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Rules and Groups employed by this XCCDF Profile
-
Configure auditing of unsuccessful permission changes
Ensure that unsuccessful attempts to change file or directory permissions are audited. The following rules configure audit as described above: <pr...Rule Medium Severity -
Configure auditing of successful permission changes
Ensure that successful attempts to modify permissions of files or directories are audited. The following rules configure audit as described above:...Rule Medium Severity -
GRUB2 bootloader configuration
During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows ...Group -
Configure kernel to trust the CPU random number generator
There exist two ways how to ensure that the Linux kernel trusts the CPU hardware random number generator. If the option is configured during kernel...Rule Medium Severity -
Enable Kernel Page-Table Isolation (KPTI)
To enable Kernel page-table isolation, add the argument <code>pti=on</code> to the default GRUB 2 command line for the Linux operating system. To e...Rule Low Severity -
Disable vsyscalls
To disable use of virtual syscalls, add the argument <code>vsyscall=none</code> to the default GRUB 2 command line for the Linux operating system. ...Rule Medium Severity -
UEFI GRUB2 bootloader configuration
UEFI GRUB2 bootloader configurationGroup -
Set the UEFI Boot Loader Password
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> Since plaintext passw...Rule High Severity -
Configure Syslog
The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lac...Group -
Ensure rsyslog-gnutls is installed
TLS protocol support for rsyslog is installed. The <code>rsyslog-gnutls</code> package can be installed with the following command: <pre> $ sudo y...Rule Medium Severity -
Ensure rsyslog is Installed
Rsyslog is installed by default. Thersyslogpackage can be installed with the following command:$ sudo yum install rsyslog
Rule Medium Severity -
Rsyslog Logs Sent To Remote Host
If system logs are to be useful in detecting malicious activities, it is necessary to send logs to a remote server. An intruder who has compromised...Group -
Configure TLS for rsyslog remote logging
Configure <code>rsyslog</code> to use Transport Layer Security (TLS) support for logging to remote server for the Forwarding Output Module in <code...Rule Medium Severity -
Configure CA certificate for rsyslog remote logging
Configure CA certificate for <code>rsyslog</code> logging to remote server using Transport Layer Security (TLS) using correct path for the <code>De...Rule Medium Severity -
Network Configuration and Firewalls
Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses th...Group -
firewalld
The dynamic firewall daemon <code>firewalld</code> provides a dynamically managed firewall with support for network “zones” to assign a level of tr...Group -
Inspect and Activate Default firewalld Rules
Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffi...Group -
Install firewalld Package
Thefirewalldpackage can be installed with the following command:$ sudo yum install firewalld
Rule Medium Severity -
Verify firewalld Enabled
Thefirewalldservice can be enabled with the following command:$ sudo systemctl enable firewalld.service
Rule Medium Severity -
IPv6
The system includes support for Internet Protocol version 6. A major and often-mentioned improvement over IPv4 is its enormous increase in the numb...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.