Skip to content
Log In

DRAFT - Protection Profile for General Purpose Operating Systems

Rules and Groups employed by this XCCDF Profile

  • Configure auditing of unsuccessful permission changes

    Ensure that unsuccessful attempts to change file or directory permissions are audited. The following rules configure audit as described above: <pre>## Unsuccessful permission change -a always,exit...
    Rule Medium Severity
    Show

  • Configure auditing of successful permission changes

    Ensure that successful attempts to modify permissions of files or directories are audited. The following rules configure audit as described above: <pre>## Successful permission change -a always,ex...
    Rule Medium Severity
    Show

  • GRUB2 bootloader configuration

    During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows for the selection of different kernels - possibly ...
    Group
    Show

  • Configure kernel to trust the CPU random number generator

    There exist two ways how to ensure that the Linux kernel trusts the CPU hardware random number generator. If the option is configured during kernel compilation, e.g. the option <code>CONFIG_RANDOM_...
    Rule Medium Severity
    Show

  • Enable Kernel Page-Table Isolation (KPTI)

    To enable Kernel page-table isolation, add the argument <code>pti=on</code> to the default GRUB 2 command line for the Linux operating system. To ensure that <code>pti=on</code> is added as a kerne...
    Rule Low Severity
    Show

  • Disable vsyscalls

    To disable use of virtual syscalls, add the argument <code>vsyscall=none</code> to the default GRUB 2 command line for the Linux operating system. To ensure that <code>vsyscall=none</code> is added...
    Rule Medium Severity
    Show

  • UEFI GRUB2 bootloader configuration

    UEFI GRUB2 bootloader configuration
    Group
    Show

  • Set the UEFI Boot Loader Password

    The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br> <br> Since plaintext passwords are a security risk, generate a hash...
    Rule High Severity
    Show

  • Configure Syslog

    The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lack of authentication for received messages, and lac...
    Group
    Show

  • Ensure rsyslog-gnutls is installed

    TLS protocol support for rsyslog is installed. The rsyslog-gnutls package can be installed with the following command: 
    $ sudo yum install rsyslog-gnutls
    Rule Medium Severity
    Show

  • Ensure rsyslog is Installed

    Rsyslog is installed by default. The rsyslog package can be installed with the following command: 
     $ sudo yum install rsyslog
    Rule Medium Severity
    Show

  • Rsyslog Logs Sent To Remote Host

    If system logs are to be useful in detecting malicious activities, it is necessary to send logs to a remote server. An intruder who has compromised the root account on a system may delete the log e...
    Group
    Show

  • Configure TLS for rsyslog remote logging

    Configure <code>rsyslog</code> to use Transport Layer Security (TLS) support for logging to remote server for the Forwarding Output Module in <code>/etc/rsyslog.conf</code> using action. You can us...
    Rule Medium Severity
    Show

  • Configure CA certificate for rsyslog remote logging

    Configure CA certificate for <code>rsyslog</code> logging to remote server using Transport Layer Security (TLS) using correct path for the <code>DefaultNetstreamDriverCAFile</code> global option in...
    Rule Medium Severity
    Show

  • Network Configuration and Firewalls

    Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses the security impact of decisions about networking wh...
    Group
    Show

  • firewalld

    The dynamic firewall daemon <code>firewalld</code> provides a dynamically managed firewall with support for network “zones” to assign a level of trust to a network and its associated connections an...
    Group
    Show

  • Inspect and Activate Default firewalld Rules

    Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. <code>NetworkManager</code>...
    Group
    Show

  • Install firewalld Package

    The firewalld package can be installed with the following command: 
    $ sudo yum install firewalld
    Rule Medium Severity
    Show

  • Verify firewalld Enabled

    The firewalld service can be enabled with the following command: 
    $ sudo systemctl enable firewalld.service
    Rule Medium Severity
    Show

  • IPv6

    The system includes support for Internet Protocol version 6. A major and often-mentioned improvement over IPv4 is its enormous increase in the number of available addresses. Another important featu...
    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules