DRAFT - Protection Profile for General Purpose Operating Systems
Rules and Groups employed by this XCCDF Profile
-
System Settings
Contains rules that check correct system settings.Group -
Installing and Maintaining Software
The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of s...Group -
System and Software Integrity
System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software,...Group -
Software Integrity Checking
Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integr...Group -
Verify Integrity with AIDE
AIDE conducts integrity checks by comparing information about files with previously-gathered information. Ideally, the AIDE database is created imm...Group -
Install AIDE
Theaidepackage can be installed with the following command:$ sudo yum install aide
Rule Medium Severity -
Federal Information Processing Standard (FIPS)
The Federal Information Processing Standard (FIPS) is a computer security standard which is developed by the U.S. Government and industry working g...Group -
Enable Dracut FIPS Module
To enable FIPS mode, run the following command: <pre>fips-mode-setup --enable</pre> To enable FIPS, the system requires that the <code>fips</code> ...Rule High Severity -
Enable FIPS Mode
To enable FIPS mode, run the following command: <pre>fips-mode-setup --enable</pre> <br> The <code>fips-mode-setup</code> command will configure t...Rule High Severity -
System Cryptographic Policies
Linux has the capability to centrally configure cryptographic polices. The command <code>update-crypto-policies</code> is used to set the policy ap...Group -
Install crypto-policies package
Thecrypto-policiespackage can be installed with the following command:$ sudo yum install crypto-policies
Rule Medium Severity -
Configure BIND to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. BIND is supported by crypto policy, but the BIND confi...Rule High Severity -
Configure System Cryptography Policy
To configure the system cryptography policy to use ciphers only from the <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_system_...Rule High Severity -
Configure Kerberos to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Kerberos is supported by crypto policy, but it's confi...Rule High Severity -
Configure Libreswan to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Libreswan is supported by system crypto policy, but th...Rule High Severity -
Configure OpenSSL library to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSL is supported by crypto policy, but the OpenSSL...Rule Medium Severity -
Configure SSH to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configu...Rule Medium Severity -
OpenSSL uses strong entropy source
By default, OpenSSL doesn't always use a SP800-90A compliant random number generator. A way to configure OpenSSL to always use a strong source is t...Rule Medium Severity -
Disk Partitioning
To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logic...Group -
Ensure /home Located On Separate Partition
If user home directories will be stored locally, create a separate partition for <code>/home</code> at installation time (or migrate it later using...Rule Low Severity -
Ensure /var Located On Separate Partition
The <code>/var</code> directory is used by daemons and other system services to store frequently-changing data. Ensure that <code>/var</code> has i...Rule Low Severity -
Ensure /var/log Located On Separate Partition
System logs are stored in the <code>/var/log</code> directory. Ensure that <code>/var/log</code> has its own partition or logical volume at instal...Rule Low Severity -
Ensure /var/log/audit Located On Separate Partition
Audit logs are stored in the <code>/var/log/audit</code> directory. Ensure that <code>/var/log/audit</code> has its own partition or logical volum...Rule Low Severity -
Ensure /var/tmp Located On Separate Partition
The <code>/var/tmp</code> directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volum...Rule Medium Severity -
Sudo
<code>Sudo</code>, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrato...Group -
Install sudo Package
Thesudopackage can be installed with the following command:$ sudo yum install sudo
Rule Medium Severity -
System Tooling / Utilities
The following checks evaluate the system for recommended base packages -- both for installation and removal.Group -
Ensure gnutls-utils is installed
Thegnutls-utilspackage can be installed with the following command:$ sudo yum install gnutls-utils
Rule Medium Severity -
Install openscap-scanner Package
Theopenscap-scannerpackage can be installed with the following command:$ sudo yum install openscap-scanner
Rule Medium Severity -
Install scap-security-guide Package
Thescap-security-guidepackage can be installed with the following command:$ sudo yum install scap-security-guide
Rule Medium Severity -
Uninstall abrt-addon-ccpp Package
Theabrt-addon-ccpppackage can be removed with the following command:$ sudo yum erase abrt-addon-ccpp
Rule Low Severity -
Uninstall abrt-addon-kerneloops Package
Theabrt-addon-kerneloopspackage can be removed with the following command:$ sudo yum erase abrt-addon-kerneloops
Rule Low Severity -
Uninstall abrt-cli Package
Theabrt-clipackage can be removed with the following command:$ sudo yum erase abrt-cli
Rule Low Severity -
Uninstall abrt-plugin-sosreport Package
Theabrt-plugin-sosreportpackage can be removed with the following command:$ sudo yum erase abrt-plugin-sosreport
Rule Low Severity -
Uninstall gssproxy Package
Thegssproxypackage can be removed with the following command:$ sudo yum erase gssproxy
Rule Medium Severity -
Uninstall iprutils Package
Theiprutilspackage can be removed with the following command:$ sudo yum erase iprutils
Rule Medium Severity -
Uninstall krb5-workstation Package
Thekrb5-workstationpackage can be removed with the following command:$ sudo yum erase krb5-workstation
Rule Medium Severity -
Uninstall libreport-plugin-logger Package
Thelibreport-plugin-loggerpackage can be removed with the following command:$ sudo yum erase libreport-plugin-logger
Rule Low Severity -
Uninstall libreport-plugin-rhtsupport Package
The <code>libreport-plugin-rhtsupport</code> package can be removed with the following command: <pre> $ sudo yum erase libreport-plugin-rhtsupport<...Rule Low Severity -
Updating Software
The <code>yum</code> command line tool is used to install and update software packages. The system also provides a graphical software update tool i...Group -
Install dnf-automatic Package
Thednf-automaticpackage can be installed with the following command:$ sudo yum install dnf-automatic
Rule Medium Severity -
Configure dnf-automatic to Install Available Updates Automatically
To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates...Rule Medium Severity -
Configure dnf-automatic to Install Only Security Updates
To configure <code>dnf-automatic</code> to install only security updates automatically, set <code>upgrade_type</code> to <code>security</code> unde...Rule Low Severity -
Ensure gpgcheck Enabled In Main yum Configuration
The <code>gpgcheck</code> option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check pack...Rule High Severity -
Ensure gpgcheck Enabled for Local Packages
<code>yum</code> should be configured to verify the signature(s) of local packages prior to installation. To configure <code>yum</code> to verify s...Rule High Severity -
Ensure gpgcheck Enabled for All yum Package Repositories
To ensure signature checking is not disabled for any repos, remove any lines from files in <code>/etc/yum.repos.d</code> of the form: <pre>gpgcheck...Rule High Severity -
Ensure Oracle Linux GPG Key Installed
To ensure the system can cryptographically verify base software packages come from Oracle (and to connect to the Unbreakable Linux Network to recei...Rule High Severity -
Enable dnf-automatic Timer
Thednf-automatictimer can be enabled with the following command:$ sudo systemctl enable dnf-automatic.timer
Rule Medium Severity -
Account and Access Control
In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which...Group -
Protect Accounts by Configuring PAM
PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and confi...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.