DRAFT - Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Rules and Groups employed by this XCCDF Profile
-
Disable acquiring, saving, and processing core dumps
The <code>systemd-coredump.socket</code> unit is a socket activation of the <code>systemd-coredump@.service</code> which processes core dumps. By m...Rule Medium Severity -
Disable core dump backtraces
The <code>ProcessSizeMax</code> option in <code>[Coredump]</code> section of <code>/etc/systemd/coredump.conf</code> specifies the maximum size in ...Rule Medium Severity -
Disable storing core dump
The <code>Storage</code> option in <code>[Coredump]</code> sectionof <code>/etc/systemd/coredump.conf</code> can be set to <code>none</code> to dis...Rule Medium Severity -
Disable Core Dumps for All Users
To disable core dumps for all users, add the following line to <code>/etc/security/limits.conf</code>, or to a file within the <code>/etc/security/...Rule Medium Severity -
Enable ExecShield
ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These featu...Group -
Restrict Exposed Kernel Pointer Addresses Access
To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_r...Rule Medium Severity -
SELinux
SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that p...Group -
Install policycoreutils-python-utils package
The <code>policycoreutils-python-utils</code> package can be installed with the following command: <pre> $ sudo yum install policycoreutils-python-...Rule Medium Severity -
Install policycoreutils Package
Thepolicycoreutilspackage can be installed with the following command:$ sudo yum install policycoreutils
Rule Low Severity -
Configure SELinux Policy
The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To config...Rule Medium Severity -
Ensure SELinux State is Enforcing
The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub><...Rule High Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Oracle Linux 9 in...Group -
Base Services
This section addresses the base services that are installed on a Oracle Linux 9 default installation which are not covered in other sections. Some ...Group -
Disable KDump Kernel Crash Analyzer (kdump)
The <code>kdump</code> service provides a kernel crash dump analyzer. It uses the <code>kexec</code> system call to boot a secondary kernel ("captu...Rule Medium Severity -
Application Whitelisting Daemon
Fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. Applications that are known via a reputatio...Group -
Install fapolicyd Package
Thefapolicydpackage can be installed with the following command:$ sudo yum install fapolicyd
Rule Medium Severity -
Enable the File Access Policy Service
The File Access Policy service should be enabled. The <code>fapolicyd</code> service can be enabled with the following command: <pre>$ sudo system...Rule Medium Severity -
Kerberos
The Kerberos protocol is used for authentication across non-secure network. Authentication can happen between various types of principals -- users,...Group -
Mail Server Software
Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious target...Group -
Uninstall Sendmail Package
Sendmail is not the default mail transfer agent and is not installed by default. The <code>sendmail</code> package can be removed with the followin...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.