DRAFT - Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Rules and Groups employed by this XCCDF Profile
-
Install dnf-automatic Package
Thednf-automaticpackage can be installed with the following command:$ sudo yum install dnf-automatic
Rule Medium Severity -
Configure dnf-automatic to Install Available Updates Automatically
To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]...Rule Medium Severity -
Ensure gpgcheck Enabled In Main yum Configuration
The <code>gpgcheck</code> option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the ...Rule High Severity -
Ensure gpgcheck Enabled for Local Packages
<code>yum</code> should be configured to verify the signature(s) of local packages prior to installation. To configure <code>yum</code> to verify signatures of local packages, set the <code>localpk...Rule High Severity -
Ensure gpgcheck Enabled for All yum Package Repositories
To ensure signature checking is not disabled for any repos, remove any lines from files in/etc/yum.repos.dof the form:gpgcheck=0
Rule High Severity -
Ensure Oracle Linux GPG Key Installed
To ensure the system can cryptographically verify base software packages come from Oracle (and to connect to the Unbreakable Linux Network to receive them), the Oracle GPG key must properly be inst...Rule High Severity -
Enable dnf-automatic Timer
Thednf-automatictimer can be enabled with the following command:$ sudo systemctl enable dnf-automatic.timer
Rule Medium Severity -
Account and Access Control
In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which that account has access. Therefore, making it mor...Group -
Enable authselect
Configure user authentication setup to use the <code>authselect</code> tool. If authselect profile is selected, the rule will enable the <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var...Rule Medium Severity -
Protect Accounts by Configuring PAM
PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and configurable architecture for authentication, and it sh...Group -
Set Lockouts for Failed Password Attempts
The <code>pam_faillock</code> PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentation is available in <code>/usr/share/doc/pam-VERSIO...Group -
Lock Accounts After Failed Password Attempts
This rule configures the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>. pam_faillock.so module requires multiple entries in pam files. Th...Rule Medium Severity -
Set Interval For Counting Failed Password Attempts
Utilizing <code>pam_faillock.so</code>, the <code>fail_interval</code> directive configures the system to lock out an account after a number of incorrect login attempts within a specified time peri...Rule Medium Severity -
Set Lockout Time for Failed Password Attempts
This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using <code>pam_faillock.so</code>. Ensure that the file <code>/etc/s...Rule Medium Severity -
Set Password Quality Requirements
The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure passwords are not similar to dictionary words, are of...Group -
Set Password Quality Requirements with pam_pwquality
The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br> <br> For example, to configure <code>pam_pwquality</code> to require at lea...Group -
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
The pam_pwquality module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many ...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
The pam_pwquality module's <code>lcredit</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Length
The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_val...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Special Characters
The pam_pwquality module's <code>ocredit=</code> parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be requ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.