Skip to content

DRAFT - Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

Rules and Groups employed by this XCCDF Profile

  • Configure tmux to lock session after inactivity

    To enable console screen locking in <code>tmux</code> terminal multiplexer after a period of inactivity, the <code>lock-after-time</code> option has to be set to a value greater than 0 and less tha...
    Rule Medium Severity
  • Configure the tmux Lock Command

    To enable console screen locking in <code>tmux</code> terminal multiplexer, the <code>vlock</code> command must be configured to be used as a locking mechanism. Add the following line to <code>/etc...
    Rule Medium Severity
  • Prevent user from disabling the screen lock

    The tmux terminal multiplexer is used to implement automatic session locking. It should not be listed in /etc/shells.
    Rule Low Severity
  • Protect Accounts by Restricting Password-Based Login

    Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness using the <code>/etc/passwd</code> and <code>/etc/...
    Group
  • Verify Proper Storage and Existence of Password Hashes

    By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be readable only by processes running with root credent...
    Group
  • Prevent Login to Accounts With Empty Password

    If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the <code>...
    Rule High Severity
  • Restrict Root Logins

    Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivileged account, and then use <code>su</code> or <cod...
    Group
  • Enforce usage of pam_wheel for su authentication

    To ensure that only users who are members of the <code>wheel</code> group can run commands with altered privileges through the <code>su</code> command, make sure that the following line exists in t...
    Rule Medium Severity
  • System Accounting with auditd

    The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and certain types of security-relevant events such as s...
    Group
  • Ensure the audit Subsystem is Installed

    The audit package should be installed.
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules