Skip to content
Log In

DRAFT - DISA STIG for Oracle Linux 9

Rules and Groups employed by this XCCDF Profile

  • Restrict Access to Kernel Message Buffer

    To set the runtime status of the <code>kernel.dmesg_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.dmesg_restrict=1</pre> To make sure that the setting is...
    Rule Low Severity
    Show

  • Disable Kernel Image Loading

    To set the runtime status of the <code>kernel.kexec_load_disabled</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kexec_load_disabled=1</pre> To make sure that the ...
    Rule Medium Severity
    Show

  • Disallow kernel profiling by unprivileged users

    To set the runtime status of the <code>kernel.perf_event_paranoid</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.perf_event_paranoid=2</pre> To make sure that the ...
    Rule Low Severity
    Show

  • Disable Access to Network bpf() Syscall From Unprivileged Processes

    To set the runtime status of the <code>kernel.unprivileged_bpf_disabled</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1</pre> To make su...
    Rule Medium Severity
    Show

  • Restrict usage of ptrace to descendant processes

    To set the runtime status of the <code>kernel.yama.ptrace_scope</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.yama.ptrace_scope=1</pre> To make sure that the sett...
    Rule Medium Severity
    Show

  • Harden the operation of the BPF just-in-time compiler

    To set the runtime status of the <code>net.core.bpf_jit_harden</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.core.bpf_jit_harden=2</pre> To make sure that the settin...
    Rule Medium Severity
    Show

  • Disable the use of user namespaces

    To set the runtime status of the <code>user.max_user_namespaces</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w user.max_user_namespaces=0</pre> To make sure that the set...
    Rule Medium Severity
    Show

  • Disable Core Dumps

    A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases, only software developers legitimately need to acc...
    Group
    Show

  • Disable acquiring, saving, and processing core dumps

    The systemd-coredump.socket unit is a socket activation of the systemd-coredump@.service which processes core dumps. By masking the unit, core dump processing is disabled.
    Rule Medium Severity
    Show

  • Disable core dump backtraces

    The <code>ProcessSizeMax</code> option in <code>[Coredump]</code> section of <code>/etc/systemd/coredump.conf</code> specifies the maximum size in bytes of a core which will be processed. Core dump...
    Rule Medium Severity
    Show

  • Disable storing core dump

    The Storage option in [Coredump] sectionof /etc/systemd/coredump.conf can be set to none to disable storing core dumps permanently.
    Rule Medium Severity
    Show

  • Disable Core Dumps for All Users

    To disable core dumps for all users, add the following line to <code>/etc/security/limits.conf</code>, or to a file within the <code>/etc/security/limits.d/</code> directory: <pre>* hard core...
    Rule Medium Severity
    Show

  • Enable ExecShield

    ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These features include random placement of the stack and othe...
    Group
    Show

  • Restrict Exposed Kernel Pointer Addresses Access

    To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_restrict=<xccdf-1.2:sub idref="xccdf_org.ssgproject...
    Rule Medium Severity
    Show

  • Enable Randomized Layout of Virtual Address Space

    To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.randomize_va_space=2</pre> To make sure that the se...
    Rule Medium Severity
    Show

  • Memory Poisoning

    Memory Poisoning consists of writing a special value to uninitialized or freed memory. Poisoning can be used as a mechanism to prevent leak of information and detection of corrupted memory.
    Group
    Show

  • Enable page allocator poisoning

    To enable poisoning of free pages, add the argument <code>page_poison=1</code> to the default GRUB 2 command line for the Linux operating system. To ensure that <code>page_poison=1</code> is added ...
    Rule Medium Severity
    Show

  • Enable SLUB/SLAB allocator poisoning

    To enable poisoning of SLUB/SLAB objects, add the argument <code>slub_debug=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_slub_debug_options" use="legacy"></xccdf-1.2:sub> <...
    Rule Medium Severity
    Show

  • SELinux

    SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that programs should be limited in what files they can a...
    Group
    Show

  • Install policycoreutils-python-utils package

    The policycoreutils-python-utils package can be installed with the following command: 
    $ sudo yum install policycoreutils-python-utils
    Rule Medium Severity
    Show

  • Install policycoreutils Package

    The policycoreutils package can be installed with the following command: 
    $ sudo yum install policycoreutils
    Rule Low Severity
    Show

  • Configure SELinux Policy

    The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct ...
    Rule Medium Severity
    Show

  • Ensure SELinux State is Enforcing

    The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub></code> at system boot time. In the file <code>/et...
    Rule High Severity
    Show

  • Services

    The best protection against vulnerable software is running less software. This section describes how to review the software which Oracle Linux 9 installs on a system and disable software which is n...
    Group
    Show

  • Base Services

    This section addresses the base services that are installed on a Oracle Linux 9 default installation which are not covered in other sections. Some of these services listen on the network and should...
    Group
    Show

  • Disable KDump Kernel Crash Analyzer (kdump)

    The <code>kdump</code> service provides a kernel crash dump analyzer. It uses the <code>kexec</code> system call to boot a secondary kernel ("capture" kernel) following a system crash, which can lo...
    Rule Medium Severity
    Show

  • Cron and At Daemons

    The cron and at services are used to allow commands to be executed at a later time. The cron service is required by almost all systems to perform necessary maintenance tasks, while at may or may no...
    Group
    Show

  • Verify Group Who Owns cron.d

    To properly set the group owner of /etc/cron.d, run the command: 
    $ sudo chgrp root /etc/cron.d
    Rule Medium Severity
    Show

  • Verify Group Who Owns cron.daily

    To properly set the group owner of /etc/cron.daily, run the command: 
    $ sudo chgrp root /etc/cron.daily
    Rule Medium Severity
    Show

  • Verify Group Who Owns cron.hourly

    To properly set the group owner of /etc/cron.hourly, run the command: 
    $ sudo chgrp root /etc/cron.hourly
    Rule Medium Severity
    Show

  • Verify Group Who Owns cron.monthly

    To properly set the group owner of /etc/cron.monthly, run the command: 
    $ sudo chgrp root /etc/cron.monthly
    Rule Medium Severity
    Show

  • Verify Group Who Owns cron.weekly

    To properly set the group owner of /etc/cron.weekly, run the command: 
    $ sudo chgrp root /etc/cron.weekly
    Rule Medium Severity
    Show

  • Verify Group Who Owns Crontab

    To properly set the group owner of /etc/crontab, run the command: 
    $ sudo chgrp root /etc/crontab
    Rule Medium Severity
    Show

  • Verify Owner on cron.d

    To properly set the owner of /etc/cron.d, run the command: 
    $ sudo chown root /etc/cron.d
    Rule Medium Severity
    Show

  • Verify Owner on cron.daily

    To properly set the owner of /etc/cron.daily, run the command: 
    $ sudo chown root /etc/cron.daily
    Rule Medium Severity
    Show

  • Verify Owner on cron.hourly

    To properly set the owner of /etc/cron.hourly, run the command: 
    $ sudo chown root /etc/cron.hourly
    Rule Medium Severity
    Show

  • Verify Owner on cron.monthly

    To properly set the owner of /etc/cron.monthly, run the command: 
    $ sudo chown root /etc/cron.monthly
    Rule Medium Severity
    Show

  • Verify Owner on cron.weekly

    To properly set the owner of /etc/cron.weekly, run the command: 
    $ sudo chown root /etc/cron.weekly
    Rule Medium Severity
    Show

  • Verify Owner on crontab

    To properly set the owner of /etc/crontab, run the command: 
    $ sudo chown root /etc/crontab
    Rule Medium Severity
    Show

  • Verify Permissions on cron.d

    To properly set the permissions of /etc/cron.d, run the command: 
    $ sudo chmod 0700 /etc/cron.d
    Rule Medium Severity
    Show

  • Verify Permissions on cron.daily

    To properly set the permissions of /etc/cron.daily, run the command: 
    $ sudo chmod 0700 /etc/cron.daily
    Rule Medium Severity
    Show

  • Verify Permissions on cron.hourly

    To properly set the permissions of /etc/cron.hourly, run the command: 
    $ sudo chmod 0700 /etc/cron.hourly
    Rule Medium Severity
    Show

  • Verify Permissions on cron.monthly

    To properly set the permissions of /etc/cron.monthly, run the command: 
    $ sudo chmod 0700 /etc/cron.monthly
    Rule Medium Severity
    Show

  • Verify Permissions on cron.weekly

    To properly set the permissions of /etc/cron.weekly, run the command: 
    $ sudo chmod 0700 /etc/cron.weekly
    Rule Medium Severity
    Show

  • Verify Permissions on crontab

    To properly set the permissions of /etc/crontab, run the command: 
    $ sudo chmod 0600 /etc/crontab
    Rule Medium Severity
    Show

  • Application Whitelisting Daemon

    Fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. Applications that are known via a reputation source are allowed access while unknown applicat...
    Group
    Show

  • Install fapolicyd Package

    The fapolicyd package can be installed with the following command: 
    $ sudo yum install fapolicyd
    Rule Medium Severity
    Show

  • Enable the File Access Policy Service

    The File Access Policy service should be enabled. The fapolicyd service can be enabled with the following command: 
    $ sudo systemctl enable fapolicyd.service
    Rule Medium Severity
    Show

  • FTP Server

    FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data transmitted during the session can be captured an...
    Group
    Show

  • Disable vsftpd if Possible

    To minimize attack surface, disable vsftpd if at all possible.
    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules