Skip to content
Log In

DRAFT - DISA STIG for Oracle Linux 9

Rules and Groups employed by this XCCDF Profile

  • Uninstall vsftpd Package

    The vsftpd package can be removed with the following command: 
     $ sudo yum erase vsftpd
    Rule High Severity
    Show

  • Mail Server Software

    Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not r...
    Group
    Show

  • Uninstall Sendmail Package

    Sendmail is not the default mail transfer agent and is not installed by default. The <code>sendmail</code> package can be removed with the following command: <pre> $ sudo yum erase sendmail</pre> ...
    Rule Medium Severity
    Show

  • Configure SMTP For Mail Clients

    This section discusses settings for Postfix in a submission-only e-mail configuration.
    Group
    Show

  • Configure System to Forward All Mail For The Root Account

    Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_postfix_root_mail_ali...
    Rule Medium Severity
    Show

  • Configure System to Forward All Mail From Postmaster to The Root Account

    Verify the administrators are notified in the event of an audit processing failure. Check that the "/etc/aliases" file has a defined value for "root". <pre>$ sudo grep "postmaster:\s*root$" /etc/al...
    Rule Medium Severity
    Show

  • Configure Operating System to Protect Mail Server

    The guidance in this section is appropriate for any host which is operating as a site MTA, whether the mail server runs using Sendmail, Postfix, or some other software.
    Group
    Show

  • Configure Postfix if Necessary

    Postfix stores its configuration files in the directory /etc/postfix by default. The primary configuration file is /etc/postfix/main.cf.
    Group
    Show

  • Control Mail Relaying

    Postfix's mail relay controls are implemented with the help of the smtpd recipient restrictions option, which controls the restrictions placed on the SMTP dialogue once the sender and recipient env...
    Group
    Show

  • Prevent Unrestricted Mail Relaying

    Modify the <pre>/etc/postfix/main.cf</pre> file to restrict client connections to the local network with the following command: <pre>$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetwork...
    Rule Medium Severity
    Show

  • NFS and RPC

    The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circumstances under which it is possible to disable NF...
    Group
    Show

  • Uninstall nfs-utils Package

    The nfs-utils package can be removed with the following command: 
    $ sudo yum erase nfs-utils
    Rule Low Severity
    Show

  • Configure NFS Clients

    The steps in this section are appropriate for systems which operate as NFS clients.
    Group
    Show

  • Mount Remote Filesystems with Restrictive Options

    Edit the file <code>/etc/fstab</code>. For each filesystem whose type (column 3) is <code>nfs</code> or <code>nfs4</code>, add the text <code>,nodev,nosuid</code> to the list of mount options in co...
    Group
    Show

  • Mount Remote Filesystems with Kerberos Security

    Add the sec=krb5:krb5i:krb5p option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
    Rule Medium Severity
    Show

  • Mount Remote Filesystems with nodev

    Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
    Rule Medium Severity
    Show

  • Mount Remote Filesystems with noexec

    Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
    Rule Medium Severity
    Show

  • Mount Remote Filesystems with nosuid

    Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
    Rule Medium Severity
    Show

  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...
    Group
    Show

  • The Chrony package is installed

    System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize th...
    Rule Medium Severity
    Show

  • The Chronyd service is enabled

    chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information o...
    Rule Medium Severity
    Show

  • Disable chrony daemon from acting as server

    The <code>port</code> option in <code>/etc/chrony.conf</code> can be set to <code>0</code> to make chrony daemon to never open any listening port for server operation and to operate strictly in a c...
    Rule Low Severity
    Show

  • Disable network management of chrony daemon

    The cmdport option in /etc/chrony.conf can be set to 0 to stop chrony daemon from listening on the UDP port 323 for management connections made by chronyc.
    Rule Low Severity
    Show

  • Configure Time Service Maxpoll Interval

    The <code>maxpoll</code> should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy"></xccdf-1.2:sub> in <code>/etc/ntp.conf</code> o...
    Rule Medium Severity
    Show

  • Ensure Chrony is only configured with the server directive

    Check that Chrony only has time sources configured with the server directive.
    Rule Medium Severity
    Show

  • Obsolete Services

    This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best a...
    Group
    Show

  • Rlogin, Rsh, and Rexec

    The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.
    Group
    Show

  • Uninstall rsh-server Package

    The rsh-server package can be removed with the following command: 
    $ sudo yum erase rsh-server
    Rule High Severity
    Show

  • Remove Host-Based Authentication Files

    The <code>shosts.equiv</code> file lists remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location: <pre>$ sudo ...
    Rule High Severity
    Show

  • Remove User Host-Based Authentication Files

    The <code>~/.shosts</code> (in each user's home directory) files list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them fr...
    Rule High Severity
    Show

  • Telnet

    The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication information such as passwords. Organizations which use tel...
    Group
    Show

  • Uninstall telnet-server Package

    The telnet-server package can be removed with the following command: 
    $ sudo yum erase telnet-server
    Rule High Severity
    Show

  • TFTP Server

    TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides little security, and modern versions of networking oper...
    Group
    Show

  • Uninstall tftp-server Package

    The tftp-server package can be removed with the following command: 
     $ sudo yum erase tftp-server
    Rule High Severity
    Show

  • Ensure tftp Daemon Uses Secure Mode

    If running the Trivial File Transfer Protocol (TFTP) service is necessary, it should be configured to change its root directory at startup. To do so, find the path for the <code>tftp</code> systemd...
    Rule Medium Severity
    Show

  • Network Routing

    A router is a very desirable target for a potential adversary because they fulfill a variety of infrastructure networking roles such as access to network segments, gateways to other networks, filt...
    Group
    Show

  • Disable Quagga if Possible

    If Quagga was installed and activated, but the system does not need to act as a router, then it should be disabled and removed.
    Group
    Show

  • Uninstall quagga Package

    The quagga package can be removed with the following command: 
     $ sudo yum erase quagga
    Rule Low Severity
    Show

  • SSH Server

    The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, throu...
    Group
    Show

  • Install OpenSSH client software

    The openssh-clients package can be installed with the following command: 
    $ sudo yum install openssh-clients
    Rule Medium Severity
    Show

  • Install the OpenSSH Server Package

    The openssh-server package should be installed. The openssh-server package can be installed with the following command: 
    $ sudo yum install openssh-server
    Rule Medium Severity
    Show

  • Enable the OpenSSH Service

    The SSH server service, sshd, is commonly needed. The sshd service can be enabled with the following command: 
    $ sudo systemctl enable sshd.service
    Rule Medium Severity
    Show

  • Verify Group Who Owns SSH Server config file

    To properly set the group owner of /etc/ssh/sshd_config, run the command: 
    $ sudo chgrp root /etc/ssh/sshd_config
    Rule Medium Severity
    Show

  • Verify Owner on SSH Server config file

    To properly set the owner of /etc/ssh/sshd_config, run the command: 
    $ sudo chown root /etc/ssh/sshd_config
    Rule Medium Severity
    Show

  • Verify Permissions on SSH Server config file

    To properly set the permissions of /etc/ssh/sshd_config, run the command: 
    $ sudo chmod 0600 /etc/ssh/sshd_config
    Rule Medium Severity
    Show

  • Verify Permissions on SSH Server Private *_key Key Files

    SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by the <code>root</code> user and the <code>root</code...
    Rule Medium Severity
    Show

  • Verify Permissions on SSH Server Public *.pub Key Files

    To properly set the permissions of /etc/ssh/*.pub, run the command: 
    $ sudo chmod 0644 /etc/ssh/*.pub
    Rule Medium Severity
    Show

  • Configure OpenSSH Client if Necessary

    The following configuration changes apply to the SSH client. They can improve security parameters relwevant to the client user, e.g. increasing entropy while generating initialization vectors. Note...
    Group
    Show

  • Verify the SSH Private Key Files Have a Passcode

    When creating SSH key pairs, always use a passcode. <br> You can create such keys with the following command: <pre>$ sudo ssh-keygen -n [passphrase]</pre> Oracle Linux 9, for certificate-based auth...
    Rule Medium Severity
    Show

  • Configure OpenSSH Server if Necessary

    If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_config</code>. The following recommendations can be app...
    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules