DRAFT - DISA STIG for Oracle Linux 9
Rules and Groups employed by this XCCDF Profile
Generate USBGuard Policy
By default, USBGuard when enabled prevents access to all USB devices, and this leads to an inaccessible system if a USB mouse/keyboard is used. To prevent this scenario, the initial policy configuration m...
Rule Medium Severity

X Window System
The X Window System implementation included with the system is called X.org.
Group

Disable X Windows
Unless there is a mission-critical reason for the system to run a graphical user interface, ensure X is not set to start automatically at boot and remove the X Windows software packages. There is u...
Group

Disable graphical user interface
By removing the following packages, the system no longer has X Windows installed. <code>xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland</code> If X Win...
Rule Medium Severity

Disable X Windows Startup By Setting Default Target
Systems that do not require a graphical user interface should only boot by default into <code>multi-user.target</code> mode. This prevents accidental booting of the system into a <code>graphical.ta...
Rule Medium Severity

Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.forwarding</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.forwarding=0</pre> To make sure that ...
Rule Medium Severity

Network Manager
The NetworkManager daemon configures a variety of network connections. This section discusses how to configure NetworkManager.
Group

Configure AIDE to Use FIPS 140-2 for Validating Hashes
By default, the <code>sha512</code> option is added to the <code>NORMAL</code> ruleset in AIDE. If using a custom ruleset or the <code>sha512</code> option is missing, add <code>sha512</code> to th...
Rule Medium Severity

Configure Logind to terminate idle sessions after certain time of inactivity
To configure the <code>logind</code> service to terminate inactive user sessions after <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_logind_session_timeout" use="legacy"></xccdf-1.2:sub>...
Rule Medium Severity

Support session locking with tmux (not enforcing)
The <code>tmux</code> terminal multiplexer is used to implement automatic session locking. It should be started from <code>/etc/bashrc</code> or drop-in files within <code>/etc/profile.d/</code>.
Rule Medium Severity

Configure the tmux lock session key binding
To set a key binding for screen locking in the <code>tmux</code> terminal multiplexer, the <code>session-lock</code> command must be bound to a key. Add the following line to <code>/etc/tmux.conf</...
Rule Low Severity

NetworkManager DNS Mode Must Be Configured
The DNS processing mode in NetworkManager describes how DNS is processed on the system. Depending on the mode, some changes to the system's DNS may not be respected.
Rule Medium Severity

Add nosuid Option to /boot/efi
The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/boot/efi</code>. The SUID and SGID permissions should not be required on the boot partition. Add t...
Rule Medium Severity

Ensure No Device Files are Unlabeled by SELinux
Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type <code>device_t</code> or <cod...
Rule Medium Severity

Verify Group Who Owns cron.deny
To properly set the group owner of <code>/etc/cron.deny</code>, run the command: <pre>$ sudo chgrp root /etc/cron.deny</pre>
Rule Medium Severity

Verify Owner on cron.deny
To properly set the owner of <code>/etc/cron.deny</code>, run the command: <pre>$ sudo chown root /etc/cron.deny</pre>
Rule Medium Severity

The s-nail Package Is Installed
A mail server is required for sending emails. The <code>s-nail</code> package can be installed with the following command: <pre>$ sudo yum install s-nail</pre>
Rule Medium Severity

Configure immutable Audit login UIDs
Configure the kernel to prevent modification of login UIDs once they are set. Changing login UIDs while this configuration is enforced requires special capabilities which are not available to unprivile...
Rule Medium Severity