Skip to content

North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for Red Hat Enterprise Linux CoreOS

Rules and Groups employed by this XCCDF Profile

  • Disk Partitioning

    To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logic...
    Group
  • Ensure /var/log Located On Separate Partition

    System logs are stored in the <code>/var/log</code> directory. <p> Partitioning Red Hat CoreOS is a Day 1 operation and cannot be changed afterward...
    Rule Low Severity
  • Ensure /var/log/audit Located On Separate Partition

    Audit logs are stored in the <code>/var/log/audit</code> directory. <p> Partitioning Red Hat CoreOS is a Day 1 operation and cannot be changed afte...
    Rule Low Severity
  • Sudo

    <code>Sudo</code>, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrato...
    Group
  • Install sudo Package

    The sudo package can be installed with the following command:
    $ sudo dnf install sudo
    Rule Medium Severity
  • Account and Access Control

    In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which...
    Group
  • Warning Banners for System Accesses

    Each system should expose as little information about itself as possible. <br><br> System banners, which are typically displayed just before a logi...
    Group
  • Modify the System Login Banner

    To configure the system login banner create a file under <code>/etc/issue.d</code> The DoD required text is either: <br><br> <code>You are acces...
    Rule Medium Severity
  • Protect Physical Console Access

    It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be co...
    Group
  • Disable debug-shell SystemD Service

    SystemD's <code>debug-shell</code> service is intended to diagnose SystemD related boot issues with various <code>systemctl</code> commands. Once e...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules