Skip to content

NIST National Checklist Program Security Guide

Rules and Groups employed by this XCCDF Profile

  • System Settings

    Contains rules that check correct system settings.
    Group
  • Installing and Maintaining Software

    The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of s...
    Group
  • System and Software Integrity

    System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software,...
    Group
  • Disable Prelinking

    The prelinking feature changes binaries in an attempt to decrease their startup time. In order to disable it, change or add the following line insi...
    Rule Medium Severity
  • Software Integrity Checking

    Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integr...
    Group
  • Verify Integrity with RPM

    The RPM package management system includes the ability to verify the integrity of installed packages by comparing the installed files with informat...
    Group
  • Verify File Hashes with RPM

    Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package m...
    Rule High Severity
  • Verify and Correct File Permissions with RPM

    The RPM package management system can check file access permissions of installed software packages, including many that are important to system sec...
    Rule High Severity
  • Verify Integrity with AIDE

    AIDE conducts integrity checks by comparing information about files with previously-gathered information. Ideally, the AIDE database is created imm...
    Group
  • Install AIDE

    The aide package can be installed with the following command:
    $ sudo yum install aide
    Rule Medium Severity
  • Build and Test AIDE Database

    Run the following command to generate a new database: <pre>$ sudo /usr/sbin/aide --init</pre> By default, the database will be written to the fil...
    Rule Medium Severity
  • Configure Periodic Execution of AIDE

    At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line t...
    Rule Medium Severity
  • Configure Notification of Post-AIDE Scan Details

    AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic exe...
    Rule Medium Severity
  • Configure AIDE to Use FIPS 140-2 for Validating Hashes

    By default, the <code>sha512</code> option is added to the <code>NORMAL</code> ruleset in AIDE. If using a custom ruleset or the <code>sha512</code...
    Rule Medium Severity
  • Configure AIDE to Verify Access Control Lists (ACLs)

    By default, the <code>acl</code> option is added to the <code>FIPSR</code> ruleset in AIDE. If using a custom ruleset or the <code>acl</code> optio...
    Rule Low Severity
  • Configure AIDE to Verify Extended Attributes

    By default, the <code>xattrs</code> option is added to the <code>FIPSR</code> ruleset in AIDE. If using a custom ruleset or the <code>xattrs</code>...
    Rule Low Severity
  • Federal Information Processing Standard (FIPS)

    The Federal Information Processing Standard (FIPS) is a computer security standard which is developed by the U.S. Government and industry working g...
    Group
  • Install the dracut-fips Package

    To enable FIPS, the system requires that the <code>dracut-fips</code> package be installed. The <code>dracut-fips</code> package can be installed w...
    Rule Medium Severity
  • Enable FIPS Mode in GRUB2

    To ensure FIPS mode is enabled, install package <code>dracut-fips</code>, and rebuild <code>initramfs</code> by running the following commands: <pr...
    Rule High Severity
  • Operating System Vendor Support and Certification

    The assurance of a vendor to provide operating system support and maintenance for their product is an important criterion to ensure product stabili...
    Group
  • The Installed Operating System Is Vendor Supported

    The installed operating system must be maintained by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Li...
    Rule High Severity
  • Endpoint Protection Software

    Endpoint protection security software that is not provided or supported by Red Hat can be installed to provide complementary or duplicative secur...
    Group
  • Install Virus Scanning Software

    Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate syste...
    Rule High Severity
  • Install Intrusion Detection Software

    The base Red Hat Enterprise Linux 7 platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux...
    Rule High Severity
  • Disk Partitioning

    To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logic...
    Group
  • Encrypt Partitions

    Red Hat Enterprise Linux 7 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest...
    Rule High Severity
  • GNOME Desktop Environment

    GNOME is a graphical desktop environment bundled with many Linux distributions that allow users to easily interact with the operating system graphi...
    Group
  • Make sure that the dconf databases are up-to-date with regards to respective keyfiles

    By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by ...
    Rule High Severity
  • Configure GNOME3 DConf User Profile

    By default, DConf provides a standard user profile. This profile contains a list of DConf configuration databases. The user profile and database al...
    Rule High Severity
  • Configure GNOME Login Screen

    In the default GNOME desktop, the login is displayed after system boot and can display user accounts, allow users to reboot the system, and allow u...
    Group
  • Disable the GNOME3 Login Restart and Shutdown Buttons

    In the default graphical environment, users logging directly into the system are greeted with a login screen that allows any user, known or unknown...
    Rule High Severity
  • Disable the GNOME3 Login User List

    In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This fu...
    Rule Medium Severity
  • Enable the GNOME3 Login Smartcard Authentication

    In the default graphical environment, smart card authentication can be enabled on the login screen by setting <code>enable-smartcard-authentication...
    Rule Medium Severity
  • Set the GNOME3 Login Number of Failures

    In the default graphical environment, the GNOME3 login screen and be configured to restart the authentication process after a configured number of ...
    Rule Medium Severity
  • Disable GDM Automatic Login

    The GNOME Display Manager (GDM) can allow users to automatically login without user interaction or credentials. User should always be required to a...
    Rule High Severity
  • Disable GDM Guest Login

    The GNOME Display Manager (GDM) can allow users to login without credentials which can be useful for public kiosk scenarios. Allowing users to logi...
    Rule High Severity
  • GNOME Media Settings

    GNOME media settings that apply to the graphical interface.
    Group
  • Disable GNOME3 Automounting

    The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are...
    Rule Medium Severity
  • Disable GNOME3 Automount Opening

    The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are...
    Rule Medium Severity
  • Disable GNOME3 Automount running

    The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are...
    Rule Low Severity
  • Disable All GNOME3 Thumbnailers

    The system's default desktop environment, GNOME3, uses a number of different thumbnailer programs to generate thumbnails for any new or modified co...
    Rule Unknown Severity
  • GNOME Network Settings

    GNOME network settings that apply to the graphical interface.
    Group
  • Disable WIFI Network Connection Creation in GNOME3

    <code>GNOME</code> allows users to create ad-hoc wireless connections through the <code>NetworkManager</code> applet. Wireless connections should b...
    Rule Medium Severity
  • Disable WIFI Network Notification in GNOME3

    By default, <code>GNOME</code> disables WIFI notification. This should be permanently set so that users do not connect to a wireless network when t...
    Rule Medium Severity
  • GNOME Remote Access Settings

    GNOME remote access settings that apply to the graphical interface.
    Group
  • Require Credential Prompting for Remote Access in GNOME3

    By default, <code>GNOME</code> does not require credentials when using <code>Vino</code> for remote access. To configure the system to require remo...
    Rule Medium Severity
  • Require Encryption for Remote Access in GNOME3

    By default, <code>GNOME</code> requires encryption when using <code>Vino</code> for remote access. To prevent remote access encryption from being d...
    Rule Medium Severity
  • Configure GNOME Screen Locking

    In the default GNOME3 desktop, the screen can be locked by selecting the user name in the far right corner of the main panel and selecting <b>Lock<...
    Group
  • Enable GNOME3 Screensaver Idle Activation

    To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set <code>idle-activation-enabled</code> to <code>true</code...
    Rule Medium Severity
  • Set GNOME3 Screensaver Inactivity Timeout

    The idle time-out value for inactivity in the GNOME3 desktop is configured via the <code>idle-delay</code> setting must be set under an appropriate...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules