Skip to content

NIST National Checklist Program Security Guide

Rules and Groups employed by this XCCDF Profile

  • Updating Software

    The <code>yum</code> command line tool is used to install and update software packages. The system also provides a graphical software update tool i...
    Group
  • Ensure yum Removes Previous Package Versions

    <code>yum</code> should be configured to remove previous software components after new versions have been installed. To configure <code>yum</code> ...
    Rule Low Severity
  • Ensure gpgcheck Enabled In Main yum Configuration

    The <code>gpgcheck</code> option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check pack...
    Rule High Severity
  • Ensure gpgcheck Enabled for Local Packages

    <code>yum</code> should be configured to verify the signature(s) of local packages prior to installation. To configure <code>yum</code> to verify s...
    Rule High Severity
  • Ensure gpgcheck Enabled for All yum Package Repositories

    To ensure signature checking is not disabled for any repos, remove any lines from files in <code>/etc/yum.repos.d</code> of the form: <pre>gpgcheck...
    Rule High Severity
  • Ensure Red Hat GPG Key Installed

    To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them),...
    Rule High Severity
  • Ensure Software Patches Installed

    If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: <pre>$ ...
    Rule Medium Severity
  • Account and Access Control

    In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which...
    Group
  • Warning Banners for System Accesses

    Each system should expose as little information about itself as possible. <br><br> System banners, which are typically displayed just before a logi...
    Group
  • Modify the System Login Banner

    To configure the system login banner edit <code>/etc/issue</code>. Replace the default text with a message compliant with the local site policy or...
    Rule Medium Severity
  • Implement a GUI Warning Banner

    In the default graphical environment, users logging directly into the system are greeted with a login screen provided by the GNOME Display Manager ...
    Group
  • Enable GNOME3 Login Warning Banner

    In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login scr...
    Rule Medium Severity
  • Set the GNOME3 Login Warning Banner Text

    In the default graphical environment, configuring the login warning banner text in the GNOME Display Manager's login screen can be configured on th...
    Rule Medium Severity
  • Protect Accounts by Configuring PAM

    PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and confi...
    Group
  • Ensure PAM Displays Last Logon/Access Notification

    To configure the system to notify users of last logon/access using <code>pam_lastlog</code>, add or correct the <code>pam_lastlog</code> settings i...
    Rule Low Severity
  • Set Lockouts for Failed Password Attempts

    The <code>pam_faillock</code> PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentati...
    Group
  • Limit Password Reuse

    Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_unix</code> or <...
    Rule Medium Severity
  • Lock Accounts After Failed Password Attempts

    This rule configures the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>. pam_faillock.so...
    Rule Medium Severity
  • Configure the root Account for Failed Password Attempts

    This rule configures the system to lock out the <code>root</code> account after a number of incorrect login attempts using <code>pam_faillock.so</c...
    Rule Medium Severity
  • Set Interval For Counting Failed Password Attempts

    Utilizing <code>pam_faillock.so</code>, the <code>fail_interval</code> directive configures the system to lock out an account after a number of inc...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules