Skip to content
ATO Pathways
  Log In

NIST National Checklist Program Security Guide

Rules and Groups employed by this XCCDF Profile

  • Ensure All Files Are Owned by a Group

    If any file is not group-owned by a group present in /etc/group, the cause of the lack of group-ownership must be investigated. Following this, tho...
    Rule Medium Severity
    Show

  • Ensure All Files Are Owned by a User

    If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted...
    Rule Medium Severity
    Show

  • Enable Kernel Parameter to Enforce DAC on Hardlinks

    To set the runtime status of the <code>fs.protected_hardlinks</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protecte...
    Rule Medium Severity
    Show

  • Enable Kernel Parameter to Enforce DAC on Symlinks

    To set the runtime status of the <code>fs.protected_symlinks</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protected...
    Rule Medium Severity
    Show

  • Restrict Dynamic Mounting and Unmounting of Filesystems

    Linux includes a number of facilities for the automated addition and removal of filesystems on a running system. These facilities may be necessary...
    Group
    Show

  • Disable the Automounter

    The <code>autofs</code> daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be...
    Rule Medium Severity
    Show

  • Disable Mounting of cramfs

    To configure the system to prevent the <code>cramfs</code> kernel module from being loaded, add the following line to the file <code>/etc/modprobe...
    Rule Low Severity
    Show

  • Disable Mounting of freevxfs

    To configure the system to prevent the <code>freevxfs</code> kernel module from being loaded, add the following line to the file <code>/etc/modpro...
    Rule Low Severity
    Show

  • Disable Mounting of hfs

    To configure the system to prevent the <code>hfs</code> kernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/...
    Rule Low Severity
    Show

  • Disable Mounting of hfsplus

    To configure the system to prevent the <code>hfsplus</code> kernel module from being loaded, add the following line to the file <code>/etc/modprob...
    Rule Low Severity
    Show

  • Disable Mounting of jffs2

    To configure the system to prevent the <code>jffs2</code> kernel module from being loaded, add the following line to the file <code>/etc/modprobe....
    Rule Low Severity
    Show

  • Disable Mounting of squashfs

    To configure the system to prevent the <code>squashfs</code> kernel module from being loaded, add the following line to the file <code>/etc/modpro...
    Rule Low Severity
    Show

  • Disable Modprobe Loading of USB Storage Driver

    To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. ...
    Rule Medium Severity
    Show

  • Restrict Partition Mount Options

    System partitions can be mounted with certain options that limit what files on those partitions can do. These options are set in the <code>/etc/fst...
    Group
    Show

  • Add nodev Option to /dev/shm

    The <code>nodev</code> mount option can be used to prevent creation of device files in <code>/dev/shm</code>. Legitimate character and block device...
    Rule Medium Severity
    Show

  • Add noexec Option to /dev/shm

    The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/dev/shm</code>. It can be dangerous to allow...
    Rule Medium Severity
    Show

  • Add nosuid Option to /dev/shm

    The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/dev/shm</code>. The SUID and SGID permissions s...
    Rule Medium Severity
    Show

  • Add nodev Option to /home

    The <code>nodev</code> mount option can be used to prevent device files from being created in <code>/home</code>. Legitimate character and block de...
    Rule Unknown Severity
    Show

  • Add nosuid Option to /home

    The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/home</code>. The SUID and SGID permissions shoul...
    Rule Medium Severity
    Show

  • Add nodev Option to Removable Media Partitions

    The <code>nodev</code> mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices sho...
    Rule Medium Severity
    Show

  • Add noexec Option to Removable Media Partitions

    The <code>noexec</code> mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binari...
    Rule Medium Severity
    Show

  • Add nosuid Option to Removable Media Partitions

    The <code>nosuid</code> mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These perm...
    Rule Medium Severity
    Show

  • Add nodev Option to /tmp

    The <code>nodev</code> mount option can be used to prevent device files from being created in <code>/tmp</code>. Legitimate character and block dev...
    Rule Medium Severity
    Show

  • Add noexec Option to /tmp

    The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/tmp</code>. Add the <code>noexec</code> opti...
    Rule Medium Severity
    Show

  • Add nosuid Option to /tmp

    The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/tmp</code>. The SUID and SGID permissions should...
    Rule Medium Severity
    Show

  • Add nodev Option to /var/tmp

    The <code>nodev</code> mount option can be used to prevent device files from being created in <code>/var/tmp</code>. Legitimate character and block...
    Rule Medium Severity
    Show

  • Add noexec Option to /var/tmp

    The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/var/tmp</code>. Add the <code>noexec</code> ...
    Rule Medium Severity
    Show

  • Add nosuid Option to /var/tmp

    The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/var/tmp</code>. The SUID and SGID permissions sh...
    Rule Medium Severity
    Show

  • Restrict Programs from Dangerous Execution Patterns

    The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution ar...
    Group
    Show

  • Restrict Access to Kernel Message Buffer

    To set the runtime status of the <code>kernel.dmesg_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.dmesg...
    Rule Low Severity
    Show

  • Disable Kernel Image Loading

    To set the runtime status of the <code>kernel.kexec_load_disabled</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel....
    Rule Medium Severity
    Show

  • Restrict usage of ptrace to descendant processes

    To set the runtime status of the <code>kernel.yama.ptrace_scope</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.ya...
    Rule Medium Severity
    Show

  • Disable Core Dumps

    A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases,...
    Group
    Show

  • Disable Core Dumps for All Users

    To disable core dumps for all users, add the following line to <code>/etc/security/limits.conf</code>, or to a file within the <code>/etc/security/...
    Rule Medium Severity
    Show

  • Disable Core Dumps for SUID programs

    To set the runtime status of the <code>fs.suid_dumpable</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.suid_dumpable=...
    Rule Medium Severity
    Show

  • Enable ExecShield

    ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These featu...
    Group
    Show

  • Enable ExecShield via sysctl

    By default on Red Hat Enterprise Linux 7 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield...
    Rule Medium Severity
    Show

  • Restrict Exposed Kernel Pointer Addresses Access

    To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_r...
    Rule Medium Severity
    Show

  • Enable Randomized Layout of Virtual Address Space

    To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.r...
    Rule Medium Severity
    Show

  • Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems

    Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, th...
    Group
    Show

  • Install PAE Kernel on Supported 32-bit x86 Systems

    Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes t...
    Rule Unknown Severity
    Show

  • Memory Poisoning

    Memory Poisoning consists of writing a special value to uninitialized or freed memory. Poisoning can be used as a mechanism to prevent leak of info...
    Group
    Show

  • Enable page allocator poisoning

    To enable poisoning of free pages, add the argument <code>page_poison=1</code> to the default GRUB 2 command line for the Linux operating system. T...
    Rule Medium Severity
    Show

  • Enable SLUB/SLAB allocator poisoning

    To enable poisoning of SLUB/SLAB objects, add the argument <code>slub_debug=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_slub_debug...
    Rule Medium Severity
    Show

  • SELinux

    SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that p...
    Group
    Show

  • Ensure SELinux Not Disabled in /etc/default/grub

    SELinux can be disabled at boot time by an argument in <code>/etc/default/grub</code>. Remove any instances of <code>selinux=0</code> from the kern...
    Rule Medium Severity
    Show

  • Ensure No Device Files are Unlabeled by SELinux

    Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files ca...
    Rule Medium Severity
    Show

  • Ensure No Daemons are Unconfined by SELinux

    Daemons for which the SELinux policy does not contain rules will inherit the context of the parent process. Because daemons are launched during sta...
    Rule Medium Severity
    Show

  • Configure SELinux Policy

    The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To config...
    Rule Medium Severity
    Show

  • Ensure SELinux State is Enforcing

    The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub><...
    Rule High Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules