Skip to content

OSPP - Protection Profile for General Purpose Operating Systems v4.2.1

Rules and Groups employed by this XCCDF Profile

  • Ensure PAM Enforces Password Requirements - Minimum Digit Characters

    The pam_pwquality module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, a...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Minimum Different Characters

    The pam_pwquality module's <code>difok</code> parameter sets the number of characters in a password that must not be present in and old password du...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters

    The pam_pwquality module's <code>lcredit</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negativ...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class

    The pam_pwquality module's <code>maxclassrepeat</code> parameter controls requirements for consecutive repeating characters from the same character...
    Rule Medium Severity
  • Set Password Maximum Consecutive Repeating Characters

    The pam_pwquality module's <code>maxrepeat</code> parameter controls requirements for consecutive repeating characters. When set to a positive numb...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Minimum Length

    The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xcc...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Minimum Special Characters

    The pam_pwquality module's <code>ocredit=</code> parameter controls requirements for usage of special (or "other") characters in a password. When s...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters

    The pam_pwquality module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negati...
    Rule Medium Severity
  • Protect Physical Console Access

    It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be co...
    Group
  • Disable debug-shell SystemD Service

    SystemD's <code>debug-shell</code> service is intended to diagnose SystemD related boot issues with various <code>systemctl</code> commands. Once e...
    Rule Medium Severity
  • Disable Ctrl-Alt-Del Burst Action

    By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed Ctrl-Alt-Delete more than 7 times ...
    Rule High Severity
  • Disable Ctrl-Alt-Del Reboot Activation

    By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed. <br><br> To configure the system ...
    Rule High Severity
  • Verify that Interactive Boot is Disabled

    Red Hat Enterprise Linux 7 systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat Enter...
    Rule Medium Severity
  • Require Authentication for Single User Mode

    Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. ...
    Rule Medium Severity
  • Configure Screen Locking

    When a user must temporarily leave an account logged-in, screen locking should be employed to prevent passersby from abusing the account. User educ...
    Group
  • Configure Console Screen Locking

    A console screen locking mechanism is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the in...
    Group
  • Install the screen Package

    To enable console screen locking, install the <code>screen</code> package. The <code>screen</code> package can be installed with the following comm...
    Rule Medium Severity
  • Protect Accounts by Restricting Password-Based Login

    Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness ...
    Group
  • Verify Proper Storage and Existence of Password Hashes

    By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be re...
    Group
  • Prevent Login to Accounts With Empty Password

    If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without ...
    Rule High Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules