Protection Profile for General Purpose Operating Systems
Rules and Groups employed by this XCCDF Profile
-
System Settings
Contains rules that check correct system settings.Group -
Installing and Maintaining Software
The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of s...Group -
System and Software Integrity
System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software,...Group -
Software Integrity Checking
Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integr...Group -
Verify Integrity with AIDE
AIDE conducts integrity checks by comparing information about files with previously-gathered information. Ideally, the AIDE database is created imm...Group -
Install AIDE
Theaide
package can be installed with the following command:$ sudo yum install aide
Rule Medium Severity -
Federal Information Processing Standard (FIPS)
The Federal Information Processing Standard (FIPS) is a computer security standard which is developed by the U.S. Government and industry working g...Group -
Enable Dracut FIPS Module
To enable FIPS mode, run the following command: <pre>fips-mode-setup --enable</pre> To enable FIPS, the system requires that the <code>fips</code> ...Rule High Severity -
Enable FIPS Mode
To enable FIPS mode, run the following command: <pre>fips-mode-setup --enable</pre> <br> The <code>fips-mode-setup</code> command will configure t...Rule High Severity -
System Cryptographic Policies
Linux has the capability to centrally configure cryptographic polices. The command <code>update-crypto-policies</code> is used to set the policy ap...Group -
Install crypto-policies package
Thecrypto-policies
package can be installed with the following command:$ sudo yum install crypto-policies
Rule Medium Severity -
Configure BIND to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. BIND is supported by crypto policy, but the BIND confi...Rule High Severity -
Configure System Cryptography Policy
To configure the system cryptography policy to use ciphers only from the <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_system_...Rule High Severity -
Configure Kerberos to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Kerberos is supported by crypto policy, but it's confi...Rule High Severity -
Configure Libreswan to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Libreswan is supported by system crypto policy, but th...Rule High Severity -
Configure OpenSSL library to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSL is supported by crypto policy, but the OpenSSL...Rule Medium Severity -
Configure SSH to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configu...Rule Medium Severity -
OpenSSL uses strong entropy source
By default, OpenSSL doesn't always use a SP800-90A compliant random number generator. A way to configure OpenSSL to always use a strong source is t...Rule Medium Severity -
Disk Partitioning
To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logic...Group -
Ensure /home Located On Separate Partition
If user home directories will be stored locally, create a separate partition for <code>/home</code> at installation time (or migrate it later using...Rule Low Severity -
Ensure /var Located On Separate Partition
The <code>/var</code> directory is used by daemons and other system services to store frequently-changing data. Ensure that <code>/var</code> has i...Rule Low Severity -
Ensure /var/log Located On Separate Partition
System logs are stored in the <code>/var/log</code> directory. Ensure that <code>/var/log</code> has its own partition or logical volume at instal...Rule Low Severity -
Ensure /var/log/audit Located On Separate Partition
Audit logs are stored in the <code>/var/log/audit</code> directory. Ensure that <code>/var/log/audit</code> has its own partition or logical volum...Rule Low Severity -
Ensure /var/tmp Located On Separate Partition
The <code>/var/tmp</code> directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volum...Rule Medium Severity -
Sudo
<code>Sudo</code>, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrato...Group -
Install sudo Package
Thesudo
package can be installed with the following command:$ sudo yum install sudo
Rule Medium Severity -
System Tooling / Utilities
The following checks evaluate the system for recommended base packages -- both for installation and removal.Group -
Install dnf-plugin-subscription-manager Package
The <code>dnf-plugin-subscription-manager</code> package can be installed with the following command: <pre> $ sudo yum install dnf-plugin-subscript...Rule Medium Severity -
Ensure gnutls-utils is installed
Thegnutls-utils
package can be installed with the following command:$ sudo yum install gnutls-utils
Rule Medium Severity -
Install openscap-scanner Package
Theopenscap-scanner
package can be installed with the following command:$ sudo yum install openscap-scanner
Rule Medium Severity -
Install scap-security-guide Package
Thescap-security-guide
package can be installed with the following command:$ sudo yum install scap-security-guide
Rule Medium Severity -
Install subscription-manager Package
Thesubscription-manager
package can be installed with the following command:$ sudo yum install subscription-manager
Rule Medium Severity -
Uninstall abrt-addon-ccpp Package
Theabrt-addon-ccpp
package can be removed with the following command:$ sudo yum erase abrt-addon-ccpp
Rule Low Severity -
Uninstall abrt-addon-kerneloops Package
Theabrt-addon-kerneloops
package can be removed with the following command:$ sudo yum erase abrt-addon-kerneloops
Rule Low Severity -
Uninstall abrt-cli Package
Theabrt-cli
package can be removed with the following command:$ sudo yum erase abrt-cli
Rule Low Severity -
Uninstall abrt-plugin-sosreport Package
Theabrt-plugin-sosreport
package can be removed with the following command:$ sudo yum erase abrt-plugin-sosreport
Rule Low Severity -
Uninstall gssproxy Package
Thegssproxy
package can be removed with the following command:$ sudo yum erase gssproxy
Rule Medium Severity -
Uninstall iprutils Package
Theiprutils
package can be removed with the following command:$ sudo yum erase iprutils
Rule Medium Severity -
Uninstall krb5-workstation Package
Thekrb5-workstation
package can be removed with the following command:$ sudo yum erase krb5-workstation
Rule Medium Severity -
Uninstall libreport-plugin-logger Package
Thelibreport-plugin-logger
package can be removed with the following command:$ sudo yum erase libreport-plugin-logger
Rule Low Severity -
Uninstall libreport-plugin-rhtsupport Package
The <code>libreport-plugin-rhtsupport</code> package can be removed with the following command: <pre> $ sudo yum erase libreport-plugin-rhtsupport<...Rule Low Severity -
Uninstall python3-abrt-addon Package
Thepython3-abrt-addon
package can be removed with the following command:$ sudo yum erase python3-abrt-addon
Rule Low Severity -
Updating Software
The <code>yum</code> command line tool is used to install and update software packages. The system also provides a graphical software update tool i...Group -
Install dnf-automatic Package
Thednf-automatic
package can be installed with the following command:$ sudo yum install dnf-automatic
Rule Medium Severity -
Configure dnf-automatic to Install Available Updates Automatically
To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates...Rule Medium Severity -
Configure dnf-automatic to Install Only Security Updates
To configure <code>dnf-automatic</code> to install only security updates automatically, set <code>upgrade_type</code> to <code>security</code> unde...Rule Low Severity -
Ensure gpgcheck Enabled In Main yum Configuration
The <code>gpgcheck</code> option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check pack...Rule High Severity -
Ensure gpgcheck Enabled for Local Packages
<code>yum</code> should be configured to verify the signature(s) of local packages prior to installation. To configure <code>yum</code> to verify s...Rule High Severity -
Ensure gpgcheck Enabled for All yum Package Repositories
To ensure signature checking is not disabled for any repos, remove any lines from files in <code>/etc/yum.repos.d</code> of the form: <pre>gpgcheck...Rule High Severity -
Ensure Red Hat GPG Key Installed
To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them),...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.