Skip to content

CCN Red Hat Enterprise Linux 9 - Intermediate

Rules and Groups employed by this XCCDF Profile

  • System Settings

    Contains rules that check correct system settings.
    Group
  • Installing and Maintaining Software

    The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of s...
    Group
  • System and Software Integrity

    System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software,...
    Group
  • System Cryptographic Policies

    Linux has the capability to centrally configure cryptographic polices. The command <code>update-crypto-policies</code> is used to set the policy ap...
    Group
  • Configure System Cryptography Policy

    To configure the system cryptography policy to use ciphers only from the <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_system_...
    Rule High Severity
  • Configure SSH to use System Crypto Policy

    Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configu...
    Rule Medium Severity
  • GNOME Desktop Environment

    GNOME is a graphical desktop environment bundled with many Linux distributions that allow users to easily interact with the operating system graphi...
    Group
  • Make sure that the dconf databases are up-to-date with regards to respective keyfiles

    By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by ...
    Rule High Severity
  • Configure GNOME Login Screen

    In the default GNOME desktop, the login is displayed after system boot and can display user accounts, allow users to reboot the system, and allow u...
    Group
  • Disable the GNOME3 Login User List

    In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This fu...
    Rule Medium Severity
  • GNOME Media Settings

    GNOME media settings that apply to the graphical interface.
    Group
  • Disable GNOME3 Automounting

    The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are...
    Rule Medium Severity
  • Disable GNOME3 Automount Opening

    The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are...
    Rule Medium Severity
  • Disable GNOME3 Automount running

    The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are...
    Rule Low Severity
  • Configure GNOME Screen Locking

    In the default GNOME3 desktop, the screen can be locked by selecting the user name in the far right corner of the main panel and selecting <b>Lock<...
    Group
  • Set GNOME3 Screensaver Inactivity Timeout

    The idle time-out value for inactivity in the GNOME3 desktop is configured via the <code>idle-delay</code> setting must be set under an appropriate...
    Rule Medium Severity
  • Set GNOME3 Screensaver Lock Delay After Activation Period

    To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set <code>lock-delay</code> to <co...
    Rule Medium Severity
  • Sudo

    <code>Sudo</code>, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrato...
    Group
  • Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty

    The sudo <code>use_pty</code> tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by ma...
    Rule Medium Severity
  • Ensure Users Re-Authenticate for Privilege Escalation - sudo

    The sudo <code>NOPASSWD</code> and <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having t...
    Rule Medium Severity
  • Require Re-Authentication When Using the sudo Command

    The sudo <code>timestamp_timeout</code> tag sets the amount of time sudo password prompt waits. The default <code>timestamp_timeout</code> value is...
    Rule Medium Severity
  • Account and Access Control

    In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which...
    Group
  • Enable authselect

    Configure user authentication setup to use the <code>authselect</code> tool. If authselect profile is selected, the rule will enable the <xccdf-1.2...
    Rule Medium Severity
  • Warning Banners for System Accesses

    Each system should expose as little information about itself as possible. <br><br> System banners, which are typically displayed just before a logi...
    Group
  • Modify the System Login Banner

    To configure the system login banner edit <code>/etc/issue</code>. Replace the default text with a message compliant with the local site policy or...
    Rule Medium Severity
  • Modify the System Login Banner for Remote Connections

    To configure the system login banner edit <code>/etc/issue.net</code>. Replace the default text with a message compliant with the local site policy...
    Rule Medium Severity
  • Modify the System Message of the Day Banner

    To configure the system message banner edit <code>/etc/motd</code>. Replace the default text with a message compliant with the local site policy or...
    Rule Medium Severity
  • Implement a GUI Warning Banner

    In the default graphical environment, users logging directly into the system are greeted with a login screen provided by the GNOME Display Manager ...
    Group
  • Enable GNOME3 Login Warning Banner

    In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login scr...
    Rule Medium Severity
  • Set the GNOME3 Login Warning Banner Text

    In the default graphical environment, configuring the login warning banner text in the GNOME Display Manager's login screen can be configured on th...
    Rule Medium Severity
  • Protect Accounts by Configuring PAM

    PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and confi...
    Group
  • Set Password Quality Requirements

    The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure pas...
    Group
  • Set Password Quality Requirements with pam_pwquality

    The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br><br> For example, to configure <cod...
    Group
  • Ensure PAM Enforces Password Requirements - Minimum Different Categories

    The pam_pwquality module's <code>minclass</code> parameter controls requirements for usage of different character classes, or types, of character t...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Minimum Length

    The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xcc...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session

    To configure the number of retry prompts that are permitted per-session: Edit the <code>/etc/security/pwquality.conf</code> to include <code>retr...
    Rule Medium Severity
  • Set Password Hashing Algorithm

    The system's default algorithm for storing password hashes in /etc/shadow is SHA-512. This can be configured in several locations.
    Group
  • Set Password Hashing Algorithm in /etc/login.defs

    In <code>/etc/login.defs</code>, add or correct the following line to ensure the system will use <xccdf-1.2:sub idref="xccdf_org.ssgproject.content...
    Rule Medium Severity
  • Set PAM''s Password Hashing Algorithm - password-auth

    The PAM system service can be configured to only store encrypted representations of passwords. In <code>/etc/pam.d/password-auth</code>, the <code>...
    Rule Medium Severity
  • Set PAM''s Password Hashing Algorithm

    The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/system-auth", the <code>password</cod...
    Rule Medium Severity
  • Protect Accounts by Restricting Password-Based Login

    Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness ...
    Group
  • Set Password Expiration Parameters

    The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>...
    Group
  • Set Password Maximum Age

    To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MAX_D...
    Rule Medium Severity
  • Set Password Minimum Age

    To specify password minimum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_D...
    Rule Medium Severity
  • Set Existing Passwords Maximum Age

    Configure non-compliant accounts to enforce a <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="le...
    Rule Medium Severity
  • Set Existing Passwords Minimum Age

    Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command: <pre>$ sudo chage -m 1 <i>...
    Rule Medium Severity
  • Set Existing Passwords Warning Age

    To configure how many days prior to password expiration that a warning will be issued to users, run the command: <pre>$ sudo chage --warndays <xccd...
    Rule Medium Severity
  • Set Password Warning Age

    To specify how many days prior to password expiration that a warning will be issued to users, edit the file <code>/etc/login.defs</code> and add or...
    Rule Medium Severity
  • Verify Proper Storage and Existence of Password Hashes

    By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be re...
    Group
  • Ensure There Are No Accounts With Blank or Null Passwords

    Check the "/etc/shadow" file for blank passwords with the following command: <pre>$ sudo awk -F: '!$2 {print $1}' /etc/shadow</pre> If the command ...
    Rule High Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules