Skip to content

DRAFT - DISA STIG for Red Hat Virtualization Host (RHVH)

Rules and Groups employed by this XCCDF Profile

  • Ensure All World-Writable Directories Are Owned by a System Account

    All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories a...
    Rule Medium Severity
  • Ensure All Files Are Owned by a Group

    If any file is not group-owned by a group present in /etc/group, the cause of the lack of group-ownership must be investigated. Following this, tho...
    Rule Medium Severity
  • Ensure All Files Are Owned by a User

    If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted...
    Rule Medium Severity
  • Restrict Dynamic Mounting and Unmounting of Filesystems

    Linux includes a number of facilities for the automated addition and removal of filesystems on a running system. These facilities may be necessary...
    Group
  • Disable the Automounter

    The <code>autofs</code> daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be...
    Rule Medium Severity
  • Disable Mounting of cramfs

    To configure the system to prevent the <code>cramfs</code> kernel module from being loaded, add the following line to the file <code>/etc/modprobe...
    Rule Low Severity
  • Disable Mounting of freevxfs

    To configure the system to prevent the <code>freevxfs</code> kernel module from being loaded, add the following line to the file <code>/etc/modpro...
    Rule Low Severity
  • Disable Mounting of hfs

    To configure the system to prevent the <code>hfs</code> kernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/...
    Rule Low Severity
  • Disable Mounting of hfsplus

    To configure the system to prevent the <code>hfsplus</code> kernel module from being loaded, add the following line to the file <code>/etc/modprob...
    Rule Low Severity
  • Disable Mounting of jffs2

    To configure the system to prevent the <code>jffs2</code> kernel module from being loaded, add the following line to the file <code>/etc/modprobe....
    Rule Low Severity
  • Disable Modprobe Loading of USB Storage Driver

    To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. ...
    Rule Medium Severity
  • Restrict Partition Mount Options

    System partitions can be mounted with certain options that limit what files on those partitions can do. These options are set in the <code>/etc/fst...
    Group
  • Add nosuid Option to /home

    The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/home</code>. The SUID and SGID permissions shoul...
    Rule Medium Severity
  • Add nodev Option to Removable Media Partitions

    The <code>nodev</code> mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices sho...
    Rule Medium Severity
  • Add noexec Option to Removable Media Partitions

    The <code>noexec</code> mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binari...
    Rule Medium Severity
  • Add nosuid Option to Removable Media Partitions

    The <code>nosuid</code> mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These perm...
    Rule Medium Severity
  • Restrict Programs from Dangerous Execution Patterns

    The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution ar...
    Group
  • Restrict Access to Kernel Message Buffer

    To set the runtime status of the <code>kernel.dmesg_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.dmesg...
    Rule Low Severity
  • Disable Core Dumps

    A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases,...
    Group
  • Disable Core Dumps for SUID programs

    To set the runtime status of the <code>fs.suid_dumpable</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.suid_dumpable=...
    Rule Medium Severity
  • Enable ExecShield

    ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These featu...
    Group
  • Enable ExecShield via sysctl

    By default on Red Hat Virtualization 4 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield o...
    Rule Medium Severity
  • Enable Randomized Layout of Virtual Address Space

    To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.r...
    Rule Medium Severity
  • Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems

    Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, th...
    Group
  • Install PAE Kernel on Supported 32-bit x86 Systems

    Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes t...
    Rule Unknown Severity
  • SELinux

    SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that p...
    Group
  • Ensure SELinux Not Disabled in /etc/default/grub

    SELinux can be disabled at boot time by an argument in <code>/etc/default/grub</code>. Remove any instances of <code>selinux=0</code> from the kern...
    Rule Medium Severity
  • Ensure No Device Files are Unlabeled by SELinux

    Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files ca...
    Rule Medium Severity
  • Ensure No Daemons are Unconfined by SELinux

    Daemons for which the SELinux policy does not contain rules will inherit the context of the parent process. Because daemons are launched during sta...
    Rule Medium Severity
  • Configure SELinux Policy

    The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To config...
    Rule Medium Severity
  • Ensure SELinux State is Enforcing

    The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub><...
    Rule High Severity
  • Map System Users To The Appropriate SELinux Role

    Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering...
    Rule Medium Severity
  • SELinux - Booleans

    Enable or Disable runtime customization of SELinux system policies without having to reload or recompile the SELinux policy.
    Group
  • Disable the abrt_anon_write SELinux Boolean

    By default, the SELinux boolean <code>abrt_anon_write</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>...
    Rule Medium Severity
  • Disable the abrt_handle_event SELinux Boolean

    By default, the SELinux boolean <code>abrt_handle_event</code> is disabled. If this setting is enabled, it should be disabled. To disable the <cod...
    Rule Medium Severity
  • Disable the abrt_upload_watch_anon_write SELinux Boolean

    By default, the SELinux boolean <code>abrt_upload_watch_anon_write</code> is enabled. This setting should be disabled as it allows the Automatic Bu...
    Rule Medium Severity
  • Enable the auditadm_exec_content SELinux Boolean

    By default, the SELinux boolean <code>auditadm_exec_content</code> is enabled. If this setting is disabled, it should be enabled. To enable the <c...
    Rule Medium Severity
  • Disable the cron_can_relabel SELinux Boolean

    By default, the SELinux boolean <code>cron_can_relabel</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code...
    Rule Medium Severity
  • Disable the cron_system_cronjob_use_shares SELinux Boolean

    By default, the SELinux boolean <code>cron_system_cronjob_use_shares</code> is disabled. If this setting is enabled, it should be disabled. To dis...
    Rule Medium Severity
  • Enable the cron_userdomain_transition SELinux Boolean

    By default, the SELinux boolean <code>cron_userdomain_transition</code> is enabled. This setting should be enabled as end user cron jobs run in the...
    Rule Medium Severity
  • Disable the daemons_dump_core SELinux Boolean

    By default, the SELinux boolean <code>daemons_dump_core</code> is disabled. If this setting is enabled, it should be disabled. To disable the <cod...
    Rule Medium Severity
  • Disable the daemons_use_tcp_wrapper SELinux Boolean

    By default, the SELinux boolean <code>daemons_use_tcp_wrapper</code> is disabled. If this setting is enabled, it should be disabled. To disable th...
    Rule Medium Severity
  • Disable the daemons_use_tty SELinux Boolean

    By default, the SELinux boolean <code>daemons_use_tty</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>...
    Rule Medium Severity
  • Configure the deny_execmem SELinux Boolean

    By default, the SELinux boolean <code>deny_execmem</code> is disabled. This setting should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproj...
    Rule Medium Severity
  • Disable the deny_ptrace SELinux Boolean

    By default, the SELinux boolean <code>deny_ptrace</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>deny...
    Rule Medium Severity
  • Enable the domain_fd_use SELinux Boolean

    By default, the SELinux boolean <code>domain_fd_use</code> is enabled. If this setting is disabled, it should be enabled. To enable the <code>doma...
    Rule Medium Severity
  • Disable the domain_kernel_load_modules SELinux Boolean

    By default, the SELinux boolean <code>domain_kernel_load_modules</code> is disabled. If this setting is enabled, it should be disabled. To disable...
    Rule Medium Severity
  • Enable the fips_mode SELinux Boolean

    By default, the SELinux boolean <code>fips_mode</code> is enabled. This allows all SELinux domains to execute in <code>fips_mode</code>. If this se...
    Rule Medium Severity
  • Disable the gpg_web_anon_write SELinux Boolean

    By default, the SELinux boolean <code>gpg_web_anon_write</code> is disabled. If this setting is enabled, it should be disabled. To disable the <co...
    Rule Medium Severity
  • Disable the guest_exec_content SELinux Boolean

    By default, the SELinux boolean <code>guest_exec_content</code> is enabled. This setting should be disabled as no guest accounts should be used. T...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules