Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
Rules and Groups employed by this XCCDF Profile
-
System Settings
Contains rules that check correct system settings.Group -
Installing and Maintaining Software
The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of s...Group -
System and Software Integrity
System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software,...Group -
Software Integrity Checking
Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integr...Group -
Verify Integrity with AIDE
AIDE conducts integrity checks by comparing information about files with previously-gathered information. Ideally, the AIDE database is created imm...Group -
Install AIDE
Theaide
package can be installed with the following command:$ sudo yum install aide
Rule Medium Severity -
Disk Partitioning
To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logic...Group -
Ensure /tmp Located On Separate Partition
The <code>/tmp</code> directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at...Rule Low Severity -
Ensure /var Located On Separate Partition
The <code>/var</code> directory is used by daemons and other system services to store frequently-changing data. Ensure that <code>/var</code> has i...Rule Low Severity -
Ensure /var/log Located On Separate Partition
System logs are stored in the <code>/var/log</code> directory. Ensure that <code>/var/log</code> has its own partition or logical volume at instal...Rule Low Severity -
Ensure /var/log/audit Located On Separate Partition
Audit logs are stored in the <code>/var/log/audit</code> directory. Ensure that <code>/var/log/audit</code> has its own partition or logical volum...Rule Low Severity -
Updating Software
The <code>yum</code> command line tool is used to install and update software packages. The system also provides a graphical software update tool i...Group -
Ensure gpgcheck Enabled In Main yum Configuration
The <code>gpgcheck</code> option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check pack...Rule High Severity -
Ensure gpgcheck Enabled for All yum Package Repositories
To ensure signature checking is not disabled for any repos, remove any lines from files in <code>/etc/yum.repos.d</code> of the form: <pre>gpgcheck...Rule High Severity -
Ensure Red Hat GPG Key Installed
To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them),...Rule High Severity -
Ensure Software Patches Installed
If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: <pre>$ ...Rule Medium Severity -
Account and Access Control
In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which...Group -
Protect Accounts by Configuring PAM
PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and confi...Group -
Set Lockouts for Failed Password Attempts
The <code>pam_faillock</code> PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentati...Group -
Limit Password Reuse
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_unix</code> or <...Rule Medium Severity -
Lock Accounts After Failed Password Attempts
This rule configures the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>. pam_faillock.so...Rule Medium Severity -
Set Password Quality Requirements
The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure pas...Group -
Set Password Quality Requirements with pam_pwquality
The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br><br> For example, to configure <cod...Group -
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
The pam_pwquality module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, a...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Different Characters
The pam_pwquality module's <code>difok</code> parameter sets the number of characters in a password that must not be present in and old password du...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
The pam_pwquality module's <code>lcredit</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negativ...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Special Characters
The pam_pwquality module's <code>ocredit=</code> parameter controls requirements for usage of special (or "other") characters in a password. When s...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
To configure the number of retry prompts that are permitted per-session: Edit the <code>pam_pwquality.so</code> statement in <code>/etc/pam.d/sys...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
The pam_pwquality module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negati...Rule Medium Severity -
Set Password Hashing Algorithm
The system's default algorithm for storing password hashes in/etc/shadow
is SHA-512. This can be configured in several locations.Group -
Set Password Hashing Algorithm in /etc/libuser.conf
In <code>/etc/libuser.conf</code>, add or correct the following line in its <code>[defaults]</code> section to ensure the system will use the SHA-5...Rule Medium Severity -
Set Password Hashing Algorithm in /etc/login.defs
In <code>/etc/login.defs</code>, add or correct the following line to ensure the system will use <xccdf-1.2:sub idref="xccdf_org.ssgproject.content...Rule Medium Severity -
Set PAM''s Password Hashing Algorithm
The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/system-auth", the <code>password</cod...Rule Medium Severity -
Protect Physical Console Access
It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be co...Group -
Require Authentication for Single User Mode
Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. ...Rule Medium Severity -
Protect Accounts by Restricting Password-Based Login
Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness ...Group -
Set Password Expiration Parameters
The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>...Group -
Set Password Minimum Age
To specify password minimum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_D...Rule Medium Severity -
Set Password Warning Age
To specify how many days prior to password expiration that a warning will be issued to users, edit the file <code>/etc/login.defs</code> and add or...Rule Medium Severity -
Verify Proper Storage and Existence of Password Hashes
By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be re...Group -
Verify All Account Password Hashes are Shadowed
If any password hashes are stored in <code>/etc/passwd</code> (in the second field, instead of an <code>x</code> or <code>*</code>), the cause of t...Rule Medium Severity -
Prevent Login to Accounts With Empty Password
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without ...Rule High Severity -
Restrict Root Logins
Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivil...Group -
Verify Only Root Has UID 0
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or h...Rule High Severity -
Ensure that System Accounts Do Not Run a Shell Upon Login
Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. Should an attacker be able to...Rule Medium Severity -
System Accounting with auditd
The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and c...Group -
Configure auditd Rules for Comprehensive Auditing
The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings ...Group -
System Audit Logs Must Have Mode 0640 or Less Permissive
Determine where the audit logs are stored with the following command: <pre>$ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/aud...Rule Medium Severity -
GRUB2 bootloader configuration
During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows ...Group -
Non-UEFI GRUB2 bootloader configuration
Non-UEFI GRUB2 bootloader configurationGroup
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.