Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Rules and Groups employed by this XCCDF Profile
-
Configure auditing of unsuccessful permission changes
Ensure that unsuccessful attempts to change file or directory permissions are audited. The following rules configure audit as described above: <pre>## Unsuccessful permission change -a always,exit...Rule Medium Severity -
Configure auditing of successful permission changes
Ensure that successful attempts to modify permissions of files or directories are audited. The following rules configure audit as described above: <pre>## Successful permission change -a always,ex...Rule Medium Severity -
GRUB2 bootloader configuration
During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows for the selection of different kernels - possibly ...Group -
Disable Recovery Booting
Red Hat Enterprise Linux 8 systems support an "recovery boot" option that can be used to prevent services from being started. The <code>GRUB_DISABLE_RECOVERY</code> configuration option in <code>/e...Rule Medium Severity -
Configure kernel to trust the CPU random number generator
There exist two ways how to ensure that the Linux kernel trusts the CPU hardware random number generator. If the option is configured during kernel compilation, e.g. the option <code>CONFIG_RANDOM_...Rule Medium Severity -
Enable Kernel Page-Table Isolation (KPTI)
To enable Kernel page-table isolation, add the argument <code>pti=on</code> to the default GRUB 2 command line for the Linux operating system. To ensure that <code>pti=on</code> is added as a kerne...Rule Low Severity -
Disable vsyscalls
To disable use of virtual syscalls, add the argument <code>vsyscall=none</code> to the default GRUB 2 command line for the Linux operating system. To ensure that <code>vsyscall=none</code> is added...Rule Medium Severity -
UEFI GRUB2 bootloader configuration
UEFI GRUB2 bootloader configurationGroup -
Set the UEFI Boot Loader Password
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br> <br> Since plaintext passwords are a security risk, generat...Rule High Severity -
zIPL bootloader configuration
During the boot process, the bootloader is responsible for starting the execution of the kernel and passing options to it. The default Red Hat Enterprise Linux 8 boot loader for s390x systems is ca...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules