Skip to content

I - Mission Critical Public

Rules and Groups employed by this XCCDF Profile

  • SRG-OS-000029

    <GroupDescription></GroupDescription>
    Group
  • Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity.

    &lt;VulnDiscussion&gt;Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to t...
    Rule Medium Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • The system must prevent the use of dictionary words for passwords.

    &lt;VulnDiscussion&gt;The use of common words in passwords simplifies password-cracking attacks.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/F...
    Rule Medium Severity
  • SRG-OS-000109

    <GroupDescription></GroupDescription>
    Group
  • The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.

    &lt;VulnDiscussion&gt;Allowing any user to elevate their privileges can allow them excessive control of the system tools.&lt;/VulnDiscussion&gt;&lt...
    Rule Medium Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • The default umask for system and users must be 077.

    &lt;VulnDiscussion&gt;Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions.&lt;/Vu...
    Rule Medium Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • The default umask for FTP users must be 077.

    &lt;VulnDiscussion&gt;Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions.&lt;/Vu...
    Rule Low Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • The value mesg n must be configured as the default setting for all users.

    &lt;VulnDiscussion&gt;The "mesg n" command blocks attempts to use the "write" or "talk" commands to contact users at their terminals, but has the s...
    Rule Low Severity
  • SRG-OS-000003

    <GroupDescription></GroupDescription>
    Group
  • User accounts must be locked after 35 days of inactivity.

    &lt;VulnDiscussion&gt;Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an applicatio...
    Rule Medium Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • Login services for serial ports must be disabled.

    &lt;VulnDiscussion&gt;Login services should not be enabled on any serial ports that are not strictly required to support the mission of the system....
    Rule Medium Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • The nobody access for RPC encryption key storage service must be disabled.

    &lt;VulnDiscussion&gt;If login by the user "nobody" is allowed for secure RPC, there is an increased risk of system compromise. If keyserv holds a ...
    Rule Medium Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • X11 forwarding for SSH must be disabled.

    &lt;VulnDiscussion&gt;As enabling X11 Forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote ...
    Rule Medium Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • Consecutive login attempts for SSH must be limited to 3.

    &lt;VulnDiscussion&gt;Setting the authentication login limit to a low value will disconnect the attacker and force a reconnect, which severely limi...
    Rule Low Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • The rhost-based authentication for SSH must be disabled.

    &lt;VulnDiscussion&gt;Setting this parameter forces users to enter a password when authenticating with SSH.&lt;/VulnDiscussion&gt;&lt;FalsePositive...
    Rule Medium Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • Direct root account login must not be permitted for SSH access.

    &lt;VulnDiscussion&gt;The system should not allow users to log in as the root user directly, as audited actions would be non-attributable to a spec...
    Rule Medium Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • Login must not be permitted with empty/null passwords for SSH.

    &lt;VulnDiscussion&gt;Permitting login without a password is inherently risky.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&...
    Rule High Severity
  • SRG-OS-000163

    <GroupDescription></GroupDescription>
    Group
  • The operating system must terminate the network connection associated with a communications session at the end of the session or after 10 minutes of inactivity.

    &lt;VulnDiscussion&gt;This requirement applies to both internal and external networks. Terminating network connections associated with communicat...
    Rule Low Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • Host-based authentication for login-based services must be disabled.

    &lt;VulnDiscussion&gt;The use of .rhosts authentication is an insecure protocol and can be replaced with public-key authentication using Secure She...
    Rule Medium Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • The use of FTP must be restricted.

    &lt;VulnDiscussion&gt;FTP is an insecure protocol that transfers files and credentials in clear text, and can be replaced by using SFTP. However, i...
    Rule Medium Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • The system must not allow autologin capabilities from the GNOME desktop.

    &lt;VulnDiscussion&gt;As automatic logins are a known security risk for other than "kiosk" types of systems, GNOME automatic login should be disabl...
    Rule High Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • Unauthorized use of the at or cron capabilities must not be permitted.

    &lt;VulnDiscussion&gt;On many systems, only the system administrator needs the ability to schedule jobs. Even though a given user is not listed in...
    Rule Medium Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • Logins to the root account must be restricted to the system console only.

    &lt;VulnDiscussion&gt;Use an authorized mechanism such as RBAC and the "su" command to provide administrative access to unprivileged accounts. Thes...
    Rule Medium Severity
  • SRG-OS-000025

    <GroupDescription></GroupDescription>
    Group
  • The operating system, upon successful logon, must display to the user the date and time of the last logon (access).

    &lt;VulnDiscussion&gt;Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date a...
    Rule Low Severity
  • SRG-OS-000030

    <GroupDescription></GroupDescription>
    Group
  • The operating system must provide the capability for users to directly initiate session lock mechanisms.

    &lt;VulnDiscussion&gt;A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the ...
    Rule Medium Severity
  • SRG-OS-000031

    <GroupDescription></GroupDescription>
    Group
  • The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.

    &lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinit...
    Rule Medium Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • The operating system must not allow logins for users with blank passwords.

    &lt;VulnDiscussion&gt;If the password field is blank and the system does not enforce a policy that passwords are required, it could allow login wit...
    Rule High Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.

    &lt;VulnDiscussion&gt;This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings ...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules