I - Mission Critical Sensitive
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000033
<GroupDescription></GroupDescription>Group -
The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
<VulnDiscussion>Remote access is any access to an organizational information system by a user (or an information system) communicating throug...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
<VulnDiscussion>When data is written to portable digital media, such as thumb drives, floppy diskettes, compact disks, and magnetic tape, etc...Rule Medium Severity -
SRG-OS-000185
<GroupDescription></GroupDescription>Group -
The operating system must protect the confidentiality and integrity of information at rest.
<VulnDiscussion>When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digita...Rule Low Severity -
SRG-OS-000216
<GroupDescription></GroupDescription>Group -
The operating system must use cryptographic mechanisms to protect the integrity of audit information.
<VulnDiscussion>Protection of audit records and audit data is of critical importance. Cryptographic mechanisms are the industry established s...Rule Low Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
The sticky bit must be set on all world writable directories.
<VulnDiscussion>Files in directories that have had the "sticky bit" enabled can only be deleted by users that have both write permissions for...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Permissions on user home directories must be 750 or less permissive.
<VulnDiscussion>Group-writable or world-writable user home directories may enable malicious users to steal or modify other users' data or to ...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Permissions on user . (hidden) files must be 750 or less permissive.
<VulnDiscussion>Group-writable or world-writable user configuration files may enable malicious users to steal or modify other users' data or ...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Permissions on user .netrc files must be 750 or less permissive.
<VulnDiscussion>.netrc files may contain unencrypted passwords that can be used to attack other systems.</VulnDiscussion><FalsePosit...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
There must be no user .rhosts files.
<VulnDiscussion>Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from o...Rule High Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Groups assigned to users must exist in the /etc/group file.
<VulnDiscussion>Groups defined in passwd but not in group file pose a threat to system security since group permissions are not properly mana...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Users must have a valid home directory assignment.
<VulnDiscussion>All users must be assigned a home directory in the passwd file. Failure to have a home directory may result in the user being...Rule Low Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
All user accounts must be configured to use a home directory that exists.
<VulnDiscussion>If the user's home directory does not exist, the user will be placed in "/" and will not be able to write any files or have l...Rule Low Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
All home directories must be owned by the respective user assigned to it in /etc/passwd.
<VulnDiscussion>Since the user is accountable for files stored in the user's home directory, the user must be the owner of the directory.<...Rule Medium Severity -
SRG-OS-000104
<GroupDescription></GroupDescription>Group -
Duplicate User IDs (UIDs) must not exist for users within the organization.
<VulnDiscussion>Users within the organization must be assigned unique UIDs for accountability and to ensure appropriate access protections.&l...Rule Medium Severity -
SRG-OS-000121
<GroupDescription></GroupDescription>Group -
Duplicate UIDs must not exist for multiple non-organizational users.
<VulnDiscussion>Non-organizational users must be assigned unique UIDs for accountability and to ensure appropriate access protections.</Vu...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Duplicate Group IDs (GIDs) must not exist for multiple groups.
<VulnDiscussion>User groups must be assigned unique GIDs for accountability and to ensure appropriate access protections.</VulnDiscussion&...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Reserved UIDs 0-99 must only be used by system accounts.
<VulnDiscussion>If a user is assigned a UID that is in the reserved range, even if it is not presently in use, security exposures can arise i...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Duplicate user names must not exist.
<VulnDiscussion>If a user is assigned a duplicate user name, it will create and have access to files with the first UID for that username in ...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Duplicate group names must not exist.
<VulnDiscussion>If a group is assigned a duplicate group name, it will create and have access to files with the first GID for that group in g...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
User .netrc files must not exist.
<VulnDiscussion>The .netrc file presents a significant security risk since it stores passwords in unencrypted form.</VulnDiscussion><...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
The system must not allow users to configure .forward files.
<VulnDiscussion>Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organizati...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
World-writable files must not exist.
<VulnDiscussion>Data in world-writable files can be read, modified, and potentially compromised by any user on the system. World-writable fil...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
All valid SUID/SGID files must be documented.
<VulnDiscussion>There are valid reasons for SUID/SGID programs, but it is important to identify and review such programs to ensure they are l...Rule Low Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
The operating system must have no unowned files.
<VulnDiscussion>A new user who is assigned a deleted user's user ID or group ID may then end up owning these files, and thus have more access...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
The operating system must have no files with extended attributes.
<VulnDiscussion>Attackers or malicious users could hide information, exploits, etc. in extended attribute areas. Since extended attributes ar...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.