Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Advanced
Rules and Groups employed by this XCCDF Profile
-
Disable Dovecot
If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.Group -
Uninstall dovecot Package
Thedovecotpackage can be removed with the following command:$ sudo dnf erase dovecot
Rule Unknown Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...Group -
The Chrony package is installed
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize th...Rule Medium Severity -
Ensure that chronyd is running under chrony user account
chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More informati...Rule Medium Severity -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. M...Rule Medium Severity -
Obsolete Services
This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best a...Group -
Telnet
The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication information such as passwords. Organizations which use tel...Group -
Uninstall telnet-server Package
Thetelnet-serverpackage can be removed with the following command:$ sudo dnf erase telnet-server
Rule High Severity -
TFTP Server
TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides little security, and modern versions of networking oper...Group -
Uninstall tftp-server Package
Thetftp-serverpackage can be removed with the following command:$ sudo dnf erase tftp-server
Rule High Severity -
Proxy Server
A proxy server is a very desirable target for a potential adversary because much (or all) sensitive data for a given infrastructure may flow through it. Therefore, if one is required, the system ac...Group -
Disable Squid if Possible
If Squid was installed and activated, but the system does not need to act as a proxy server, then it should be disabled and removed.Group -
Uninstall squid Package
Thesquidpackage can be removed with the following command:$ sudo dnf erase squid
Rule Unknown Severity -
SNMP Server
The Simple Network Management Protocol allows administrators to monitor the state of network devices, including computers. Older versions of SNMP were well-known for weak security, such as plaintex...Group -
Disable SNMP Server if Possible
The system includes an SNMP daemon that allows for its remote monitoring, though it not installed by default. If it was installed and activated but is not needed, the software should be disabled an...Group -
Uninstall net-snmp Package
Thenet-snmppackage provides the snmpd service. Thenet-snmppackage can be removed with the following command:$ sudo dnf erase net-snmp
Rule Unknown Severity -
SSH Server
The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, throu...Group -
Configure OpenSSH Server if Necessary
If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_config</code>. The following recommendations can be app...Group -
Set SSH Client Alive Count Max
The SSH server sends at most <code>ClientAliveCountMax</code> messages during a SSH session and waits for a response from the SSH client. The option <code>ClientAliveInterval</code> configures time...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules