Standard System Security Profile for openEuler 22.03 LTS
Rules and Groups employed by this XCCDF Profile
-
System Settings
Contains rules that check correct system settings.Group -
Installing and Maintaining Software
The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of s...Group -
System and Software Integrity
System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software,...Group -
Software Integrity Checking
Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integr...Group -
Verify Integrity with AIDE
AIDE conducts integrity checks by comparing information about files with previously-gathered information. Ideally, the AIDE database is created imm...Group -
Install AIDE
Theaidepackage can be installed with the following command:$ sudo dnf install aide
Rule Medium Severity -
Build and Test AIDE Database
Run the following command to generate a new database: <pre>$ sudo /usr/sbin/aide --init</pre> By default, the database will be written to the fil...Rule Medium Severity -
System Cryptographic Policies
Linux has the capability to centrally configure cryptographic polices. The command <code>update-crypto-policies</code> is used to set the policy ap...Group -
Configure System Cryptography Policy
To configure the system cryptography policy to use ciphers only from the <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_system_...Rule High Severity -
Sudo
<code>Sudo</code>, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrato...Group -
The operating system must restrict privilege elevation to authorized personnel
The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms yo...Rule Medium Severity -
Updating Software
The <code>dnf</code> command line tool is used to install and update software packages. The system also provides a graphical software update tool i...Group -
Ensure gpgcheck Enabled In Main dnf Configuration
The <code>gpgcheck</code> option controls whether RPM packages' signatures are always checked prior to installation. To configure dnf to check pack...Rule High Severity -
Ensure gpgcheck Enabled for All dnf Package Repositories
To ensure signature checking is not disabled for any repos, remove any lines from files in <code>/etc/yum.repos.d</code> of the form: <pre>gpgcheck...Rule High Severity -
Account and Access Control
In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which...Group -
Warning Banners for System Accesses
Each system should expose as little information about itself as possible. <br> <br> System banners, which are typically displayed just befor...Group -
Verify Group Ownership of System Login Banner
To properly set the group owner of/etc/issue, run the command:$ sudo chgrp root /etc/issue
Rule Medium Severity -
Verify Group Ownership of System Login Banner for Remote Connections
To properly set the group owner of/etc/issue.net, run the command:$ sudo chgrp root /etc/issue.net
Rule Medium Severity -
Verify Group Ownership of Message of the Day Banner
To properly set the group owner of/etc/motd, run the command:$ sudo chgrp root /etc/motd
Rule Medium Severity -
Verify ownership of System Login Banner
To properly set the owner of/etc/issue, run the command:$ sudo chown root /etc/issue
Rule Medium Severity -
Verify ownership of System Login Banner for Remote Connections
To properly set the owner of/etc/issue.net, run the command:$ sudo chown root /etc/issue.net
Rule Medium Severity -
Verify ownership of Message of the Day Banner
To properly set the owner of/etc/motd, run the command:$ sudo chown root /etc/motd
Rule Medium Severity -
Verify permissions on System Login Banner
To properly set the permissions of/etc/issue, run the command:$ sudo chmod 0644 /etc/issue
Rule Medium Severity -
Verify permissions on System Login Banner for Remote Connections
To properly set the permissions of/etc/issue.net, run the command:$ sudo chmod 0644 /etc/issue.net
Rule Medium Severity -
Verify permissions on Message of the Day Banner
To properly set the permissions of/etc/motd, run the command:$ sudo chmod 0644 /etc/motd
Rule Medium Severity -
Protect Accounts by Configuring PAM
PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and confi...Group -
Set Lockouts for Failed Password Attempts
The <code>pam_faillock</code> PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentati...Group -
Limit Password Reuse
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_unix</code> or <...Rule Medium Severity -
Lock Accounts After Failed Password Attempts
This rule configures the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>. pam_faillock.so...Rule Medium Severity -
Set Lockout Time for Failed Password Attempts
This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using <code>pam_fail...Rule Medium Severity -
Set Password Quality Requirements
The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure pas...Group -
Set Password Quality Requirements with pam_pwquality
The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br> <br> For example, to conf...Group -
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
The pam_pwquality module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, a...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words
The pam_pwquality module's <code>dictcheck</code> check if passwords contains dictionary words. When <code>dictcheck</code> is set to <code>1</code...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Enforce for root User
The pam_pwquality module's <code>enforce_for_root</code> parameter controls requirements for enforcing password complexity for the root user. Enabl...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
The pam_pwquality module's <code>lcredit</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negativ...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Different Categories
The pam_pwquality module's <code>minclass</code> parameter controls requirements for usage of different character classes, or types, of character t...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Length
The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xcc...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Special Characters
The pam_pwquality module's <code>ocredit=</code> parameter controls requirements for usage of special (or "other") characters in a password. When s...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
To configure the number of retry prompts that are permitted per-session: Edit the <code>pam_pwquality.so</code> statement in <code>/etc/pam.d/sys...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
The pam_pwquality module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negati...Rule Medium Severity -
Set Password Hashing Algorithm
The system's default algorithm for storing password hashes in/etc/shadowis SHA-512. This can be configured in several locations.Group -
Set PAM''s Password Hashing Algorithm - password-auth
The PAM system service can be configured to only store encrypted representations of passwords. In <code>/etc/pam.d/password-auth</code>, the <code>...Rule Medium Severity -
Set PAM''s Password Hashing Algorithm
The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/system-auth", the <code>password</cod...Rule Medium Severity -
Protect Physical Console Access
It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be co...Group -
Disable debug-shell SystemD Service
SystemD's <code>debug-shell</code> service is intended to diagnose SystemD related boot issues with various <code>systemctl</code> commands. Once e...Rule Medium Severity -
Require Authentication for Emergency Systemd Target
Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence. <br> ...Rule Medium Severity -
Protect Accounts by Restricting Password-Based Login
Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness ...Group -
Ensure All Accounts on the System Have Unique User IDs
Change user IDs (UIDs), or delete accounts, so each has a unique name.Rule Medium Severity -
Ensure All Groups on the System Have Unique Group ID
Change the group name or delete groups, so each has a unique id.Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.