Skip to content
Log In

Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Intermediate

Rules and Groups employed by this XCCDF Profile

  • Configure SELinux Policy

    The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct ...
    Rule Medium Severity
    Show

  • Ensure SELinux State is Enforcing

    The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub></code> at system boot time. In the file <code>/et...
    Rule High Severity
    Show

  • Services

    The best protection against vulnerable software is running less software. This section describes how to review the software which Red Hat Enterprise Linux 9 installs on a system and disable softwar...
    Group
    Show

  • DNS Server

    Most organizations have an operational need to run at least one nameserver. However, there are many common attacks involving DNS server software, and this server software should be disabled on any ...
    Group
    Show

  • Disable DNS Server

    DNS software should be disabled on any systems which does not need to be a nameserver. Note that the BIND DNS server software is not installed on Red Hat Enterprise Linux 9 by default. The remainde...
    Group
    Show

  • Uninstall bind Package

    The named service is provided by the bind package. The bind package can be removed with the following command: 
    $ sudo dnf erase bind
    Rule Low Severity
    Show

  • FTP Server

    FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data transmitted during the session can be captured an...
    Group
    Show

  • Disable vsftpd if Possible

    To minimize attack surface, disable vsftpd if at all possible.
    Group
    Show

  • Uninstall vsftpd Package

    The vsftpd package can be removed with the following command: 
     $ sudo dnf erase vsftpd
    Rule High Severity
    Show

  • IMAP and POP3 Server

    Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at <a href="http://www.dovecot.org">http://www.dovecot.org</a> contains more detailed information abou...
    Group
    Show

  • Disable Cyrus IMAP

    If the system does not need to operate as an IMAP or POP3 server, the Cyrus IMAP software should be removed.
    Group
    Show

  • Uninstall cyrus-imapd Package

    The cyrus-imapd package can be removed with the following command: 
    $ sudo dnf erase cyrus-imapd
    Rule Unknown Severity
    Show

  • Disable Dovecot

    If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.
    Group
    Show

  • Uninstall dovecot Package

    The dovecot package can be removed with the following command: 
    $ sudo dnf erase dovecot
    Rule Unknown Severity
    Show

  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...
    Group
    Show

  • The Chrony package is installed

    System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize th...
    Rule Medium Severity
    Show

  • Ensure that chronyd is running under chrony user account

    chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More informati...
    Rule Medium Severity
    Show

  • A remote time server for Chrony is configured

    <code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. M...
    Rule Medium Severity
    Show

  • Obsolete Services

    This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best a...
    Group
    Show

  • Telnet

    The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication information such as passwords. Organizations which use tel...
    Group
    Show

  • Uninstall telnet-server Package

    The telnet-server package can be removed with the following command: 
    $ sudo dnf erase telnet-server
    Rule High Severity
    Show

  • TFTP Server

    TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides little security, and modern versions of networking oper...
    Group
    Show

  • Uninstall tftp-server Package

    The tftp-server package can be removed with the following command: 
     $ sudo dnf erase tftp-server
    Rule High Severity
    Show

  • Proxy Server

    A proxy server is a very desirable target for a potential adversary because much (or all) sensitive data for a given infrastructure may flow through it. Therefore, if one is required, the system ac...
    Group
    Show

  • Disable Squid if Possible

    If Squid was installed and activated, but the system does not need to act as a proxy server, then it should be disabled and removed.
    Group
    Show

  • Uninstall squid Package

    The squid package can be removed with the following command: 
     $ sudo dnf erase squid
    Rule Unknown Severity
    Show

  • SNMP Server

    The Simple Network Management Protocol allows administrators to monitor the state of network devices, including computers. Older versions of SNMP were well-known for weak security, such as plaintex...
    Group
    Show

  • Disable SNMP Server if Possible

    The system includes an SNMP daemon that allows for its remote monitoring, though it not installed by default. If it was installed and activated but is not needed, the software should be disabled an...
    Group
    Show

  • Uninstall net-snmp Package

    The net-snmp package provides the snmpd service. The net-snmp package can be removed with the following command: 
    $ sudo dnf erase net-snmp
    Rule Unknown Severity
    Show

  • SSH Server

    The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, throu...
    Group
    Show

  • Configure OpenSSH Server if Necessary

    If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_config</code>. The following recommendations can be app...
    Group
    Show

  • Set SSH Client Alive Count Max

    The SSH server sends at most <code>ClientAliveCountMax</code> messages during a SSH session and waits for a response from the SSH client. The option <code>ClientAliveInterval</code> configures time...
    Rule Medium Severity
    Show

  • Set SSH Client Alive Interval

    SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automatically logged out. <br> <br> To se...
    Rule Medium Severity
    Show

  • Enable SSH Warning Banner

    To enable the warning banner and ensure it is consistent across the system, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>: <pre>Banne...
    Rule Medium Severity
    Show

  • Limit Users' SSH Access

    By default, the SSH configuration allows any user with an account to access the system. There are several options available to limit which users and group can access the system via SSH. It is recom...
    Rule Unknown Severity
    Show

  • USBGuard daemon

    The USBGuard daemon enforces the USB device authorization policy for all USB devices.
    Group
    Show

  • Install usbguard Package

    The usbguard package can be installed with the following command: 
    $ sudo dnf install usbguard
    Rule Medium Severity
    Show

  • Enable the USBGuard Service

    The USBGuard service should be enabled. The usbguard service can be enabled with the following command: 
    $ sudo systemctl enable usbguard.service
    Rule Medium Severity
    Show

  • Generate USBGuard Policy

    By default USBGuard when enabled prevents access to all USB devices and this lead to inaccessible system if they use USB mouse/keyboard. To prevent this scenario, the initial policy configuration m...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules