Standard System Security Profile for Alibaba Cloud Linux 3
Rules and Groups employed by this XCCDF Profile
-
Record File Deletion Events by User
At a minimum, the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit r...Group -
Ensure auditd Collects File Deletion Events by User
At a minimum the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit ru...Rule Medium Severity -
Record Unauthorized Access Attempts Events to Files (unsuccessful)
At a minimum, the audit system should collect unauthorized file accesses for all users and root. Note that the "-F arch=b32" lines should be present even on a 64 bit system. These commands identify...Group -
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
At a minimum the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read au...Rule Medium Severity -
Record Information on Kernel Modules Loading and Unloading
To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: <pr...Group -
Ensure auditd Collects Information on Kernel Module Loading and Unloading
To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: <pr...Rule Medium Severity -
File Permissions and Masks
Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access. <br> <br> Severa...Group -
Verify Permissions on Important Files and Directories
Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verifie...Group -
Ensure All SGID Executables Are Authorized
The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is determine if any were not install...Rule Medium Severity -
Ensure All SUID Executables Are Authorized
The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SUID files is determine if any were not installe...Rule Medium Severity -
Restrict Dynamic Mounting and Unmounting of Filesystems
Linux includes a number of facilities for the automated addition and removal of filesystems on a running system. These facilities may be necessary in many environments, but this capability also ca...Group -
Disable the Automounter
The <code>autofs</code> daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default c...Rule Medium Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Alibaba Cloud Linux 3 installs on a system and disable software whi...Group -
Base Services
This section addresses the base services that are installed on a Alibaba Cloud Linux 3 default installation which are not covered in other sections. Some of these services listen on the network and...Group -
Disable Automatic Bug Reporting Tool (abrtd)
The Automatic Bug Reporting Tool (<code>abrtd</code>) daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to syst...Rule Medium Severity -
Disable ntpdate Service (ntpdate)
The <code>ntpdate</code> service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in <code>/etc/ntp/step-tickers</code> or <code...Rule Low Severity -
Disable Odd Job Daemon (oddjobd)
The <code>oddjobd</code> service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communicati...Rule Medium Severity -
Disable Apache Qpid (qpidd)
The <code>qpidd</code> service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind ...Rule Low Severity -
Disable Network Router Discovery Daemon (rdisc)
The <code>rdisc</code> service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered the...Rule Medium Severity -
Cron and At Daemons
The cron and at services are used to allow commands to be executed at a later time. The cron service is required by almost all systems to perform necessary maintenance tasks, while at may or may no...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.