Australian Cyber Security Centre (ACSC) ISM Official
Rules and Groups employed by this XCCDF Profile
-
Proxy Server
A proxy server is a very desirable target for a potential adversary because much (or all) sensitive data for a given infrastructure may flow throug...Group -
Disable Squid if Possible
If Squid was installed and activated, but the system does not need to act as a proxy server, then it should be disabled and removed.Group -
Uninstall squid Package
Thesquidpackage can be removed with the following command:$ sudo dnf erase squid
Rule Unknown Severity -
Disable Squid
Thesquidservice can be disabled with the following command:$ sudo systemctl mask --now squid.service
Rule Unknown Severity -
Network Routing
A router is a very desirable target for a potential adversary because they fulfill a variety of infrastructure networking roles such as access to ...Group -
Disable Quagga if Possible
If Quagga was installed and activated, but the system does not need to act as a router, then it should be disabled and removed.Group -
Uninstall quagga Package
Thequaggapackage can be removed with the following command:$ sudo dnf erase quagga
Rule Low Severity -
SNMP Server
The Simple Network Management Protocol allows administrators to monitor the state of network devices, including computers. Older versions of SNMP w...Group -
Disable SNMP Server if Possible
The system includes an SNMP daemon that allows for its remote monitoring, though it not installed by default. If it was installed and activated but...Group -
Disable snmpd Service
Thesnmpdservice can be disabled with the following command:$ sudo systemctl mask --now snmpd.service
Rule Low Severity -
Configure SNMP Server if Necessary
If it is necessary to run the snmpd agent on the system, some best practices should be followed to minimize the security risk from the installation...Group -
Configure SNMP Service to Use Only SNMPv3 or Newer
Edit <code>/etc/snmp/snmpd.conf</code>, removing any references to <code>rocommunity</code>, <code>rwcommunity</code>, or <code>com2sec</code>. Upo...Rule Medium Severity -
SSH Server
The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between tw...Group -
Verify Permissions on SSH Server Private *_key Key Files
SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by t...Rule Medium Severity -
Configure OpenSSH Server if Necessary
If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_confi...Group -
Disable Host-Based Authentication
SSH's cryptographic host-based authentication is more secure than <code>.rhosts</code> authentication. However, it is not recommended that hosts un...Rule Medium Severity -
Enable SSH Server firewalld Firewall Exception
If the SSH server is in use, inbound connections to SSH's port should be allowed to permit remote access through SSH. In more restrictive firewalld...Rule Medium Severity -
Allow Only SSH Protocol 2
Only SSH protocol version 2 connections should be permitted. The default setting in <code>/etc/ssh/sshd_config</code> is correct, and can be verifi...Rule High Severity -
Disable SSH Access via Empty Passwords
Disallow SSH login with empty passwords. The default SSH configuration disables logins with empty passwords. The appropriate configuration is used ...Rule High Severity -
Disable GSSAPI Authentication
Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI. <br> The default SSH configuration disallows ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.