Skip to content

Standard System Security Profile for Anolis OS 23

Rules and Groups employed by this XCCDF Profile

  • Disable vsftpd Service

    The vsftpd service can be disabled with the following command:
    $ sudo systemctl mask --now vsftpd.service
    Rule Medium Severity
  • Web Server

    The web server is responsible for providing access to content via the HTTP protocol. Web servers represent a significant security risk because: <br...
    Group
  • Disable Apache if Possible

    If Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system.
    Group
  • Disable httpd Service

    The httpd service can be disabled with the following command:
    $ sudo systemctl mask --now httpd.service
    Rule Unknown Severity
  • IMAP and POP3 Server

    Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at <a href="http://www.dovecot.org">http://www.dovec...
    Group
  • Disable Dovecot

    If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.
    Group
  • Disable Dovecot Service

    The dovecot service can be disabled with the following command:
    $ sudo systemctl mask --now dovecot.service
    Rule Unknown Severity
  • LDAP

    LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. Anolis OS 23 includes software ...
    Group
  • Configure OpenLDAP Server

    This section details some security-relevant settings for an OpenLDAP server.
    Group
  • Disable LDAP Server (slapd)

    The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database.
    Rule Medium Severity
  • NFS and RPC

    The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circ...
    Group
  • Disable All NFS Services if Possible

    If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable sub...
    Group
  • Disable Services Used Only by NFS

    If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. <br><br> All of these daemons run with elevated privileges, a...
    Group
  • Disable rpcbind Service

    The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they a...
    Rule Low Severity
  • Configure NFS Clients

    The steps in this section are appropriate for systems which operate as NFS clients.
    Group
  • Disable NFS Server Daemons

    There is no need to run the NFS server daemons <code>nfs</code> and <code>rpcsvcgssd</code> except on a small number of properly secured systems de...
    Group
  • Disable Network File System (nfs)

    The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is...
    Rule Unknown Severity
  • Obsolete Services

    This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or...
    Group
  • Ensure rsyncd service is disabled

    The rsyncd service can be disabled with the following command:
    $ sudo systemctl mask --now rsyncd.service
    Rule Medium Severity
  • NIS

    The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and oth...
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules