DRAFT - Health Insurance Portability and Accountability Act (HIPAA)
Rules and Groups employed by this XCCDF Profile
-
Ensure rsyslog is Installed
Rsyslog is installed by default. The <code>rsyslog</code> package can be installed with the following command: <pre> $ sudo dnf install rsyslog</pr...Rule Medium Severity -
Enable rsyslog Service
The <code>rsyslog</code> service provides syslog-style logging by default on Red Hat Enterprise Linux 10. The <code>rsyslog</code> service can be ...Rule Medium Severity -
Rsyslog Logs Sent To Remote Host
If system logs are to be useful in detecting malicious activities, it is necessary to send logs to a remote server. An intruder who has compromised...Group -
Ensure Logs Sent To Remote Host
To configure rsyslog to send logs to a remote log server, open <code>/etc/rsyslog.conf</code> and read and understand the last section of the file,...Rule Medium Severity -
Network Configuration and Firewalls
Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses th...Group -
IPSec Support
Support for Internet Protocol Security (IPsec) is provided with Libreswan.Group -
Verify Any Configured IPSec Tunnel Connections
Libreswan provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. As such, IPsec can be ...Rule Medium Severity -
File Permissions and Masks
Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which t...Group -
Restrict Dynamic Mounting and Unmounting of Filesystems
Linux includes a number of facilities for the automated addition and removal of filesystems on a running system. These facilities may be necessary...Group -
Disable the Automounter
The <code>autofs</code> daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be...Rule Medium Severity -
Disable Kernel Support for USB via Bootloader Configuration
All USB support can be disabled by adding the <code>nousb</code> argument to the kernel's boot loader configuration. To do so, append "nousb" to th...Rule Unknown Severity -
Disable Modprobe Loading of USB Storage Driver
To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. ...Rule Medium Severity -
Restrict Programs from Dangerous Execution Patterns
The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution ar...Group -
Restrict Access to Kernel Message Buffer
To set the runtime status of the <code>kernel.dmesg_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.dmesg...Rule Low Severity -
Disable Core Dumps
A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases,...Group -
Disable Core Dumps for SUID programs
To set the runtime status of the <code>fs.suid_dumpable</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.suid_dumpable=...Rule Medium Severity -
Enable ExecShield
ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These featu...Group -
Enable ExecShield via sysctl
By default on Red Hat Enterprise Linux 10 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShiel...Rule Medium Severity -
Enable Randomized Layout of Virtual Address Space
To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.r...Rule Medium Severity -
SELinux
SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that p...Group -
Ensure SELinux Not Disabled in /etc/default/grub
SELinux can be disabled at boot time by an argument in <code>/etc/default/grub</code>. Remove any instances of <code>selinux=0</code> from the kern...Rule Medium Severity -
Ensure No Daemons are Unconfined by SELinux
Daemons for which the SELinux policy does not contain rules will inherit the context of the parent process. Because daemons are launched during sta...Rule Medium Severity -
Configure SELinux Policy
The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To config...Rule Medium Severity -
Ensure SELinux State is Enforcing
The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub><...Rule High Severity -
SELinux - Booleans
Enable or Disable runtime customization of SELinux system policies without having to reload or recompile the SELinux policy.Group -
Disable the selinuxuser_execheap SELinux Boolean
By default, the SELinux boolean <code>selinuxuser_execheap</code> is disabled. When enabled this boolean is enabled it allows selinuxusers to execu...Rule Medium Severity -
Enable the selinuxuser_execmod SELinux Boolean
By default, the SELinux boolean <code>selinuxuser_execmod</code> is enabled. If this setting is disabled, it should be enabled. To enable the <cod...Rule Medium Severity -
Disable the selinuxuser_execstack SELinux Boolean
By default, the SELinux boolean <code>selinuxuser_execstack</code> is enabled. This setting should be disabled as unconfined executables should not...Rule Medium Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Red Hat Enterpris...Group -
Base Services
This section addresses the base services that are installed on a Red Hat Enterprise Linux 10 default installation which are not covered in other se...Group -
Disable KDump Kernel Crash Analyzer (kdump)
The <code>kdump</code> service provides a kernel crash dump analyzer. It uses the <code>kexec</code> system call to boot a secondary kernel ("captu...Rule Medium Severity -
Cron and At Daemons
The cron and at services are used to allow commands to be executed at a later time. The cron service is required by almost all systems to perform n...Group -
Install the cron service
The Cron service should be installed.Rule Medium Severity -
Enable cron Service
The <code>crond</code> service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary mainte...Rule Medium Severity -
Enable cron Service
The <code>crond</code> service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary mainte...Rule Medium Severity -
NFS and RPC
The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circ...Group -
Configure NFS Servers
The steps in this section are appropriate for systems which operate as NFS servers.Group -
Use Kerberos Security on All Exports
Using Kerberos on all exported mounts prevents a malicious client or user from impersonating a system user. To cryptography authenticate users to t...Rule Medium Severity -
Obsolete Services
This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or...Group -
Rlogin, Rsh, and Rexec
The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.Group -
Disable rexec Service
The <code>rexec</code> service, which is available with the <code>rsh-server</code> package and runs as a service through xinetd or separately as a...Rule High Severity -
Disable rlogin Service
The <code>rlogin</code> service, which is available with the <code>rsh-server</code> package and runs as a service through xinetd or separately as ...Rule High Severity -
Disable rsh Service
The <code>rsh</code> service, which is available with the <code>rsh-server</code> package and runs as a service through xinetd or separately as a s...Rule High Severity -
Remove Rsh Trust Files
The files <code>/etc/hosts.equiv</code> and <code>~/.rhosts</code> (in each user's home directory) list remote hosts and users that are trusted by ...Rule High Severity -
Telnet
The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication informat...Group -
Uninstall telnet-server Package
Thetelnet-serverpackage can be removed with the following command:$ sudo dnf remove telnet-server
Rule High Severity -
Remove telnet Clients
The telnet client allows users to start connections to other systems via the telnet protocol.Rule Low Severity -
Disable telnet Service
Make sure that the activation of the <code>telnet</code> service on system boot is disabled. The <code>telnet</code> socket can be disabled with t...Rule High Severity -
SSH Server
The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between tw...Group -
Configure OpenSSH Server if Necessary
If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_confi...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules