DRAFT - DISA STIG for Red Hat Enterprise Linux 10
Rules and Groups employed by this XCCDF Profile
-
Mount Remote Filesystems with nosuid
Add thenosuidoption to the fourth column of/etc/fstabfor the line which controls mounting of any NFS mounts.Rule Medium Severity -
Configure NFS Servers
The steps in this section are appropriate for systems which operate as NFS servers.Group -
Use Kerberos Security on All Exports
Using Kerberos on all exported mounts prevents a malicious client or user from impersonating a system user. To cryptography authenticate users to the NFS server, add <code>sec=krb5:krb5i:krb5p</cod...Rule Medium Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...Group -
The Chrony package is installed
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize th...Rule Medium Severity -
The Chronyd service is enabled
chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information o...Rule Medium Severity -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. M...Rule Medium Severity -
Configure Time Service to use NTS
The system should be configured to use time servers that support Network Time Security (NTS). The specified time server must support NTS and must be configured to use NTS. To configure NTS for give...Rule Medium Severity -
Disable chrony daemon from acting as server
The <code>port</code> option in <code>/etc/chrony.conf</code> can be set to <code>0</code> to make chrony daemon to never open any listening port for server operation and to operate strictly in a c...Rule Low Severity -
Disable network management of chrony daemon
Thecmdportoption in/etc/chrony.confcan be set to0to stop chrony daemon from listening on the UDP port 323 for management connections made by chronyc.Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules