DRAFT - Australian Cyber Security Centre (ACSC) Essential Eight
Rules and Groups employed by this XCCDF Profile
-
SELinux
SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that p...Group -
Configure SELinux Policy
The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To config...Rule Medium Severity -
Ensure SELinux State is Enforcing
The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub><...Rule High Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Red Hat Enterpris...Group -
Avahi Server
The Avahi daemon implements the DNS Service Discovery and Multicast DNS protocols, which provide service and host discovery on a network. It allows...Group -
Disable Avahi Server if Possible
Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Disabling it can reduce the system's vulnerability t...Group -
Disable Avahi Server Software
Theavahi-daemonservice can be disabled with the following command:$ sudo systemctl mask --now avahi-daemon.service
Rule Medium Severity -
Application Whitelisting Daemon
Fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. Applications that are known via a reputatio...Group -
Install fapolicyd Package
Thefapolicydpackage can be installed with the following command:$ sudo dnf install fapolicyd
Rule Medium Severity -
Enable the File Access Policy Service
The File Access Policy service should be enabled. The <code>fapolicyd</code> service can be enabled with the following command: <pre>$ sudo system...Rule Medium Severity -
Obsolete Services
This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or...Group -
Telnet
The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication informat...Group -
Uninstall telnet-server Package
Thetelnet-serverpackage can be removed with the following command:$ sudo dnf remove telnet-server
Rule High Severity -
Remove telnet Clients
The telnet client allows users to start connections to other systems via the telnet protocol.Rule Low Severity -
Disable telnet Service
Make sure that the activation of the <code>telnet</code> service on system boot is disabled. The <code>telnet</code> socket can be disabled with t...Rule High Severity -
Proxy Server
A proxy server is a very desirable target for a potential adversary because much (or all) sensitive data for a given infrastructure may flow throug...Group -
Disable Squid if Possible
If Squid was installed and activated, but the system does not need to act as a proxy server, then it should be disabled and removed.Group -
Uninstall squid Package
Thesquidpackage can be removed with the following command:$ sudo dnf remove squid
Rule Unknown Severity -
Disable Squid
Thesquidservice can be disabled with the following command:$ sudo systemctl mask --now squid.service
Rule Unknown Severity -
Network Routing
A router is a very desirable target for a potential adversary because they fulfill a variety of infrastructure networking roles such as access to ...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules