DRAFT - Australian Cyber Security Centre (ACSC) ISM Official - Secret
Rules and Groups employed by this XCCDF Profile
-
Enable the kerberos_enabled SELinux Boolean
By default, the SELinux boolean <code>kerberos_enabled</code> is enabled. If this setting is disabled, it should be enabled to allow confined applications to run with Kerberos. To enable the <code...Rule Medium Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Red Hat Enterprise Linux 10 installs on a system and disable softwa...Group -
Avahi Server
The Avahi daemon implements the DNS Service Discovery and Multicast DNS protocols, which provide service and host discovery on a network. It allows a system to automatically identify resources on t...Group -
Disable Avahi Server if Possible
Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Disabling it can reduce the system's vulnerability to such attacks.
Group -
Disable Avahi Server Software
The avahi-daemon service can be disabled with the following command:
$ sudo systemctl mask --now avahi-daemon.service
Rule Medium Severity -
Application Whitelisting Daemon
Fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. Applications that are known via a reputation source are allowed access while unknown applicat...Group -
Install fapolicyd Package
The fapolicyd package can be installed with the following command:
$ sudo dnf install fapolicyd
Rule Medium Severity -
Enable the File Access Policy Service
The File Access Policy service should be enabled. The fapolicyd service can be enabled with the following command:
$ sudo systemctl enable fapolicyd.service
Rule Medium Severity -
Kerberos
The Kerberos protocol is used for authentication across a non-secure network. Authentication can happen between various types of principals -- users, services, or hosts. Their identity and encryption ...Group -
Disable Kerberos by removing host keytab
Kerberos is not an approved key distribution method for Common Criteria. To prevent system daemons from using Kerberos, remove the Kerberos keytab files, especially /etc/krb5.keytab.
Rule Medium Severity