Standard System Security Profile for Kylin Server V10
Rules and Groups employed by this XCCDF Profile
-
Ensure SELinux is Not Disabled
The SELinux state should be set to <code>enforcing</code> or <code>permissive</code> at system boot time. In the file <code>/etc/selinux/config</co...Rule High Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Kylin Server 10 i...Group -
Base Services
This section addresses the base services that are installed on a Kylin Server 10 default installation which are not covered in other sections. Some...Group -
Install the psacct package
The process accounting service, <code>psacct</code>, works with programs including <code>acct</code> and <code>ac</code> to allow system administra...Rule Low Severity -
Enable Process Accounting (psacct)
The process accounting service, <code>psacct</code>, works with programs including <code>acct</code> and <code>ac</code> to allow system administra...Rule Low Severity -
Cron and At Daemons
The cron and at services are used to allow commands to be executed at a later time. The cron service is required by almost all systems to perform n...Group -
Restrict at and cron to Authorized Users if Necessary
The <code>/etc/cron.allow</code> and <code>/etc/at.allow</code> files contain lists of users who are allowed to use <code>cron</code> and at to del...Group -
Ensure that /etc/cron.allow exists
The file/etc/cron.allowshould exist and should be used instead of/etc/cron.deny.Rule Medium Severity -
DHCP
The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server....Group -
Disable DHCP Server
The DHCP server <code>dhcpd</code> is not installed or activated by default. If the software was installed and activated, but the system does not n...Group -
Disable DHCP Service
The <code>dhcpd</code> service should be disabled on any system that does not need to act as a DHCP server. The <code>dhcpd</code> service can be ...Rule Medium Severity -
Mail Server Software
Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious target...Group -
Configure SMTP For Mail Clients
This section discusses settings for Postfix in a submission-only e-mail configuration.Group -
Configure System to Forward All Mail For The Root Account
Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address <xccdf-1.2:sub idref="xccdf_org....Rule Medium Severity -
NFS and RPC
The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circ...Group -
Uninstall nfs-utils Package
Thenfs-utilspackage can be removed with the following command:$ sudo dnf remove nfs-utils
Rule Low Severity -
Configure NFS Clients
The steps in this section are appropriate for systems which operate as NFS clients.Group -
Disable NFS Server Daemons
There is no need to run the NFS server daemons <code>nfs</code> and <code>rpcsvcgssd</code> except on a small number of properly secured systems de...Group -
Disable Network File System (nfs)
The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is...Rule Unknown Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.