Standard System Security Profile for Kylin Server V10
Rules and Groups employed by this XCCDF Profile
-
The Chrony package is installed
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or se...Rule Medium Severity -
Install the ntp service
The ntpd service should be installed.Rule High Severity -
Enable the NTP Daemon
Run the following command to determine the current status of the <code>chronyd</code> service: <pre>$ sudo systemctl is-active chronyd</pre> If ...Rule Medium Severity -
Chrony Configure Pool and Server
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of s...Rule Medium Severity -
Obsolete Services
This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or...Group -
Uninstall rsync Package
The rsyncd service can be used to synchronize files between systems over network links. The <code>rsync</code> package can be removed with the foll...Rule Medium Severity -
NIS
The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and oth...Group -
Remove NIS Client
The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system conf...Rule Unknown Severity -
Telnet
The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication informat...Group -
Uninstall telnet-server Package
Thetelnet-serverpackage can be removed with the following command:$ sudo dnf remove telnet-server
Rule High Severity -
TFTP Server
TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides littl...Group -
Uninstall tftp-server Package
Thetftp-serverpackage can be removed with the following command:$ sudo dnf remove tftp-server
Rule High Severity -
Remove tftp Daemon
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files betw...Rule Low Severity -
SNMP Server
The Simple Network Management Protocol allows administrators to monitor the state of network devices, including computers. Older versions of SNMP w...Group -
Disable SNMP Server if Possible
The system includes an SNMP daemon that allows for its remote monitoring, though it not installed by default. If it was installed and activated but...Group -
Uninstall net-snmp Package
The <code>net-snmp</code> package provides the snmpd service. The <code>net-snmp</code> package can be removed with the following command: <pre> $...Rule Unknown Severity -
SSH Server
The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between tw...Group -
Install the OpenSSH Server Package
The <code>openssh-server</code> package should be installed. The <code>openssh-server</code> package can be installed with the following command: <...Rule Medium Severity -
Enable the OpenSSH Service
The SSH server service, sshd, is commonly needed. The <code>sshd</code> service can be enabled with the following command: <pre>$ sudo systemctl e...Rule Medium Severity -
Verify Permissions on SSH Server Private *_key Key Files
SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by t...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules