Australian Cyber Security Centre (ACSC) ISM Official
Rules and Groups employed by this XCCDF Profile
-
Enable Smartcards in SSSD
SSSD should be configured to authenticate access to the system using smart cards. To enable smart cards in SSSD, set <code>pam_cert_auth</code> to ...Rule Medium Severity -
USBGuard daemon
The USBGuard daemon enforces the USB device authorization policy for all USB devices.Group -
Install usbguard Package
Theusbguardpackage can be installed with the following command:$ sudo yum install usbguard
Rule Medium Severity -
Enable the USBGuard Service
The USBGuard service should be enabled. The <code>usbguard</code> service can be enabled with the following command: <pre>$ sudo systemctl enable ...Rule Medium Severity -
Enable ExecShield via sysctl
By default on Oracle Linux 9 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disab...Rule Medium Severity -
Prevent non-Privileged Users from Modifying Network Interfaces using nmcli
By default, non-privileged users are given permissions to modify networking interfaces and configurations using the <code>nmcli</code> command. Non...Rule Medium Severity -
Enable the auditadm_exec_content SELinux Boolean
By default, the SELinux boolean <code>auditadm_exec_content</code> is enabled. If this setting is disabled, it should be enabled. To enable the <c...Rule Medium Severity -
Disable the authlogin_nsswitch_use_ldap SELinux Boolean
By default, the SELinux boolean <code>authlogin_nsswitch_use_ldap</code> is disabled. If this setting is enabled, it should be disabled. To disabl...Rule Medium Severity -
Disable the authlogin_radius SELinux Boolean
By default, the SELinux boolean <code>authlogin_radius</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code...Rule Medium Severity -
Enable the kerberos_enabled SELinux Boolean
By default, the SELinux boolean <code>kerberos_enabled</code> is enabled. If this setting is disabled, it should be enabled to allow confined appli...Rule Medium Severity -
Chrony Configure Pool and Server
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of s...Rule Medium Severity -
Specify Additional Remote NTP Servers
Depending on specific functional requirements of a concrete production environment, the Oracle Linux 9 system can be configured to utilize the serv...Rule Medium Severity -
Disable snmpd Service
Thesnmpdservice can be disabled with the following command:$ sudo systemctl mask --now snmpd.service
Rule Low Severity -
Configure SNMP Service to Use Only SNMPv3 or Newer
Edit <code>/etc/snmp/snmpd.conf</code>, removing any references to <code>rocommunity</code>, <code>rwcommunity</code>, or <code>com2sec</code>. Upo...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.