Skip to content

DISA STIG for Red Hat Enterprise Linux CoreOS

Rules and Groups employed by this XCCDF Profile

  • Enable page allocator poisoning

    To enable poisoning of free pages, add the argument <code>page_poison=1</code> to all BLS (Boot Loader Specification) entries ('options' line) for ...
    Rule Medium Severity
  • Enable SLUB/SLAB allocator poisoning

    To enable poisoning of SLUB/SLAB objects, add the argument <code>slub_debug=P</code> to all BLS (Boot Loader Specification) entries ('options' line...
    Rule Medium Severity
  • SELinux

    SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that p...
    Group
  • Ensure SELinux Not Disabled in the kernel arguments

    SELinux can be disabled at boot time by disabling it via a kernel argument. Remove any instances of <code>selinux=0</code> from the kernel argument...
    Rule Medium Severity
  • Configure SELinux Policy

    The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To config...
    Rule Medium Severity
  • Ensure SELinux State is Enforcing

    The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub><...
    Rule High Severity
  • Services

    The best protection against vulnerable software is running less software. This section describes how to review the software which Red Hat Enterpris...
    Group
  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...
    Group
  • Enable the NTP Daemon

    As a user with administrator privileges, log into a node in the relevant pool: <pre> $ oc debug node/$NODE_NAME </pre> At the <pre>sh-4.4#</pre> ...
    Rule Medium Severity
  • Specify a Remote NTP Server

    Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux CoreOS 4 system can be configured ...
    Rule Medium Severity
  • SSH Server

    The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between tw...
    Group
  • Disable SSH Server If Possible

    Instead of using ssh to remotely log in to a cluster node, it is recommended to use <code>oc debug</code> The <code>sshd</code> service can be di...
    Rule High Severity
  • Configure OpenSSH Server if Necessary

    If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_confi...
    Group
  • Disable SSH Root Login

    The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following lin...
    Rule Medium Severity
  • USBGuard daemon

    The USBGuard daemon enforces the USB device authorization policy for all USB devices.
    Group
  • Install usbguard Package

    The <code>usbguard</code> package can be installed with the following manifest: <pre> --- apiVersion: machineconfiguration.openshift.io/v1 kind: M...
    Rule Medium Severity
  • Enable the USBGuard Service

    The USBGuard service should be enabled. The <code>usbguard</code> service can be enabled with the following manifest: <pre> --- apiVersion: machin...
    Rule Medium Severity
  • Log USBGuard daemon audit events using Linux Audit

    To configure USBGuard daemon to log via Linux Audit (as opposed directly to a file), <code>AuditBackend</code> option in <code>/etc/usbguard/usbgua...
    Rule Low Severity
  • Authorize Human Interface Devices and USB hubs in USBGuard daemon

    To allow authorization of USB devices combining human interface device and hub capabilities by USBGuard daemon, add the line <code>allow with-inter...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules