Skip to content

DISA STIG for Red Hat Enterprise Linux CoreOS

Rules and Groups employed by this XCCDF Profile

  • systemd-journald

    systemd-journald is a system service that collects and stores logging data. It creates and maintains structured, indexed journals based on logging information that is received from a variety of sou...
    Group
  • Verify Group Who Owns the system journal

    ' To properly set the group owner of /var/log/journal/.*/system.journal, run the command:
    $ sudo chgrp systemd-journal /var/log/journal/.*/system.journal
    '
    Rule Medium Severity
  • Verify Owner on the system journal

    ' To properly set the owner of /var/log/journal/.*/system.journal, run the command:
    $ sudo chown root /var/log/journal/.*/system.journal 
    '
    Rule Medium Severity
  • Verify Permissions on the system journal

    To properly set the permissions of /var/log/journal/.*/system.journal, run the command:
    $ sudo chmod 0640 /var/log/journal/.*/system.journal
    Rule Medium Severity
  • File Permissions and Masks

    Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access. <br> <br> Severa...
    Group
  • Verify Permissions on Important Files and Directories

    Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verifie...
    Group
  • Verify Permissions on Files within /var/log Directory

    The /var/log directory contains files with logs of error messages in the system and should only be accessed by authorized personnel.
    Group
  • Verify Group Who Owns /var/log Directory

    To properly set the group owner of /var/log, run the command:
    $ sudo chgrp root /var/log
    Rule Medium Severity
  • Verify User Who Owns /var/log Directory

    To properly set the owner of /var/log, run the command:
    $ sudo chown root /var/log 
    Rule Medium Severity
  • Verify Permissions on /var/log Directory

    To properly set the permissions of /var/log, run the command:
    $ sudo chmod 0755 /var/log
    Rule Medium Severity
  • Restrict Dynamic Mounting and Unmounting of Filesystems

    Linux includes a number of facilities for the automated addition and removal of filesystems on a running system. These facilities may be necessary in many environments, but this capability also ca...
    Group
  • Disable Modprobe Loading of USB Storage Driver

    To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the <code>usb-...
    Rule Medium Severity
  • Restrict Programs from Dangerous Execution Patterns

    The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution are activated. These protections are applied at the ...
    Group
  • Restrict Access to Kernel Message Buffer

    To set the runtime status of the <code>kernel.dmesg_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.dmesg_restrict=1</pre> To make sure that the setting is...
    Rule Low Severity
  • Disallow kernel profiling by unprivileged users

    To set the runtime status of the <code>kernel.perf_event_paranoid</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.perf_event_paranoid=2</pre> To make sure that the ...
    Rule Low Severity
  • Enable ExecShield

    ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These features include random placement of the stack and othe...
    Group
  • Enable Randomized Layout of Virtual Address Space

    To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.randomize_va_space=2</pre> To make sure that the se...
    Rule Medium Severity
  • Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems

    Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Int...
    Group
  • Enable NX or XD Support in the BIOS

    Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section....
    Rule Medium Severity
  • Memory Poisoning

    Memory Poisoning consists of writing a special value to uninitialized or freed memory. Poisoning can be used as a mechanism to prevent leak of information and detection of corrupted memory.
    Group
  • Enable page allocator poisoning

    To enable poisoning of free pages, add the argument <code>page_poison=1</code> to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in <code>/boot/loader/e...
    Rule Medium Severity
  • Enable SLUB/SLAB allocator poisoning

    To enable poisoning of SLUB/SLAB objects, add the argument <code>slub_debug=P</code> to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in <code>/boot/lo...
    Rule Medium Severity
  • SELinux

    SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that programs should be limited in what files they can a...
    Group
  • Ensure SELinux Not Disabled in the kernel arguments

    SELinux can be disabled at boot time by disabling it via a kernel argument. Remove any instances of <code>selinux=0</code> from the kernel arguments in that file to prevent SELinux from being disab...
    Rule Medium Severity
  • Configure SELinux Policy

    The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct ...
    Rule Medium Severity
  • Ensure SELinux State is Enforcing

    The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub></code> at system boot time. In the file <code>/et...
    Rule High Severity
  • Services

    The best protection against vulnerable software is running less software. This section describes how to review the software which Red Hat Enterprise Linux CoreOS 4 installs on a system and disable ...
    Group
  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...
    Group
  • Enable the NTP Daemon

    As a user with administrator privileges, log into a node in the relevant pool: <pre> $ oc debug node/$NODE_NAME </pre> At the <pre>sh-4.4#</pre> prompt, run: <pre> # chroot /host </pre> Run the ...
    Rule Medium Severity
  • Specify a Remote NTP Server

    Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux CoreOS 4 system can be configured to utilize the services of the <code>chronyd</code...
    Rule Medium Severity
  • SSH Server

    The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, throu...
    Group
  • Disable SSH Server If Possible

    Instead of using ssh to remotely log in to a cluster node, it is recommended to use <code>oc debug</code> The <code>sshd</code> service can be disabled with the following manifest: <pre> --- apiV...
    Rule High Severity
  • Configure OpenSSH Server if Necessary

    If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_config</code>. The following recommendations can be app...
    Group
  • Disable SSH Root Login

    The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>Pe...
    Rule Medium Severity
  • USBGuard daemon

    The USBGuard daemon enforces the USB device authorization policy for all USB devices.
    Group
  • Install usbguard Package

    The <code>usbguard</code> package can be installed with the following manifest: <pre> --- apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig metadata: labels: machineconfig...
    Rule Medium Severity
  • Enable the USBGuard Service

    The USBGuard service should be enabled. The <code>usbguard</code> service can be enabled with the following manifest: <pre> --- apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig...
    Rule Medium Severity
  • Log USBGuard daemon audit events using Linux Audit

    To configure USBGuard daemon to log via Linux Audit (as opposed directly to a file), <code>AuditBackend</code> option in <code>/etc/usbguard/usbguard-daemon.conf</code> needs to be set to <code>Lin...
    Rule Low Severity
  • Authorize Human Interface Devices and USB hubs in USBGuard daemon

    To allow authorization of USB devices combining human interface device and hub capabilities by USBGuard daemon, add the line <code>allow with-interface match-all { 03:*:* 09:00:* }</code> to <code>...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules