DISA STIG for Red Hat Enterprise Linux CoreOS
Rules and Groups employed by this XCCDF Profile
-
systemd-journald
systemd-journald is a system service that collects and stores logging data. It creates and maintains structured, indexed journals based on logging ...Group -
Verify Group Who Owns the system journal
' To properly set the group owner of <code>/var/log/journal/.*/system.journal</code>, run the command: <pre>$ sudo chgrp systemd-journal /var/log/j...Rule Medium Severity -
Verify Owner on the system journal
' To properly set the owner of <code>/var/log/journal/.*/system.journal</code>, run the command: <pre>$ sudo chown root /var/log/journal/.*/system....Rule Medium Severity -
Verify Permissions on the system journal
To properly set the permissions of <code>/var/log/journal/.*/system.journal</code>, run the command: <pre>$ sudo chmod 0640 /var/log/journal/.*/sy...Rule Medium Severity -
File Permissions and Masks
Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which t...Group -
Verify Permissions on Important Files and Directories
Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses impo...Group -
Verify Permissions on Files within /var/log Directory
The/var/logdirectory contains files with logs of error messages in the system and should only be accessed by authorized personnel.Group -
Verify Group Who Owns /var/log Directory
To properly set the group owner of/var/log, run the command:$ sudo chgrp root /var/log
Rule Medium Severity -
Verify User Who Owns /var/log Directory
To properly set the owner of/var/log, run the command:$ sudo chown root /var/log
Rule Medium Severity -
Verify Permissions on /var/log Directory
To properly set the permissions of/var/log, run the command:$ sudo chmod 0755 /var/log
Rule Medium Severity -
Restrict Dynamic Mounting and Unmounting of Filesystems
Linux includes a number of facilities for the automated addition and removal of filesystems on a running system. These facilities may be necessary...Group -
Disable Modprobe Loading of USB Storage Driver
To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. ...Rule Medium Severity -
Restrict Programs from Dangerous Execution Patterns
The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution ar...Group -
Restrict Access to Kernel Message Buffer
To set the runtime status of the <code>kernel.dmesg_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.dmesg...Rule Low Severity -
Disallow kernel profiling by unprivileged users
To set the runtime status of the <code>kernel.perf_event_paranoid</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel....Rule Low Severity -
Enable ExecShield
ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These featu...Group -
Enable Randomized Layout of Virtual Address Space
To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.r...Rule Medium Severity -
Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems
Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, th...Group -
Enable NX or XD Support in the BIOS
Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. Th...Rule Medium Severity -
Memory Poisoning
Memory Poisoning consists of writing a special value to uninitialized or freed memory. Poisoning can be used as a mechanism to prevent leak of info...Group -
Enable page allocator poisoning
To enable poisoning of free pages, add the argument <code>page_poison=1</code> to all BLS (Boot Loader Specification) entries ('options' line) for ...Rule Medium Severity -
Enable SLUB/SLAB allocator poisoning
To enable poisoning of SLUB/SLAB objects, add the argument <code>slub_debug=P</code> to all BLS (Boot Loader Specification) entries ('options' line...Rule Medium Severity -
SELinux
SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that p...Group -
Ensure SELinux Not Disabled in the kernel arguments
SELinux can be disabled at boot time by disabling it via a kernel argument. Remove any instances of <code>selinux=0</code> from the kernel argument...Rule Medium Severity -
Configure SELinux Policy
The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To config...Rule Medium Severity -
Ensure SELinux State is Enforcing
The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub><...Rule High Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Red Hat Enterpris...Group -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...Group -
Enable the NTP Daemon
As a user with administrator privileges, log into a node in the relevant pool: <pre> $ oc debug node/$NODE_NAME </pre> At the <pre>sh-4.4#</pre> ...Rule Medium Severity -
Specify a Remote NTP Server
Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux CoreOS 4 system can be configured ...Rule Medium Severity -
SSH Server
The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between tw...Group -
Disable SSH Server If Possible
Instead of using ssh to remotely log in to a cluster node, it is recommended to use <code>oc debug</code> The <code>sshd</code> service can be di...Rule High Severity -
Configure OpenSSH Server if Necessary
If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_confi...Group -
Disable SSH Root Login
The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following lin...Rule Medium Severity -
USBGuard daemon
The USBGuard daemon enforces the USB device authorization policy for all USB devices.Group -
Install usbguard Package
The <code>usbguard</code> package can be installed with the following manifest: <pre> --- apiVersion: machineconfiguration.openshift.io/v1 kind: M...Rule Medium Severity -
Enable the USBGuard Service
The USBGuard service should be enabled. The <code>usbguard</code> service can be enabled with the following manifest: <pre> --- apiVersion: machin...Rule Medium Severity -
Log USBGuard daemon audit events using Linux Audit
To configure USBGuard daemon to log via Linux Audit (as opposed directly to a file), <code>AuditBackend</code> option in <code>/etc/usbguard/usbgua...Rule Low Severity -
Authorize Human Interface Devices and USB hubs in USBGuard daemon
To allow authorization of USB devices combining human interface device and hub capabilities by USBGuard daemon, add the line <code>allow with-inter...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.