I - Mission Critical Classified
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000423-GPOS-00187
Group -
All RHEL 8 networked systems must have SSH installed.
Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirem...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An ill...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must not forward IPv4 source-routed packets.
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security me...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must not forward IPv4 source-routed packets by default.
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security me...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An ill...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...Rule Medium Severity -
SRG-OS-000021-GPOS-00005
Group -
RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...Rule Medium Severity -
SRG-OS-000021-GPOS-00005
Group -
RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unn...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The RHEL 8 operating system must not have accounts configured with blank or null passwords.
If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.