III - Administrative Public
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must prevent special devices on non-root local partitions.
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity fo...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must prevent code from being executed on file systems that contain user home directories.
The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Exe...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must prevent special devices on file systems that are used with removable media.
The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity fo...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must prevent code from being executed on file systems that are used with removable media.
The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Exe...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).
The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity fo...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
Local RHEL 8 initialization files must not execute world-writable programs.
If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the use...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must disable kernel dumps unless needed.
Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by e...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must disable the kernel.core_pattern.
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must disable acquiring, saving, and processing core dumps.
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must disable core dumps for all users.
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must disable storing core dumps.
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
RHEL 8 must disable core dump backtraces.
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resol...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory.
The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.
If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others. The only authorized public ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. The only authorized ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file.
If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
All RHEL 8 local interactive user home directories must have mode 0750 or less permissive.
Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group.
If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that s...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist.
If a local interactive user has a home directory defined that does not exist, the user may be given access to the "/" directory as the current working directory upon logon. This could create a deni...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.