I - Mission Critical Classified
Rules and Groups employed by this XCCDF Profile
Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): RHEL 9 must disable the kernel.core_pattern.
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers tryin...

Group: SRG-OS-000095-GPOS-00049
Rule (Medium Severity): RHEL 9 must be configured to disable the Asynchronous Transfer Mode kernel module.
Disabling Asynchronous Transfer Mode (ATM) protects the system against exploitation of any flaws in its implementation.

Group: SRG-OS-000095-GPOS-00049
Rule (Medium Severity): RHEL 9 must be configured to disable the Controller Area Network kernel module.
Disabling Controller Area Network (CAN) protects the system against exploitation of any flaws in its implementation.

Group: SRG-OS-000095-GPOS-00049
Rule (Medium Severity): RHEL 9 must be configured to disable the FireWire kernel module.
Disabling FireWire protects the system against exploitation of any flaws in its implementation.

Group: SRG-OS-000095-GPOS-00049
Rule (Medium Severity): RHEL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module.
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...

Group: SRG-OS-000095-GPOS-00049
Rule (Medium Severity): RHEL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...

Group: SRG-OS-000433-GPOS-00193
Rule (Medium Severity): RHEL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process' address space during an attempt at expl...

Group: SRG-OS-000132-GPOS-00067
Rule (Medium Severity): RHEL 9 must disable access to network bpf system call from nonprivileged processes.
Loading and accessing the packet filters programs and maps using the bpf() system call has the potential of revealing sensitive information about the kernel state. Satisfies: SRG-OS-000132-GPOS-00...

Group: SRG-OS-000132-GPOS-00067
Rule (Medium Severity): RHEL 9 must restrict usage of ptrace to descendant processes.
Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. In this way, the attacker can steal sensitive information from the target processes (e.g., SSH s...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): RHEL 9 must disable core dump backtraces.
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or sy...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): RHEL 9 must disable storing core dumps.
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or sy...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): RHEL 9 must disable core dumps for all users.
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers tryin...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): RHEL 9 must disable acquiring, saving, and processing core dumps.
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers tryin...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): RHEL 9 must disable the use of user namespaces.
User namespaces are used primarily for Linux containers. The value "0" disallows the use of user namespaces.

Group: SRG-OS-000433-GPOS-00192
Rule (Medium Severity): RHEL 9 must implement nonexecutable data to protect its memory from unauthorized code execution.
ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control ...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): The kdump service on RHEL 9 must be disabled.
Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhau...

Group: SRG-OS-000366-GPOS-00153
Rule (Medium Severity): RHEL 9 must ensure cryptographic verification of vendor software packages.
Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware o...

Group: SRG-OS-000366-GPOS-00153
Rule (High Severity): RHEL 9 must check the GPG signature of software packages originating from external software repositories before installation.
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has bee...

Group: SRG-OS-000366-GPOS-00153
Rule (High Severity): RHEL 9 must check the GPG signature of locally installed software packages before installation.
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has bee...

Group: SRG-OS-000366-GPOS-00153
Rule (High Severity): RHEL 9 must have GPG signature verification enabled for all software repositories.
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has bee...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): RHEL 9 must be configured so that the cryptographic hashes of system files match vendor values.
The hashes of important files such as system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.

Group: SRG-OS-000437-GPOS-00194
Rule (Low Severity): RHEL 9 must remove all software components after updated versions have been installed.
Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.

Group: SRG-OS-000366-GPOS-00153
Rule (Medium Severity): RHEL 9 subscription-manager package must be installed.
The Red Hat Subscription Manager application manages software subscriptions and software repositories for installed software products on the local system. It communicates with backend servers, such...

Group: SRG-OS-000074-GPOS-00042
Rule (High Severity): RHEL 9 must not have a File Transfer Protocol (FTP) server package installed.
The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using ...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): RHEL 9 must not have the sendmail package installed.
The sendmail software was not developed with security in mind, and its design prevents it from being effectively contained by SELinux. Postfix must be used instead. Satisfies: SRG-OS-000480-GPOS-0...