Some policies you create provide a list of options for you to specify, enable, or disable. For example, when you create a policy for Linux devices to control when the screen saver locks down an inactive device, you need to configure the timeout in seconds.
Specific policies have nuances that are important to note as you apply them to your fleet. While some policies take effect immediately, others may take 5-10 minutes for the policy update process to run, or require a device logout. We recommend you reference the article for a specific policy if you have concerns.
Below is a list of all Linux policies. Specific instructions for more nuanced policies are linked in the Learn More column. If a Learn More article isn't listed, you can use the basic steps in for help.
Linux Policies
Policy Name | Description | Category | Learn More |
---|---|---|---|
CentOS 7: Additional Process Hardening | Restrict access to core dumps by enabling address space layout randomization (ASLR) and uninstalling prelink packages. | Security, Compliance | |
Check Disk Encryption | Check a Linux device for Full-Disk or Home-Directory encryption and report the status. | Security, Compliance | Linux Check Disk Encryption Policy |
Configure IPv4 iptables | This policy ensures that IPv4 iptables rules are in place. | | |
Configure IPv6 iptables | This policy ensures that IPv6 iptables rules are in place. | | |
Configure rsyslog | Configure rsyslog so that it is enabled and properly configured on the device. | | |
Disable Unused Filesystems | Prevent an unauthorized user from introducing data into or extracting data from a device. IT admins should determine if a filesystem type isn’t necessary, and disable it if it isn’t. Native Linux filesystems are designed to ensure that built-in security controls function as expected. Although non-native filesystems can be used to solve different kinds of problems, they can also lead to unexpected consequences to both the security and functionality of the device. | Security, Compliance | |
Disable USB Storage | Prevent use of USB mass storage devices, such as flash drives and USB hard drives. | Security, Compliance | Create a Disable USB Storage Policy for Linux |
Enable Time Synchronization | Ensure that time synchronization between all devices in the environment is enabled and properly configured. Time synchronization is an essential part of security and compliance. For example, time synchronization ensures that system logs have consistent timestamps and also helps to verify the public key's expiration date. | | |
File Ownership and Permissions | Secure system files for Linux devices. | | |
Forbidden Services | Protect devices against unknown vulnerabilities by disabling services that are not required for normal operation. | Security, Compliance | Create a Linux Forbidden Services Policy |
inetd Services | Securely disable inetd, a super-server daemon that provides internet services and passes connections to configured services. | | |
Lock Screen | Unattended devices that are still active with a user logged in create opportunities for unauthorized access to information and misuse of accounts. You can remotely apply policy settings to lock one inactive system or the entire fleet in your organization using the policy framework. | Security, Compliance | Create a Linux Lock Screen Policy |
Network Parameters | Enhance a device’s network security by setting kernel parameters for IP forwarding, packet routing, Internet Control Message Protocol (ICMP) requests, path filtering, and Transmission Control Protocol (TCP) SYN cookies. | Security, Network | |
Partition and Mount Options | Checks partition and mount options. Directories that are used for system-wide functions can be further protected by placing them on separate partitions. This provides protection against resource exhaustion and enables the use of mounting options that are applicable to the directory's intended use. | | |
Secure Boot Settings | Prevent non-root users from reading the boot parameters and identifying weaknesses in security upon boot. | Security, Compliance | |
Service Clients | Remove unnecessary clients to minimize the risk involved when the compromise of a service leads to the compromise of the clients who use those services. | Security, Compliance | |
SSH Connection Timeout | Set the duration that an inactive SSH connection will remain open. | | |
SSH Root Access | Enforce or deny root login via SSH. | | |
SSH Server Security Enforcement | Ensure the SSH server is properly configured to enable secure remote access. The settings in this policy only apply if the SSH daemon is installed on the system. | | |