Guide to the Secure Configuration of Red Hat Enterprise Linux 10
Rules, Groups, and Values defined within the XCCDF Benchmark
-
net.ipv6.conf.all.accept_ra_rtr_pref
Accept router preference in router advertisements?Value -
net.ipv6.conf.all.accept_ra
Accept all router advertisements?Value -
net.ipv6.conf.all.accept_redirects
Toggle ICMP Redirect AcceptanceValue -
net.ipv6.conf.all.accept_source_route
Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirec...Value -
net.ipv6.conf.all.autoconf
Enable auto configuration on IPv6 interfacesValue -
net.ipv6.conf.all.forwarding
Toggle IPv6 ForwardingValue -
net.ipv6.conf.all.max_addresses
Maximum number of autoconfigured IPv6 addressesValue -
net.ipv6.conf.all.router_solicitations
Accept all router solicitations?Value -
net.ipv6.conf.default.accept_ra_defrtr
Accept default router in router advertisements?Value -
net.ipv6.conf.default.accept_ra_pinfo
Accept prefix information in router advertisements?Value -
net.ipv6.conf.default.accept_ra_rtr_pref
Accept router preference in router advertisements?Value -
net.ipv6.conf.default.accept_ra
Accept default router advertisements by default?Value -
net.ipv6.conf.default.accept_redirects
Toggle ICMP Redirect Acceptance By DefaultValue -
net.ipv6.conf.default.accept_source_route
Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirec...Value -
net.ipv6.conf.default.autoconf
Enable auto configuration on IPv6 interfacesValue -
net.ipv6.conf.default.max_addresses
Maximum number of autoconfigured IPv6 addressesValue -
net.ipv6.conf.default.router_solicitations
Accept all router solicitations by default?Value -
Manually Assign Global IPv6 Address
To manually assign an IP address for an interface, edit the file <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i> </co...Rule Unknown Severity -
Configure Accepting Router Advertisements on All IPv6 Interfaces
To set the runtime status of the <code>net.ipv6.conf.all.accept_ra</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ip...Rule Medium Severity -
Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces
To set the runtime status of the <code>net.ipv6.conf.all.accept_ra_defrtr</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w...Rule Unknown Severity -
Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces
To set the runtime status of the <code>net.ipv6.conf.all.accept_ra_pinfo</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w ...Rule Unknown Severity -
Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces
To set the runtime status of the <code>net.ipv6.conf.all.accept_ra_rtr_pref</code> kernel parameter, run the following command: <pre>$ sudo sysctl ...Rule Unknown Severity -
Configure tmux to lock session after inactivity
To enable console screen locking in <code>tmux</code> terminal multiplexer after a period of inactivity, the <code>lock-after-time</code> option ha...Rule Medium Severity -
Verify No .forward Files Exist
The.forwardfile specifies an email address to forward the user's mail to.Rule Medium Severity -
Verify No netrc Files Exist
The <code>.netrc</code> files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files ma...Rule Medium Severity -
Configure SSSD to Expire Offline Credentials
SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set <code>offline_credential...Rule Medium Severity -
USBGuard daemon
The USBGuard daemon enforces the USB device authorization policy for all USB devices.Group -
Install usbguard Package
Theusbguardpackage can be installed with the following command:$ sudo dnf install usbguard
Rule Medium Severity -
Enable the USBGuard Service
The USBGuard service should be enabled. The <code>usbguard</code> service can be enabled with the following command: <pre>$ sudo systemctl enable ...Rule Medium Severity -
Log USBGuard daemon audit events using Linux Audit
To configure USBGuard daemon to log via Linux Audit (as opposed directly to a file), <code>AuditBackend</code> option in <code>/etc/usbguard/usbgua...Rule Low Severity -
Generate USBGuard Policy
By default USBGuard when enabled prevents access to all USB devices and this lead to inaccessible system if they use USB mouse/keyboard. To prevent...Rule Medium Severity -
X Window System
The X Window System implementation included with the system is called X.org.Group -
Disable X Windows
Unless there is a mission-critical reason for the system to run a graphical user interface, ensure X is not set to start automatically at boot and ...Group -
Verify the SSH Private Key Files Have a Passcode
When creating SSH key pairs, always use a passcode. <br> You can create such keys with the following command: <pre>$ sudo ssh-keygen -n [passphrase...Rule Medium Severity -
Configure OpenSSH Server if Necessary
If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_confi...Group -
SSH RekeyLimit - size
Specify the size component of the rekey limit.Value -
SSH RekeyLimit - size
Specify the size component of the rekey limit.Value -
SSH Compression Setting
Specify the compression setting for SSH connections.Value -
SSH Privilege Separation Setting
Specify whether and how sshd separates privileges when handling incoming network connections.Value -
SSH LoginGraceTime setting
Configure parameters for how long the servers stays connected before the user has successfully logged inValue -
SSH MaxStartups setting
Configure parameters for maximum concurrent unauthenticated connections to the SSH daemon.Value -
Add nosuid Option to /var/log/audit
The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/var/log/audit</code>. The SUID and SGID permissi...Rule Medium Severity -
Disable Kernel Image Loading
To set the runtime status of the <code>kernel.kexec_load_disabled</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel....Rule Medium Severity -
Verify Group Who Owns /etc/sestatus.conf File
To properly set the group owner of/etc/sestatus.conf, run the command:$ sudo chgrp root /etc/sestatus.conf
Rule Medium Severity -
Verify User Who Owns /etc/sestatus.conf File
To properly set the owner of/etc/sestatus.conf, run the command:$ sudo chown root /etc/sestatus.conf
Rule Medium Severity -
Verify Permissions On /etc/sestatus.conf File
To properly set the permissions of/etc/sestatus.conf, run the command:$ sudo chmod 0644 /etc/sestatus.conf
Rule Medium Severity -
Ensure SELinux Not Disabled in /etc/default/grub
SELinux can be disabled at boot time by an argument in <code>/etc/default/grub</code>. Remove any instances of <code>selinux=0</code> from the kern...Rule Medium Severity -
Verify Owner on cron.daily
To properly set the owner of/etc/cron.daily, run the command:$ sudo chown root /etc/cron.daily
Rule Medium Severity -
Verify Owner on cron.deny
To properly set the owner of/etc/cron.deny, run the command:$ sudo chown root /etc/cron.deny
Rule Medium Severity -
Verify Owner on cron.hourly
To properly set the owner of/etc/cron.hourly, run the command:$ sudo chown root /etc/cron.hourly
Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.