Skip to content
ATO Pathways
  Log In

Guide to the Secure Configuration of Red Hat Enterprise Linux 10

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Verify Owner on cron.monthly

    To properly set the owner of /etc/cron.monthly, run the command: 
    $ sudo chown root /etc/cron.monthly
    Rule Medium Severity
    Show

  • Verify Owner on cron.weekly

    To properly set the owner of /etc/cron.weekly, run the command: 
    $ sudo chown root /etc/cron.weekly
    Rule Medium Severity
    Show

  • Verify Owner on crontab

    To properly set the owner of /etc/crontab, run the command: 
    $ sudo chown root /etc/crontab
    Rule Medium Severity
    Show

  • Verify Permissions on cron.d

    To properly set the permissions of /etc/cron.d, run the command: 
    $ sudo chmod 0700 /etc/cron.d
    Rule Medium Severity
    Show

  • Verify Permissions on cron.daily

    To properly set the permissions of /etc/cron.daily, run the command: 
    $ sudo chmod 0700 /etc/cron.daily
    Rule Medium Severity
    Show

  • Verify Permissions on cron.hourly

    To properly set the permissions of /etc/cron.hourly, run the command: 
    $ sudo chmod 0700 /etc/cron.hourly
    Rule Medium Severity
    Show

  • Verify Permissions on cron.monthly

    To properly set the permissions of /etc/cron.monthly, run the command: 
    $ sudo chmod 0700 /etc/cron.monthly
    Rule Medium Severity
    Show

  • Verify Permissions on cron.weekly

    To properly set the permissions of /etc/cron.weekly, run the command: 
    $ sudo chmod 0700 /etc/cron.weekly
    Rule Medium Severity
    Show

  • Verify Permissions on crontab

    To properly set the permissions of /etc/crontab, run the command: 
    $ sudo chmod 0600 /etc/crontab
    Rule Medium Severity
    Show

  • Control Mail Relaying

    Postfix's mail relay controls are implemented with the help of the smtpd recipient restrictions option, which controls the restrictions placed on t...
    Group
    Show

  • Prevent Unrestricted Mail Relaying

    Modify the <pre>/etc/postfix/main.cf</pre> file to restrict client connections to the local network with the following command: <pre>$ sudo postcon...
    Rule Medium Severity
    Show

  • NFS and RPC

    The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circ...
    Group
    Show

  • Uninstall nfs-utils Package

    The nfs-utils package can be removed with the following command: 
    $ sudo dnf remove nfs-utils
    Rule Low Severity
    Show

  • Disable All NFS Services if Possible

    If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable sub...
    Group
    Show

  • Disable Services Used Only by NFS

    If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. <br> <br> All of these daemons run with eleva...
    Group
    Show

  • Disable rpcbind Service

    The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they a...
    Rule Low Severity
    Show

  • Configure NFS Clients

    The steps in this section are appropriate for systems which operate as NFS clients.
    Group
    Show

  • Disable NFS Server Daemons

    There is no need to run the NFS server daemons <code>nfs</code> and <code>rpcsvcgssd</code> except on a small number of properly secured systems de...
    Group
    Show

  • Disable Network File System (nfs)

    The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is...
    Rule Unknown Severity
    Show

  • Mount Remote Filesystems with Restrictive Options

    Edit the file <code>/etc/fstab</code>. For each filesystem whose type (column 3) is <code>nfs</code> or <code>nfs4</code>, add the text <code>,node...
    Group
    Show

  • Mount Remote Filesystems with Kerberos Security

    Add the <code>sec=krb5:krb5i:krb5p</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of any NFS mo...
    Rule Medium Severity
    Show

  • Mount Remote Filesystems with nodev

    Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
    Rule Medium Severity
    Show

  • Mount Remote Filesystems with noexec

    Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
    Rule Medium Severity
    Show

  • Mount Remote Filesystems with nosuid

    Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
    Rule Medium Severity
    Show

  • Configure NFS Servers

    The steps in this section are appropriate for systems which operate as NFS servers.
    Group
    Show

  • Use Kerberos Security on All Exports

    Using Kerberos on all exported mounts prevents a malicious client or user from impersonating a system user. To cryptography authenticate users to t...
    Rule Medium Severity
    Show

  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...
    Group
    Show

  • Vendor Approved Time pools

    The list of vendor-approved pool servers
    Value
    Show

  • Vendor Approved Time Servers

    The list of vendor-approved time servers
    Value
    Show

  • Maximum NTP or Chrony Poll

    The maximum NTP or Chrony poll interval number in seconds specified as a power of two.
    Value
    Show

  • The Chrony package is installed

    System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or se...
    Rule Medium Severity
    Show

  • Uninstall tftp-server Package

    The tftp-server package can be removed with the following command: 
     $ sudo dnf remove tftp-server
    Rule High Severity
    Show

  • Remove tftp Daemon

    Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files betw...
    Rule Low Severity
    Show

  • Ensure tftp systemd Service Uses Secure Mode

    If running the Trivial File Transfer Protocol (TFTP) service is necessary, it should be configured to change its root directory at startup. To do s...
    Rule Medium Severity
    Show

  • Print Support

    The Common Unix Printing System (CUPS) service provides both local and network printing support. A system running the CUPS service can accept print...
    Group
    Show

  • Disable the CUPS Service

    The cups service can be disabled with the following command: 
    $ sudo systemctl mask --now cups.service
    Rule Unknown Severity
    Show

  • Proxy Server

    A proxy server is a very desirable target for a potential adversary because much (or all) sensitive data for a given infrastructure may flow throug...
    Group
    Show

  • Disable Squid if Possible

    If Squid was installed and activated, but the system does not need to act as a proxy server, then it should be disabled and removed.
    Group
    Show

  • Uninstall squid Package

    The squid package can be removed with the following command: 
     $ sudo dnf remove squid
    Rule Unknown Severity
    Show

  • Disable Squid

    The squid service can be disabled with the following command: 
    $ sudo systemctl mask --now squid.service
    Rule Unknown Severity
    Show

  • Network Routing

    A router is a very desirable target for a potential adversary because they fulfill a variety of infrastructure networking roles such as access to ...
    Group
    Show

  • Disable Quagga if Possible

    If Quagga was installed and activated, but the system does not need to act as a router, then it should be disabled and removed.
    Group
    Show

  • Uninstall quagga Package

    The quagga package can be removed with the following command: 
     $ sudo dnf remove quagga
    Rule Low Severity
    Show

  • SSH is required to be installed

    Specify if the Policy requires SSH to be installed. Used by SSH Rules to determine if SSH should be uninstalled or configured.<br> A value of 0 mea...
    Value
    Show

  • SSH Strong KEX by FIPS

    Specify the FIPS approved KEXs (Key Exchange Algorithms) algorithms that are used for methods in cryptography by which cryptographic keys are exch...
    Value
    Show

  • SSH Strong MACs by FIPS

    Specify the FIPS approved MACs (Message Authentication Code) algorithms that are used for data integrity protection by the SSH server.
    Value
    Show

  • SSH Max Sessions Count

    Specify the maximum number of open sessions permitted.
    Value
    Show

  • SSH Max Keep Alive Count

    Specify the maximum number of idle message counts before session is terminated.
    Value
    Show

  • Install OpenSSH client software

    The openssh-clients package can be installed with the following command: 
    $ sudo dnf install openssh-clients
    Rule Medium Severity
    Show

  • Install the OpenSSH Server Package

    The <code>openssh-server</code> package should be installed. The <code>openssh-server</code> package can be installed with the following command: <...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules