Guide to the Secure Configuration of Red Hat Enterprise Linux 10
Rules, Groups, and Values defined within the XCCDF Benchmark
-
UEFI GRUB2 bootloader configuration
UEFI GRUB2 bootloader configurationGroup -
Set the UEFI Boot Loader Admin Username to a Non-Default Value
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br> <br> To maximize the protection, select a password-protected superu...Rule Medium Severity -
Set the UEFI Boot Loader Password
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br> <br> Since plaintext passwords are a security risk, generate a hash...Rule High Severity -
Kernel Configuration
Contains rules that check the kernel configuration that was used to build it.Group -
Hash function for kernel module signing
The hash function to use when signing modules during kernel build process.Value -
Key and certificate for kernel module signing
The private key and certificate to use when signing modules during kernel build process. On systems where the OpenSSL ENGINE_pkcs11 is functional — a PKCS#11 URI as defined by RFC7512 In the latter...Value -
Kernel panic timeout
The time, in seconds, to wait until a reboot occurs. If the value is0the system never reboots. If the value is less than0the system reboots immediately.Value -
Add nosuid Option to /var/tmp
The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/var/tmp</code>. The SUID and SGID permissions should not be required in these world-writable direc...Rule Medium Severity -
Restrict Programs from Dangerous Execution Patterns
The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution are activated. These protections are applied at the ...Group -
Enable module signature verification
Check modules for valid signatures upon load. Note that this option adds the OpenSSL development packages as a kernel build dependency so that the signing tool can use its crypto library. The conf...Rule Medium Severity -
Enable automatic signing of all modules
Sign all modules during make modules_install. Without this option, modules must be signed manually, using the scripts/sign-file tool. The configuration that was used to build kernel is available a...Rule Medium Severity -
Require modules to be validly signed
Reject unsigned modules or signed modules with an unknown key. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check the configuration value for...Rule Medium Severity -
Specify the hash to use when signing modules
This configures the kernel to build and sign modules using <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_hash" use="legacy"></xccdf-1.2:sub> as the hash func...Rule Medium Severity -
File Permissions and Masks
Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access. <br> <br> Severa...Group -
Verify Permissions on Important Files and Directories
Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verifie...Group -
Ensure All World-Writable Directories Are Owned by root User
All directories in local partitions which are world-writable should be owned by root. If any world-writable directories are not owned by root, this should be investigated. Following this, the files...Rule Medium Severity -
Manually Assign Global IPv6 Address
To manually assign an IP address for an interface, edit the file <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i> </code>. Add or correct the following line (substituting the co...Rule Unknown Severity -
Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces
To set the runtime status of the <code>net.ipv6.conf.all.accept_ra_defrtr</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_ra_defrtr=0</pre> To mak...Rule Unknown Severity -
Configure Accepting Router Advertisements on All IPv6 Interfaces
To set the runtime status of the <code>net.ipv6.conf.all.accept_ra</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0</pre> To make sure that th...Rule Medium Severity -
Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces
To set the runtime status of the <code>net.ipv6.conf.all.accept_ra_pinfo</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0</pre> To make ...Rule Unknown Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.