Skip to content
ATO Pathways
  Log In

Guide to the Secure Configuration of Red Hat Enterprise Linux 10

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Sudo - umask value

    Specify the sudo umask to use. The actual umask value that is used is the union of the user's umask and the sudo umask. The default sudo umask is 0...
    Value
    Show

  • Install sudo Package

    The sudo package can be installed with the following command: 
    $ sudo dnf install sudo
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/sudoers.d Directory

    To properly set the group owner of /etc/sudoers.d, run the command: 
    $ sudo chgrp root /etc/sudoers.d
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/sudoers.d Directory

    To properly set the owner of /etc/sudoers.d, run the command: 
    $ sudo chown root /etc/sudoers.d
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/sudoers.d Directory

    To properly set the permissions of /etc/sudoers.d, run the command: 
    $ sudo chmod 0750 /etc/sudoers.d
    Rule Medium Severity
    Show

  • Uninstall gssproxy Package

    The gssproxy package can be removed with the following command: 
    $ sudo dnf remove gssproxy
    Rule Medium Severity
    Show

  • Action for auditd to take when disk errors

    'The setting for disk_error_action in /etc/audit/auditd.conf, if multiple values are allowed write them separated by pipes as in "syslog|single|hal...
    Value
    Show

  • Action for auditd to take when disk is full

    'The setting for disk_full_action in /etc/audit/auditd.conf, if multiple values are allowed write them separated by pipes as in "syslog|single|halt...
    Value
    Show

  • Auditd priority for flushing data to disk

    The setting for flush in /etc/audit/auditd.conf
    Value
    Show

  • Number of Record to Retain Before Flushing to Disk

    The setting for freq in /etc/audit/auditd.conf
    Value
    Show

  • Maximum audit log file size for auditd

    The setting for max_log_file in /etc/audit/auditd.conf
    Value
    Show

  • Action for auditd to take when log files reach their maximum size

    The setting for max_log_file_action in /etc/audit/auditd.conf. The following options are available: <br>ignore - audit daemon does nothing. <br>sys...
    Value
    Show

  • Type of hostname to record the audit event

    Type of hostname to record the audit event
    Value
    Show

  • Number of log files for auditd to retain

    The setting for num_logs in /etc/audit/auditd.conf
    Value
    Show

  • Size remaining in disk space before prompting space_left_action

    The setting for space_left (MB) in /etc/audit/auditd.conf
    Value
    Show

  • Action for auditd to take when disk space just starts to run low

    The setting for space_left_action in /etc/audit/auditd.conf
    Value
    Show

  • The percentage remaining in disk space before prompting space_left_action

    The setting for space_left as a percentage in /etc/audit/auditd.conf
    Value
    Show

  • Configure a Sufficiently Large Partition for Audit Logs

    The Red Hat Enterprise Linux 10 operating system must allocate audit record storage capacity to store at least one weeks worth of audit records whe...
    Rule Medium Severity
    Show

  • Configure auditd to use audispd's syslog plugin

    To configure the <code>auditd</code> service to use the <code>syslog</code> plug-in of the <code>audispd</code> audit event multiplexor, set the <c...
    Rule Medium Severity
    Show

  • Configure auditd Disk Error Action on Disk Error

    The <code>auditd</code> service can be configured to take an action when there is a disk error. Edit the file <code>/etc/audit/auditd.conf</code>. ...
    Rule Medium Severity
    Show

  • Uninstall iprutils Package

    The iprutils package can be removed with the following command: 
    $ sudo dnf remove iprutils
    Rule Medium Severity
    Show

  • Uninstall tuned Package

    The tuned package can be removed with the following command: 
    $ sudo dnf remove tuned
    Rule Medium Severity
    Show

  • Updating Software

    The <code>dnf</code> command line tool is used to install and update software packages. The system also provides a graphical software update tool i...
    Group
    Show

  • Install dnf-automatic Package

    The dnf-automatic package can be installed with the following command: 
    $ sudo dnf install dnf-automatic
    Rule Medium Severity
    Show

  • Ensure dnf Removes Previous Package Versions

    <code>dnf</code> should be configured to remove previous software components after new versions have been installed. To configure <code>dnf</code> ...
    Rule Low Severity
    Show

  • Configure dnf-automatic to Install Available Updates Automatically

    To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates...
    Rule Medium Severity
    Show

  • Ensure that Root's Path Does Not Include World or Group-Writable Directories

    For each element in root's path, run: 
    # ls -ld DIR
    and ensure that write permissions are disabled for group and other.
    Rule Medium Severity
    Show

  • Enable the auditadm_exec_content SELinux Boolean

    By default, the SELinux boolean <code>auditadm_exec_content</code> is enabled. If this setting is disabled, it should be enabled. To enable the <c...
    Rule Medium Severity
    Show

  • Disable the authlogin_nsswitch_use_ldap SELinux Boolean

    By default, the SELinux boolean <code>authlogin_nsswitch_use_ldap</code> is disabled. If this setting is enabled, it should be disabled. To disabl...
    Rule Medium Severity
    Show

  • Disable the authlogin_radius SELinux Boolean

    By default, the SELinux boolean <code>authlogin_radius</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code...
    Rule Medium Severity
    Show

  • Configure the deny_execmem SELinux Boolean

    By default, the SELinux boolean <code>deny_execmem</code> is disabled. This setting should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproj...
    Rule Medium Severity
    Show

  • Enable the kerberos_enabled SELinux Boolean

    By default, the SELinux boolean <code>kerberos_enabled</code> is enabled. If this setting is disabled, it should be enabled to allow confined appli...
    Rule Medium Severity
    Show

  • DNS Server

    Most organizations have an operational need to run at least one nameserver. However, there are many common attacks involving DNS server software, a...
    Group
    Show

  • Uninstall dnsmasq Package

    dnsmasq is a lightweight tool that provides DNS caching, DNS forwarding and DHCP (Dynamic Host Configuration Protocol) services. <br> The <code>dns...
    Rule Low Severity
    Show

  • Disable DNS Server

    DNS software should be disabled on any systems which does not need to be a nameserver. Note that the BIND DNS server software is not installed on R...
    Group
    Show

  • All GIDs referenced in /etc/passwd must be defined in /etc/group

    Add a group to the system for each GID referenced without a corresponding group.
    Rule Low Severity
    Show

  • Prevent Login to Accounts With Empty Password

    If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without ...
    Rule High Severity
    Show

  • Ensure There Are No Accounts With Blank or Null Passwords

    Check the "/etc/shadow" file for blank passwords with the following command: <pre>$ sudo awk -F: '!$2 {print $1}' /etc/shadow</pre> If the command ...
    Rule High Severity
    Show

  • Verify No .forward Files Exist

    The .forward file specifies an email address to forward the user's mail to.
    Rule Medium Severity
    Show

  • Verify Group Who Owns Backup shadow File

    To properly set the owner of /etc/shadow-, run the command: 
    $ sudo chown root /etc/shadow-
    Rule Medium Severity
    Show

  • Verify User Who Owns group File

    To properly set the owner of /etc/group, run the command: 
    $ sudo chown root /etc/group
    Rule Medium Severity
    Show

  • Verify User Who Owns gshadow File

    To properly set the owner of /etc/gshadow, run the command: 
    $ sudo chown root /etc/gshadow
    Rule Medium Severity
    Show

  • Verify User Who Owns passwd File

    To properly set the owner of /etc/passwd, run the command: 
    $ sudo chown root /etc/passwd
    Rule Medium Severity
    Show

  • Verify User Who Owns shadow File

    To properly set the owner of /etc/shadow, run the command: 
    $ sudo chown root /etc/shadow
    Rule Medium Severity
    Show

  • Verify Who Owns /etc/shells File

    To properly set the owner of /etc/shells, run the command: 
    $ sudo chown root /etc/shells
    Rule Medium Severity
    Show

  • Verify Group Who Owns Backup passwd File

    To properly set the group owner of /etc/passwd-, run the command: 
    $ sudo chgrp root /etc/passwd-
    Rule Medium Severity
    Show

  • Uninstall bind Package

    The <code>named</code> service is provided by the <code>bind</code> package. The <code>bind</code> package can be removed with the following comman...
    Rule Low Severity
    Show

  • Application Whitelisting Daemon

    Fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. Applications that are known via a reputatio...
    Group
    Show

  • Install fapolicyd Package

    The fapolicyd package can be installed with the following command: 
    $ sudo dnf install fapolicyd
    Rule Medium Severity
    Show

  • Enable the File Access Policy Service

    The File Access Policy service should be enabled. The <code>fapolicyd</code> service can be enabled with the following command: <pre>$ sudo system...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules