Guide to the Secure Configuration of Red Hat Enterprise Linux 10
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Uninstall rsync Package
The rsyncd service can be used to synchronize files between systems over network links. The <code>rsync-daemon</code> package can be removed with t...Rule Medium Severity -
Ensure rsyncd service is disabled
Thersyncdservice can be disabled with the following command:$ sudo systemctl mask --now rsyncd.service
Rule Medium Severity -
Xinetd
The <code>xinetd</code> service acts as a dedicated listener for some network services (mostly, obsolete ones) and can be used to provide access co...Group -
Uninstall xinetd Package
Thexinetdpackage can be removed with the following command:$ sudo dnf remove xinetd
Rule Low Severity -
Rlogin, Rsh, and Rexec
The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.Group -
Disable rexec Service
The <code>rexec</code> service, which is available with the <code>rsh-server</code> package and runs as a service through xinetd or separately as a...Rule High Severity -
Verify User Who Owns Backup shadow File
To properly set the group owner of/etc/shadow-, run the command:$ sudo chgrp root /etc/shadow-
Rule Medium Severity -
Verify Group Who Owns group File
To properly set the group owner of/etc/group, run the command:$ sudo chgrp root /etc/group
Rule Medium Severity -
Verify Group Who Owns gshadow File
To properly set the group owner of/etc/gshadow, run the command:$ sudo chgrp root /etc/gshadow
Rule Medium Severity -
Verify Group Who Owns passwd File
To properly set the group owner of/etc/passwd, run the command:$ sudo chgrp root /etc/passwd
Rule Medium Severity -
Verify Group Who Owns shadow File
To properly set the group owner of/etc/shadow, run the command:$ sudo chgrp root /etc/shadow
Rule Medium Severity -
Verify Group Who Owns /etc/shells File
To properly set the group owner of/etc/shells, run the command:$ sudo chgrp root /etc/shells
Rule Medium Severity -
Verify User Who Owns Backup group File
To properly set the owner of/etc/group-, run the command:$ sudo chown root /etc/group-
Rule Medium Severity -
Verify User Who Owns Backup gshadow File
To properly set the owner of/etc/gshadow-, run the command:$ sudo chown root /etc/gshadow-
Rule Medium Severity -
Record Execution Attempts to Run ACL Privileged Commands
At a minimum, the audit system should collect the execution of ACL privileged commands for all users and root.Group -
Ensure /var/tmp Located On Separate Partition
The <code>/var/tmp</code> directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volum...Rule Medium Severity -
Configure GNOME Login Screen
In the default GNOME desktop, the login is displayed after system boot and can display user accounts, allow users to reboot the system, and allow u...Group -
Disable the GNOME3 Login Restart and Shutdown Buttons
In the default graphical environment, users logging directly into the system are greeted with a login screen that allows any user, known or unknown...Rule High Severity -
Disable the GNOME3 Login User List
In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This fu...Rule Medium Severity -
Enable the GNOME3 Screen Locking On Smartcard Removal
In the default graphical environment, screen locking on smartcard removal can be enabled by setting <code>removal-action</code> to <code>'lock-scre...Rule Medium Severity -
Disable GDM Automatic Login
The GNOME Display Manager (GDM) can allow users to automatically login without user interaction or credentials. User should always be required to a...Rule High Severity -
Disable GDM Guest Login
The GNOME Display Manager (GDM) can allow users to login without credentials which can be useful for public kiosk scenarios. Allowing users to logi...Rule High Severity -
GNOME Media Settings
GNOME media settings that apply to the graphical interface.Group -
Disable GNOME3 Automounting
The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are...Rule Medium Severity -
Disable GNOME3 Automount Opening
The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are...Rule Medium Severity -
Disable GNOME3 Automount running
The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are...Rule Low Severity -
Configure GNOME Screen Locking
In the default GNOME3 desktop, the screen can be locked by selecting the user name in the far right corner of the main panel and selecting <b>Lock<...Group -
Screensaver Inactivity timeout
Choose allowed duration (in seconds) of inactive graphical sessionsValue -
Screensaver Lock Delay
Choose allowed duration (in seconds) after a screensaver becomes active before displaying an authentication promptValue -
Enable GNOME3 Screensaver Idle Activation
To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set <code>idle-activation-enabled</code> to <code>true</code...Rule Medium Severity -
Set GNOME3 Screensaver Inactivity Timeout
The idle time-out value for inactivity in the GNOME3 desktop is configured via the <code>idle-delay</code> setting must be set under an appropriate...Rule Medium Severity -
Sudo
<code>Sudo</code>, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrato...Group -
Group name dedicated to the use of sudo
Specify the name of the group that should own /usr/bin/sudo.Value -
Sudo - logfile value
Specify the sudo logfile to use. The default value used here matches the example location from CIS, which uses /var/log/sudo.log.Value -
Set GNOME3 Screensaver Lock Delay After Activation Period
To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set <code>lock-delay</code> to <co...Rule Medium Severity -
Enable GNOME3 Screensaver Lock After Idle Period
To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set <code>lock-enabled</code> to <code>true</code> in <c...Rule Medium Severity -
Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding <pre>/org/gnome/desktop/screensaver/lock-enab...Rule Medium Severity -
Implement Blank Screensaver
To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set <code>picture-uri</code> to <code>string ''</code> in <code>/etc...Rule Medium Severity -
Ensure Users Cannot Change GNOME3 Screensaver Settings
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding <code>/org/gnome/desktop/screensaver/lock-del...Rule Medium Severity -
Ensure Users Cannot Change GNOME3 Session Idle Settings
If not already configured, ensure that users cannot change GNOME3 session idle settings by adding <code>/org/gnome/desktop/session/idle-delay</code...Rule Medium Severity -
GNOME System Settings
GNOME provides configuration and functionality to a graphical desktop environment that changes grahical configurations or allow a user to perform a...Group -
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
By default, <code>GNOME</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed. <br> <br> To configure the...Rule High Severity -
Explicit arguments in sudo specifications
All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user. If the command is supposed to be executed...Rule Medium Severity -
Don't define allowed commands in sudoers by means of exclusion
Policies applied by sudo through the sudoers file should not involve negation. Each user specification in the <code>sudoers</code> file contains a...Rule Medium Severity -
Don't target root user in the sudoers file
The targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root). User specifications have to expl...Rule Medium Severity -
Ensure invoking users password for privilege escalation when using sudo
The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validate...Rule Medium Severity -
System Tooling / Utilities
The following checks evaluate the system for recommended base packages -- both for installation and removal.Group -
Install cryptsetup Package
Thecryptsetuppackage can be installed with the following command:$ sudo dnf install cryptsetup
Rule Medium Severity -
Ensure gnutls-utils is installed
Thegnutls-utilspackage can be installed with the following command:$ sudo dnf install gnutls-utils
Rule Medium Severity -
Install libdnf-plugin-subscription-manager Package
The <code>libdnf-plugin-subscription-manager</code> package can be installed with the following command: <pre> $ sudo dnf install libdnf-plugin-sub...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.