Guide to the Secure Configuration of Red Hat Enterprise Linux 10
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Limit Password Reuse: password-auth
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_pwhistory</code>...Rule Medium Severity -
Limit Password Reuse: system-auth
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_pwhistory</code>...Rule Medium Severity -
Limit Password Reuse
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_unix</code> or <...Rule Medium Severity -
Account Lockouts Must Be Logged
PAM faillock locks an account due to excessive password failures, this event must be logged.Rule Medium Severity -
Lock Accounts After Failed Password Attempts
This rule configures the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>. pam_faillock.so...Rule Medium Severity -
Configure the root Account for Failed Password Attempts
This rule configures the system to lock out the <code>root</code> account after a number of incorrect login attempts using <code>pam_faillock.so</c...Rule Medium Severity -
Lock Accounts Must Persist
This rule ensures that the system lock out accounts using <code>pam_faillock.so</code> persist after system reboot. From "pam_faillock" man pages: ...Rule Medium Severity -
Set Interval For Counting Failed Password Attempts
Utilizing <code>pam_faillock.so</code>, the <code>fail_interval</code> directive configures the system to lock out an account after a number of inc...Rule Medium Severity -
Configure the tmux Lock Command
To enable console screen locking in <code>tmux</code> terminal multiplexer, the <code>vlock</code> command must be configured to be used as a locki...Rule Medium Severity -
Set existing passwords a period of inactivity before they been locked
Configure user accounts that have been inactive for over a given period of time to be automatically disabled by running the following command: <pre...Rule Medium Severity -
Verify Proper Storage and Existence of Password Hashes
By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be re...Group -
Password Hashing algorithm
Specify the number of rounds for the system password encryption algorithm. Defines the value set in <code>/etc/pam.d/system-auth</code> and <code>/...Value -
Configure the tmux lock session key binding
To set a key binding for the screen locking in <code>tmux</code> terminal multiplexer, the <code>session-lock</code> command must be bound to a key...Rule Low Severity -
Prevent user from disabling the screen lock
Thetmuxterminal multiplexer is used to implement automatic session locking. It should not be listed in/etc/shells.Rule Low Severity -
Hardware Tokens for Authentication
The use of hardware tokens such as smart cards for system login provides stronger, two-factor authentication than using a username and password. I...Group -
OpenSC Smart Card Drivers
Choose the Smart Card Driver in use by your organization. <br>For DoD, choose the <code>cac</code> driver. <br>If your driver is not listed and you...Value -
Install the opensc Package For Multifactor Authentication
Theopenscpackage can be installed with the following command:$ sudo dnf install opensc
Rule Medium Severity -
Install the pcsc-lite package
Thepcsc-litepackage can be installed with the following command:$ sudo dnf install pcsc-lite
Rule Medium Severity -
Verify No netrc Files Exist
The <code>.netrc</code> files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files ma...Rule Medium Severity -
Restrict Root Logins
Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivil...Group -
Group Name Used by pam_wheel Group Parameter
pam_wheel module has a parameter called group, which controls which groups can access the su command. This variable holds the valid value for the p...Value -
Verify Only Root Has UID 0
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or h...Rule High Severity -
Verify All Account Password Hashes are Shadowed
If any password hashes are stored in <code>/etc/passwd</code> (in the second field, instead of an <code>x</code> or <code>*</code>), the cause of t...Rule Medium Severity -
Verify All Account Password Hashes are Shadowed with SHA512
Verify the operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptograp...Rule Medium Severity -
Ensure all users last password change date is in the past
All users should have a password change date in the past.Rule Medium Severity -
Set number of Password Hashing Rounds - password-auth
Configure the number or rounds for the password hashing algorithm. This can be accomplished by using the <code>rounds</code> option for the <code>p...Rule Medium Severity -
Verify Root Has A Primary GID 0
Therootuser should have a primary group of 0.Rule High Severity -
Verify Group Who Owns /etc/ipsec.conf File
To properly set the group owner of/etc/ipsec.conf, run the command:$ sudo chgrp root /etc/ipsec.conf
Rule Medium Severity -
Verify Group Who Owns /etc/ipsec.secrets File
To properly set the group owner of/etc/ipsec.secrets, run the command:$ sudo chgrp root /etc/ipsec.secrets
Rule Medium Severity -
Verify User Who Owns /etc/ipsec.conf File
To properly set the owner of/etc/ipsec.conf, run the command:$ sudo chown root /etc/ipsec.conf
Rule Medium Severity -
Verify User Who Owns /etc/ipsec.secrets File
To properly set the owner of/etc/ipsec.secrets, run the command:$ sudo chown root /etc/ipsec.secrets
Rule Medium Severity -
Verify Permissions On /etc/ipsec.conf File
To properly set the permissions of/etc/ipsec.conf, run the command:$ sudo chmod 0644 /etc/ipsec.conf
Rule Medium Severity -
Verify Permissions On /etc/ipsec.secrets File
To properly set the permissions of/etc/ipsec.secrets, run the command:$ sudo chmod 0644 /etc/ipsec.secrets
Rule Medium Severity -
Verify Any Configured IPSec Tunnel Connections
Libreswan provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. As such, IPsec can be ...Rule Medium Severity -
net.ipv6.conf.default.accept_redirects
Toggle ICMP Redirect Acceptance By DefaultValue -
net.ipv6.conf.default.accept_source_route
Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirec...Value -
net.ipv6.conf.default.autoconf
Enable auto configuration on IPv6 interfacesValue -
net.ipv6.conf.default.max_addresses
Maximum number of autoconfigured IPv6 addressesValue -
net.ipv6.conf.default.router_solicitations
Accept all router solicitations by default?Value -
Install Smart Card Packages For Multifactor Authentication
Configure the operating system to implement multifactor authentication by installing the required package with the following command:Rule Medium Severity -
net.ipv4.conf.all.secure_redirects
Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure...Value -
net.ipv4.conf.all.shared_media
Controls whether the system can send (router) or accept (host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be ...Value -
net.ipv4.conf.default.accept_redirects
Disable ICMP Redirect Acceptance?Value -
net.ipv4.conf.default.accept_source_route
Disable IP source routing?Value -
net.ipv4.conf.default.log_martians
Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect PacketsValue -
net.ipv4.conf.default.rp_filter
Enables source route verificationValue -
Ensure that Root's Path Does Not Include Relative Paths or Null Directories
Ensure that none of the directories in root's path is equal to a single <code>.</code> character, or that it contains any instances that lead to re...Rule Unknown Severity -
Ensure that Users Have Sensible Umask Values
The umask setting controls the default permissions for the creation of new files. With a default <code>umask</code> setting of 077, files and direc...Group -
Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words
The pam_pwquality module's <code>dictcheck</code> check if passwords contains dictionary words. When <code>dictcheck</code> is set to <code>1</code...Rule Medium Severity -
Sensible umask
Enter default user umaskValue
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.