Guide to the Secure Configuration of Red Hat Enterprise Linux 10
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Ensure tmp.mount Unit Is Enabled
The <code>/tmp</code> directory is a world-writable directory used for temporary file storage. This directory is managed by <code>systemd-tmpfiles</code>. Ensure that the <code>tmp.mount</code> sys...Rule Low Severity -
GNOME Desktop Environment
GNOME is a graphical desktop environment bundled with many Linux distributions that allow users to easily interact with the operating system graphically rather than textually. The GNOME Graphical D...Group -
Remove the GDM Package Group
By removing the <code>gdm</code> package, the system no longer has GNOME installed installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the...Rule Medium Severity -
Make sure that the dconf databases are up-to-date with regards to respective keyfiles
By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the <pre>dconf update</pre> command. More specific...Rule High Severity -
The operating system must restrict privilege elevation to authorized personnel
The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file...Rule Medium Severity -
Verify Group Who Owns /etc/sudoers File
To properly set the group owner of/etc/sudoers, run the command:$ sudo chgrp root /etc/sudoers
Rule Medium Severity -
Verify User Who Owns /etc/sudoers File
To properly set the owner of/etc/sudoers, run the command:$ sudo chown root /etc/sudoers
Rule Medium Severity -
Verify Permissions On /etc/sudoers File
To properly set the permissions of/etc/sudoers, run the command:$ sudo chmod 0440 /etc/sudoers
Rule Medium Severity -
Ensure That the sudo Binary Has the Correct Permissions
To properly set the permissions of/usr/bin/sudo, run the command:$ sudo chmod 4111 /usr/bin/sudo
Rule Medium Severity -
Ensure sudo Runs In A Minimal Environment - sudo env_reset
The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment, containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER and SUDO_* variables. On Red Hat Ente...Rule Medium Severity -
Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
The sudo <code>ignore_dot</code> tag, when specified, will ignore the current directory in the PATH environment variable. On Red Hat Enterprise Linux 10, <code>ignore_dot</code> is enabled by defau...Rule Medium Severity -
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
The sudo <code>NOEXEC</code> tag, when specified, prevents user executed commands from executing other commands, like a shell for example. This should be enabled by making sure that the <code>NOEXE...Rule High Severity -
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
The sudo <code>requiretty</code> tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the <code>requiretty</code> tag ...Rule Medium Severity -
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
The sudo <code>use_pty</code> tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the <code>use_pty</code> tag exists...Rule Medium Severity -
Ensure Sudo Logfile Exists - sudo logfile
A custom log sudo file can be configured with the 'logfile' tag. This rule configures a sudo custom logfile at the default location suggested by CIS, which uses /var/log/sudo.log.Rule Low Severity -
Ensure a dedicated group owns sudo
Restrict the execution of privilege escalated commands to a dedicated group of users. Ensure the group owner of /usr/bin/sudo is <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2...Rule Medium Severity -
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the <code>!authe...Rule Medium Severity -
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
The sudo <code>NOPASSWD</code> tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the <code>NOPASSWD</code...Rule Medium Severity -
Ensure Users Re-Authenticate for Privilege Escalation - sudo
The sudo <code>NOPASSWD</code> and <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making ...Rule Medium Severity -
Require Re-Authentication When Using the sudo Command
The sudo <code>timestamp_timeout</code> tag sets the amount of time sudo password prompt waits. The default <code>timestamp_timeout</code> value is 5 minutes. The timestamp_timeout should be config...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.