Red Hat Enterprise Linux 8 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
RHEL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface.
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporar... (Rule: Medium Severity)

RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin... (Rule: Medium Severity)

RHEL 8 must require the change of at least four character classes when passwords are changed.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin... (Rule: Medium Severity)

RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually... (Rule: Medium Severity)

RHEL 8 passwords must have a minimum of 15 characters.
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectivene... (Rule: Medium Severity)

RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts.
Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise... (Rule: Medium Severity)

RHEL 8 must automatically expire temporary accounts within 72 hours.
Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the nee... (Rule: Medium Severity)

RHEL 8 must not have unnecessary accounts.
Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and a... (Rule: Medium Severity)

RHEL 8 must set the umask value to 077 for all local interactive user accounts.
The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number,... (Rule: Medium Severity)

The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an ... (Rule: Medium Severity)

The RHEL 8 System must take appropriate action when an audit processing failure occurs.
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an ... (Rule: Medium Severity)

The RHEL 8 audit system must audit local events.
Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events ... (Rule: Medium Severity)

RHEL 8 must resolve audit information before writing to disk.
Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events ... (Rule: Low Severity)

RHEL 8 audit log directory must be owned by root to prevent unauthorized read access.
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit recor... (Rule: Medium Severity)

RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access.
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit recor... (Rule: Medium Severity)

RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in... (Rule: Medium Severity)

RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in... (Rule: Medium Severity)

The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in... (Rule: Medium Severity)

Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in... (Rule: Medium Severity)

Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in... (Rule: Medium Severity)

Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in... (Rule: Medium Severity)

Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record.
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privi... (Rule: Medium Severity)

Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in... (Rule: Medium Severity)

Successful/unsuccessful uses of the init_module and finit_module system calls in RHEL 8 must generate an audit record.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in... (Rule: Medium Severity)

Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in... (Rule: Medium Severity)

Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in RHEL 8 must generate an audit record.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in... (Rule: Medium Severity)

Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record.
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit rec... (Rule: Medium Severity)

Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record.
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit rec... (Rule: Medium Severity)

RHEL 8 must enable Linux audit logging for the USBGuard daemon.
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. If auditi... (Rule: Low Severity)

RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools.
Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit recor... (Rule: Medium Severity)

RHEL 8 must have the packages required for offloading audit logs installed.
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. RH... (Rule: Medium Severity)

The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited.
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. RH... (Rule: Medium Severity)

RHEL 8 must authenticate the remote logging server for off-loading audit logs.
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. RH... (Rule: Medium Severity)

RHEL 8 must disable network management of the chrony daemon.
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when condu... (Rule: Low Severity)

RHEL 8 must not have the telnet-server package installed.
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke... (Rule: High Severity)

RHEL 8 must enable mitigations against processor-based vulnerabilities.
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke... (Rule: Low Severity)

RHEL 8 must cover or disable the built-in or attached camera when not in use.
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke... (Rule: Medium Severity)

RHEL 8 must disable the controller area network (CAN) protocol.
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke... (Rule: Low Severity)

RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restr... (Rule: Medium Severity)

A firewall must be installed on RHEL 8.
"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to netwo... (Rule: Medium Severity)

RHEL 8 wireless network adapters must be disabled.
Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or u... (Rule: Medium Severity)

RHEL 8 must mount /dev/shm with the nodev option.
The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio... (Rule: Medium Severity)

RHEL 8 must mount /dev/shm with the noexec option.
The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio... (Rule: Medium Severity)

RHEL 8 must mount /tmp with the noexec option.
The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio... (Rule: Medium Severity)

RHEL 8 must mount /var/log with the noexec option.
The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio... (Rule: Medium Severity)

RHEL 8 must mount /var/log/audit with the noexec option.
The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio... (Rule: Medium Severity)

RHEL 8 must mount /var/tmp with the noexec option.
The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio... (Rule: Medium Severity)

RHEL 8 must block unauthorized peripherals before establishing a connection.
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drive... (Rule: Medium Severity)

All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirem... (Rule: Medium Severity)

The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed.
A locally logged-on user, who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create th... (Rule: High Severity)