Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Rules, Groups, and Values defined within the XCCDF Benchmark
-
UEFI GRUB2 bootloader configuration
UEFI GRUB2 bootloader configurationGroup -
authlogin_yubikey SELinux Boolean
default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.Value -
Remove the kernel mapping in user mode
This feature reduces the number of hardware side channels by ensuring that the majority of kernel addresses are not mapped into userspace. This con...Rule High Severity -
Enable Auditing to Start Prior to the Audit Daemon in zIPL
To ensure all processes can be audited, even those which start prior to the audit daemon, check that all boot entries in <code>/boot/loader/entries...Rule Medium Severity -
Extend Audit Backlog Limit for the Audit Daemon in zIPL
To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon, check that all boot entries in <code>/boo...Rule Medium Severity -
Ensure all zIPL boot entries are BLS compliant
Ensure that zIPL boot entries fully adheres to Boot Loader Specification (BLS) by checking that <code>/etc/zipl.conf</code> doesn't contain <code>i...Rule Medium Severity -
Ensure zIPL bootmap is up to date
Make sure that <code>/boot/bootmap</code> is up to date.<br> Every time a boot entry or zIPL configuration is changed <code>/boot/bootmap</code> ne...Rule Medium Severity -
Ensure SELinux Not Disabled in zIPL
To ensure SELinux is not disabled at boot time, check that no boot entry in <code>/boot/loader/entries/*.conf</code> has <code>selinux=0</code> inc...Rule Medium Severity -
Enable page allocator poisoning in zIPL
To enable poisoning of free pages, check that all boot entries in <code>/boot/loader/entries/*.conf</code> have <code>page_poison=1</code> included...Rule Medium Severity -
Enable SLUB/SLAB allocator poisoning in zIPL
To enable poisoning of SLUB/SLAB objects, check that all boot entries in <code>/boot/loader/entries/*.conf</code> have <code>slub_debug=P</code> in...Rule Medium Severity -
Ensure debug-shell service is not enabled in zIPL
systemd's <code>debug-shell</code> service is intended to diagnose systemd related boot issues with various <code>systemctl</code> commands. Once e...Rule Medium Severity -
Disable vsyscalls in zIPL
To disable use of virtual syscalls, check that all boot entries in <code>/boot/loader/entries/*.conf</code> have <code>vsyscall=none</code> include...Rule Medium Severity -
Protect Random-Number Entropy Pool
The I/O operations of the Linux kernel block layer due to their inherently unpredictable execution times have been traditionally considered as a re...Group -
Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool
For each solid-state drive on the system, run:# echo 0 > /sys/block/DRIVE/queue/add_random
Rule Medium Severity -
Kernel Configuration
Contains rules that check the kernel configuration that was used to build it.Group -
Hash function for kernel module signing
The hash function to use when signing modules during kernel build process.Value -
Key and certificate for kernel module signing
The private key and certificate to use when signing modules during kernel build process. On systems where the OpenSSL ENGINE_pkcs11 is functional —...Value -
Kernel panic timeout
The time, in seconds, to wait until a reboot occurs. If the value is <code>0</code> the system never reboots. If the value is less than <code>0</co...Value -
Do not allow ACPI methods to be inserted/replaced at run time
This debug facility allows ACPI AML methods to be inserted and/or replaced without rebooting the system. This configuration is available from kerne...Rule Low Severity -
Disable kernel support for MISC binaries
Enabling <code>CONFIG_BINFMT_MISC</code> makes it possible to plug wrapper-driven binary formats into the kernel. This is specially useful for prog...Rule Medium Severity -
Enable support for BUG()
Disabling this option eliminates support for BUG and WARN, reducing the size of your kernel image and potentially quietly ignoring numerous fatal c...Rule Medium Severity -
Disable compatibility with brk()
Enabling compatiliby with <code>brk()</code> allows legacy binaries to run (i.e. those linked against libc5). But this compatibility comes at the c...Rule Medium Severity -
Disable the 32-bit vDSO
Certain buggy versions of glibc (2.3.3) will crash if they are presented with a 32-bit vDSO that is not mapped at the address indicated in its segm...Rule Low Severity -
Enable checks on credential management
Enable this to turn on some debug checking for credential management. The additional code keeps track of the number of pointers from task_structs t...Rule Low Severity -
httpd_anon_write SELinux Boolean
default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.Value -
Disable kernel debugfs
<code>debugfs</code> is a virtual file system that kernel developers use to put debugging files into. Enable this option to be able to read and wri...Rule Low Severity -
Enable checks on linked list manipulation
Enable this to turn on extended checks in the linked-list walking routines. The configuration that was used to build kernel is available at <code>...Rule Low Severity -
Enable checks on notifier call chains
Enable this to turn on sanity checking for notifier call chains. This is most useful for kernel developers to make sure that modules properly unreg...Rule Low Severity -
Enable checks on scatter-gather (SG) table operations
Scatter-gather tables are mechanism used for high performance I/O on DMA devices. Enable this to turn on checks on scatter-gather tables. The conf...Rule Low Severity -
Configure low address space to protect from user allocation
This is the portion of low virtual memory which should be protected from userspace allocation. This configuration is available from kernel 3.14, bu...Rule Medium Severity -
Disable /dev/kmem virtual device support
Disable support for the /dev/kmem device. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To chec...Rule Low Severity -
Disable hibernation
Enable the suspend to disk (STD) functionality, which is usually called "hibernation" in user interfaces. STD checkpoints the system and powers it ...Rule Medium Severity -
Disable IA32 emulation
Disables support for legacy 32-bit programs under a 64-bit kernel. The configuration that was used to build kernel is available at <code>/boot/con...Rule Medium Severity -
Disable the IPv6 protocol
Disable support for IP version 6 (IPv6). The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check...Rule Medium Severity -
Disable kexec system call
<code>kexec</code> is a system call that implements the ability to shutdown your current kernel, and to start another kernel. It is like a reboot b...Rule Low Severity -
Disable legacy (BSD) PTY support
Disable the Linux traditional BSD-like terminal names /dev/ptyxx for masters and /dev/ttyxx for slaves of pseudo terminals, and use only the modern...Rule Medium Severity -
Enable module signature verification
Check modules for valid signatures upon load. Note that this option adds the OpenSSL development packages as a kernel build dependency so that the ...Rule Medium Severity -
Enable automatic signing of all modules
Sign all modules during make modules_install. Without this option, modules must be signed manually, using the scripts/sign-file tool. The configur...Rule Medium Severity -
Require modules to be validly signed
Reject unsigned modules or signed modules with an unknown key. The configuration that was used to build kernel is available at <code>/boot/config-...Rule Medium Severity -
Specify the hash to use when signing modules
This configures the kernel to build and sign modules using <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_ha...Rule Medium Severity -
Specify module signing key to use
Setting this option to something other than its default of <code>certs/signing_key.pem</code> will disable the autogeneration of signing keys and a...Rule Medium Severity -
Sign kernel modules with SHA-512
This configures the kernel to build and sign modules using SHA512 as the hash function. The configuration that was used to build kernel is availab...Rule Medium Severity -
Enable poison without sanity check
Skip the sanity checking on alloc, only fill the pages with poison on free. This reduces some of the overhead of the poisoning feature. This config...Rule Medium Severity -
Use zero for poisoning instead of debugging value
Instead of using the existing poison value, fill the pages with zeros. This makes it harder to detect when errors are occurring due to sanitization...Rule Medium Severity -
httpd_run_ipa SELinux Boolean
default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.Value -
Kernel panic oops
Enable the kernel to panic when it oopses. This has the same effect as setting oops=panic on the kernel command line. The configuration that was u...Rule Medium Severity -
Kernel panic timeout
Set the timeout value (in seconds) until a reboot occurs when the kernel panics. A timeout of 0 configures the system to wait forever. With a timeo...Rule Medium Severity -
Disable support for /proc/kkcore
Provides a virtual ELF core file of the live kernel. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. ...Rule Low Severity -
Randomize the address of the kernel image (KASLR)
In support of Kernel Address Space Layout Randomization (KASLR), this randomizes the physical address at which the kernel image is decompressed and...Rule Medium Severity -
Randomize the kernel memory sections
Randomizes the base virtual address of kernel memory sections (physical memory mapping, vmalloc & vmemmap). This configuration is available fro...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.