Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the <code>!authe...Rule Medium Severity -
Verify Permissions On /etc/sudoers File
To properly set the permissions of/etc/sudoers, run the command:$ sudo chmod 0440 /etc/sudoers
Rule Medium Severity -
Ensure That the sudo Binary Has the Correct Permissions
To properly set the permissions of/usr/bin/sudo, run the command:$ sudo chmod 4111 /usr/bin/sudo
Rule Medium Severity -
Ensure All User Initialization Files Have Mode 0740 Or Less Permissive
Set the mode of the user initialization files to0740with the following command:$ sudo chmod 0740 /home/USER/.INIT_FILERule Medium Severity -
Disk Partitioning
To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logical volume. The installer's default partitioning sc...Group -
Ensure /var/log Located On Separate Partition
System logs are stored in the <code>/var/log</code> directory. <p> Partitioning Red Hat CoreOS is a Day 1 operation and cannot be changed afterwards. For documentation on how to add a MachineConfig...Rule Low Severity -
Ensure tmp.mount Unit Is Enabled
The <code>/tmp</code> directory is a world-writable directory used for temporary file storage. This directory is managed by <code>systemd-tmpfiles</code>. Ensure that the <code>tmp.mount</code> sys...Rule Low Severity -
Sudo
<code>Sudo</code>, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrators. When configured for system users and/or groups...Group -
Verify Group Who Owns /etc/sudoers.d Directory
To properly set the group owner of/etc/sudoers.d, run the command:$ sudo chgrp root /etc/sudoers.d
Rule Medium Severity -
Verify User Who Owns /etc/sudoers.d Directory
To properly set the owner of/etc/sudoers.d, run the command:$ sudo chown root /etc/sudoers.d
Rule Medium Severity -
Verify Permissions On /etc/sudoers.d Directory
To properly set the permissions of/etc/sudoers.d, run the command:$ sudo chmod 0750 /etc/sudoers.d
Rule Medium Severity -
Verify Group Who Owns /etc/sudoers File
To properly set the group owner of/etc/sudoers, run the command:$ sudo chgrp root /etc/sudoers
Rule Medium Severity -
Verify User Who Owns /etc/sudoers File
To properly set the owner of/etc/sudoers, run the command:$ sudo chown root /etc/sudoers
Rule Medium Severity -
Explicit arguments in sudo specifications
All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user. If the command is supposed to be executed only without arguments, pass "" as an argument in...Rule Medium Severity -
Ensure Red Hat GPG Key Installed
To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. T...Rule High Severity -
Modify the System Login Banner for Remote Connections
To configure the system login banner edit <code>/etc/issue.net</code>. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is ...Rule Medium Severity -
Verify Group Ownership of System Login Banner
To properly set the group owner of/etc/issue, run the command:$ sudo chgrp root /etc/issue
Rule Medium Severity -
Protect Accounts by Configuring PAM
PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and configurable architecture for authentication, and it sh...Group -
Password Hashing algorithm for pam_unix.so
Specify the system default encryption algorithm for encrypting passwords. Defines the hashing algorithm to be used in pam_unix.so.Value -
Set Lockouts for Failed Password Attempts
The <code>pam_faillock</code> PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentation is available in <code>/usr/share/doc/pam-VERSIO...Group -
Set Password Quality Requirements with pam_pwquality
The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br> <br> For example, to configure <code>pam_pwquality</code> to require at lea...Group -
Ensure PAM Enforces Password Requirements - Minimum Different Categories
The pam_pwquality module's <code>minclass</code> parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is consider...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
To configure the number of retry prompts that are permitted per-session: Edit the <code>pam_pwquality.so</code> statement in <code>/etc/pam.d/system-auth</code> to show <code>retry=<xccdf-1.2:s...Rule Medium Severity -
Disable debug-shell SystemD Service
SystemD's <code>debug-shell</code> service is intended to diagnose SystemD related boot issues with various <code>systemctl</code> commands. Once enabled and following a system reboot, the root she...Rule Medium Severity -
Disable Ctrl-Alt-Del Burst Action
By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds. <br> <br> To configure the s...Rule High Severity -
Verify /boot/grub2/user.cfg Permissions
File permissions for <code>/boot/grub2/user.cfg</code> should be set to 600. To properly set the permissions of <code>/boot/grub2/user.cfg</code>, run the command: <pre>$ sudo chmod 600 /boot/grub...Rule Medium Severity -
Configure Logind to terminate idle sessions after certain time of inactivity
To configure <code>logind</code> service to terminate inactive user sessions after <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_logind_session_timeout" use="legacy"></xccdf-1.2:sub>...Rule Medium Severity -
Install the tmux Package
To enable console screen locking, install the <code>tmux</code> package. The <code>tmux</code> package can be installed with the following command: <pre> $ sudo dnf install tmux</pre> A session loc...Rule Medium Severity -
Set Account Expiration Parameters
Accounts can be configured to be automatically disabled after a certain time period, meaning that they will require administrator interaction to become usable again. Expiration of accounts after in...Group -
Set Account Expiration Following Inactivity
To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in <code>/etc/default/useradd</code>:...Rule Medium Severity -
Maximum Root Password Age
Maximum age of password in days for the root accountValue -
Set Password Maximum Age
To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MAX_DAYS <xccdf-1.2:sub idref="xccdf_org.ssgproject.con...Rule Medium Severity -
Set Root Account Password Maximum Age
Configure the root account to enforce a <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_root" use="legacy"></xccdf-1.2:sub>-day maximum password lifetime restricti...Rule Medium Severity -
Direct root Logins Not Allowed
To further limit access to the <code>root</code> account, administrators can disable root logins at the console by editing the <code>/etc/securetty</code> file. This file lists all devices the root...Rule Medium Severity -
Ensure the Logon Failure Delay is Set Correctly in login.defs
To ensure the logon failure delay controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>FAIL_DELAY</code> setting in <code>/etc/login.defs</code> to read as follows: ...Rule Medium Severity -
Limit the Number of Concurrent Login Sessions Allowed Per User
Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurr...Rule Low Severity -
Set Interactive Session Timeout
Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that all user sessions will terminate based on inactivity. The value of TMOUT should be exported and read only. The <code>...Rule Medium Severity -
User Initialization Files Must Be Group-Owned By The Primary Group
Change the group owner of interactive users files to the group found in <pre>/etc/passwd</pre> for the user. To change the group owner of a local interactive user home directory, use the following ...Rule Medium Severity -
User Initialization Files Must Be Owned By the Primary User
Set the owner of the user initialization files for interactive users to the primary owner with the following command: <pre>$ sudo chown <i>USER</i> /home/<i>USER</i>/.*</pre> This rule ensures eve...Rule Medium Severity -
All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group
Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive users files and directories...Rule Medium Severity -
All User Files and Directories In The Home Directory Must Have a Valid Owner
Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories. To assign a valid owner to a local interactive us...Rule Medium Severity -
Verify the UEFI Boot Loader grub.cfg Group Ownership
The file <code>/boot/grub2/grub.cfg</code> should be group-owned by the <code>root</code> group to prevent destruction or modification of the file. To properly set the group owner of <code>/boot/g...Rule Medium Severity -
Ensure that No Dangerous Directories Exist in Root's Path
The active path of the root account can be obtained by starting a new root shell and running: <pre># echo $PATH</pre> This will produce a colon-separated list of directories in the path. <br> ...Group -
Ensure the Default Umask is Set Correctly in /etc/profile
To ensure the default umask controlled by <code>/etc/profile</code> is set properly, add or correct the <code>umask</code> setting in <code>/etc/profile</code> to read as follows: <pre>umask <xccdf...Rule Medium Severity -
AppArmor
Many security vulnerabilities result from bugs in trusted programs. A trusted program runs with privileges that attackers want to possess. The program fails to keep that trust if there is a bug in ...Group -
Ensure AppArmor is installed
AppArmor provide Mandatory Access Controls.Rule Medium Severity -
Install the pam_apparmor Package
Thepam_apparmorpackage can be installed with the following command:$ sudo dnf install pam_apparmor
Rule Medium Severity -
Enforce all AppArmor Profiles
AppArmor profiles define what resources applications are able to access. To set all profiles to enforce mode run the following command: <pre>$ sudo aa-enforce /etc/apparmor.d/*</pre> To list unconf...Rule Medium Severity -
Ensure AppArmor is Active and Configured
Verify that the Apparmor tool is configured to control whitelisted applications and user home directory access control.<br> <br> The <code>apparmor</code> service can be enabled with the fo...Rule Medium Severity -
Ensure AppArmor is enabled in the bootloader configuration
Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Note: This recommendation is designed around the grub bootloader, if LI...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.