Skip to content
ATO Pathways
  Log In

Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Install the Samba Common Package

    The <code>samba-common</code> package should be installed. The <code>samba-common</code> package can be installed with the following command: <pre>...
    Rule Medium Severity
    Show

  • Uninstall net-snmp Package

    The <code>net-snmp</code> package provides the snmpd service. The <code>net-snmp</code> package can be removed with the following command: <pre> $...
    Rule Unknown Severity
    Show

  • SSH Strong MACs by FIPS

    Specify the FIPS approved MACs (Message Authentication Code) algorithms that are used for data integrity protection by the SSH server.
    Value
    Show

  • Install the OpenSSH Server Package

    The <code>openssh-server</code> package should be installed. The <code>openssh-server</code> package can be installed with the following command: <...
    Rule Medium Severity
    Show

  • Verify and Correct Ownership with RPM

    The RPM package management system can check file ownership permissions of installed software packages, including many that are important to system ...
    Rule High Severity
    Show

  • Install the dracut-fips-aesni Package

    To enable FIPS on system that support the Advanced Encryption Standard (AES) or New Instructions (AES-NI) engine, the system requires that the <cod...
    Rule Medium Severity
    Show

  • Enable FIPS Mode in GRUB2

    To ensure FIPS mode is enabled, install package <code>dracut-fips</code>, and rebuild <code>initramfs</code> by running the following commands: <pr...
    Rule High Severity
    Show

  • Ensure /dev/shm is configured

    The <code>/dev/shm</code> is a traditional shared memory concept. One program will create a memory portion, which other processes (if permitted) ca...
    Rule Low Severity
    Show

  • Install sudo Package

    The sudo package can be installed with the following command: 
    $ sudo dnf install sudo
    Rule Medium Severity
    Show

  • Ensure gnutls-utils is installed

    The gnutls-utils package can be installed with the following command: 
    $ sudo dnf install gnutls-utils
    Rule Medium Severity
    Show

  • Updating Software

    The <code>dnf</code> command line tool is used to install and update software packages. The system also provides a graphical software update tool i...
    Group
    Show

  • Ensure PAM Displays Last Logon/Access Notification

    To configure the system to notify users of last logon/access using <code>pam_lastlog</code>, add or correct the <code>pam_lastlog</code> settings i...
    Rule Low Severity
    Show

  • Set Interactive Session Timeout

    Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that all user sessions will terminate based on inactivity. The value of ...
    Rule Medium Severity
    Show

  • Install audispd-plugins Package

    The audispd-plugins package can be installed with the following command: 
    $ sudo dnf install audispd-plugins
    Rule Medium Severity
    Show

  • Ensure syslog-ng is Installed

    syslog-ng can be installed in replacement of rsyslog. The <code>syslog-ng-core</code> package can be installed with the following command: <pre> $ ...
    Rule Medium Severity
    Show

  • Record Attempts to Alter Logon and Logout Events

    The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenr...
    Group
    Show

  • Record Attempts to Alter Logon and Logout Events

    The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenr...
    Rule Medium Severity
    Show

  • Record Attempts to Alter Logon and Logout Events - faillock

    The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenr...
    Rule Medium Severity
    Show

  • Type of hostname to record the audit event

    Type of hostname to record the audit event
    Value
    Show

  • Set type of computer node name logging in audit logs

    To configure Audit daemon to use a unique identifier as computer node name in the audit events, set <code>name_format</code> to <code><xccdf-1.2:su...
    Rule Medium Severity
    Show

  • Perform general configuration of Audit for OSPP

    Configure some basic <code>Audit</code> parameters specific for OSPP profile. In particular, configure <code>Audit</code> to watch for direct modif...
    Rule Medium Severity
    Show

  • Restrict unprivileged access to the kernel syslog

    Enforce restrictions on unprivileged users reading the kernel syslog via dmesg(8). The configuration that was used to build kernel is available at...
    Rule Medium Severity
    Show

  • Ensure Log Files Are Owned By Appropriate Group

    The group-owner of all log files written by <code>rsyslog</code> should be <code>root</code>. These log files are determined by the second part of ...
    Rule Medium Severity
    Show

  • Ensure logrotate is Installed

    logrotate is installed by default. The <code>logrotate</code> package can be installed with the following command: <pre> $ sudo dnf install logrota...
    Rule Medium Severity
    Show

  • Install firewalld Package

    The firewalld package can be installed with the following command: 
    $ sudo dnf install firewalld
    Rule Medium Severity
    Show

  • Dectivate firewalld Rules

    Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffi...
    Group
    Show

  • Install iptables-nft Package

    The iptables-nft package can be installed with the following command: 
    $ sudo dnf install iptables-nft
    Rule Medium Severity
    Show

  • Network Manager

    The NetworkManager daemon configures a variety of network connections. This section discusses how to configure NetworkManager.
    Group
    Show

  • NetoworkManager DNS Mode

    This sets how NetworkManager handles DNS. none - NetworkManager will not modify resolv.conf. default - NetworkManager will update /etc/resolv.con...
    Value
    Show

  • Verify that All World-Writable Directories Have Sticky Bits Set

    When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky b...
    Rule Medium Severity
    Show

  • Verify Permissions on group File

    To properly set the permissions of /etc/group, run the command: 
    $ sudo chmod 0644 /etc/group
    Rule Medium Severity
    Show

  • Add nosuid Option to /var

    The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/var</code>. The SUID and SGID permissions should...
    Rule Medium Severity
    Show

  • Install libselinux Package

    The libselinux package can be installed with the following command: 
    $ sudo dnf install libselinux
    Rule High Severity
    Show

  • Uninstall bind Package

    The <code>named</code> service is provided by the <code>bind</code> package. The <code>bind</code> package can be removed with the following comman...
    Rule Low Severity
    Show

  • Install fapolicyd Package

    The fapolicyd package can be installed with the following command: 
    $ sudo dnf install fapolicyd
    Rule Medium Severity
    Show

  • 389 Directory Server

    389 Directory Server is a popular open-source LDAP server for Linux.
    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules