Skip to content

Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Ensure Security of Postfix SSL Certificate

    Create the PKI directory for mail certificates, if it does not already exist: <pre>$ sudo mkdir /etc/pki/tls/mail $ sudo chown root:root /etc/pki/t...
    Group
  • Configure Postfix if Necessary

    Postfix stores its configuration files in the directory /etc/postfix by default. The primary configuration file is /etc/postfix/main.cf.
    Group
  • Configure Postfix Resource Usage to Limit Denial of Service Attacks

    Edit <code>/etc/postfix/main.cf</code>. Edit the following lines to configure the amount of system resources Postfix can consume: <pre>default_proc...
    Group
  • Control Mail Relaying

    Postfix's mail relay controls are implemented with the help of the smtpd recipient restrictions option, which controls the restrictions placed on t...
    Group
  • Enact SMTP Recipient Restrictions

    To configure Postfix to restrict addresses to which it will send mail, see: <a href="http://www.postfix.org/SMTPD_ACCESS_README.html#danger">h...
    Group
  • Enact SMTP Relay Restrictions

    To configure Postfix to restrict addresses to which it will send mail, see: <a href="http://www.postfix.org/SMTPD_ACCESS_README.html#danger">h...
    Group
  • Use TLS for SMTP AUTH

    Postfix provides options to use TLS for certificate-based authentication and encrypted sessions. An encrypted session protects the information that...
    Group
  • Configure Trusted Networks and Hosts

    Edit <code>/etc/postfix/main.cf</code>, and configure the contents of the <code>mynetworks</code> variable in one of the following ways: <ul> <li>I...
    Group
  • Require SMTP AUTH Before Relaying from Untrusted Clients

    SMTP authentication allows remote clients to relay mail safely by requiring them to authenticate before submitting mail. Postfix's SMTP AUTH uses a...
    Group
  • Rlogin, Rsh, and Rexec

    The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.
    Group
  • Disable netfs if Possible

    To determine if any network filesystems handled by netfs are currently mounted on the system execute the following command: <pre>$ mount -t nfs,nfs...
    Group
  • Disable Network File Systems (netfs)

    The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these fil...
    Rule Unknown Severity
  • Disable Services Used Only by NFS

    If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. <br><br> All of these daemons run with elevated privileges, a...
    Group
  • Configure All Systems which Use NFS

    The steps in this section are appropriate for all systems which run NFS, whether they operate as clients or as servers.
    Group
  • Make Each System a Client or a Server, not Both

    If NFS must be used, it should be deployed in the simplest configuration possible to avoid maintainability problems which may lead to unnecessary s...
    Group
  • Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)

    Firewalling should be done at each host and at the border firewalls to protect the NFS daemons from remote access, since NFS servers should never b...
    Group
  • Configure NFS Clients

    The steps in this section are appropriate for systems which operate as NFS clients.
    Group
  • Disable NFS Server Daemons

    There is no need to run the NFS server daemons <code>nfs</code> and <code>rpcsvcgssd</code> except on a small number of properly secured systems de...
    Group
  • Mount Remote Filesystems with Restrictive Options

    Edit the file <code>/etc/fstab</code>. For each filesystem whose type (column 3) is <code>nfs</code> or <code>nfs4</code>, add the text <code>,node...
    Group
  • Configure NFS Servers

    The steps in this section are appropriate for systems which operate as NFS servers.
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules