Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Rules, Groups, and Values defined within the XCCDF Benchmark
-
How to Use This Guide
Readers should heed the following points when using the guide.Group -
Formatting Conventions
Commands intended for shell execution, as well as configuration file text, are featured in a <code>monospace font</code>. <i>Italics</i> are used to indicate instances where the system administrato...Group -
Read Sections Completely and in Order
Each section may build on information and recommendations discussed in prior sections. Each section should be read and understood completely; instructions should never be blindly applied. Relevant ...Group -
Reboot Required
A system reboot is implicitly required after some actions in order to complete the reconfiguration of the system. In many cases, the changes will not take effect until a reboot is performed. In ord...Group -
Root Shell Environment Assumed
Most of the actions listed in this document are written with the assumption that they will be executed by the root user running the <code>/bin/bash</code> shell. Commands preceded with a hash mark ...Group -
Test in Non-Production Environment
This guidance should always be tested in a non-production environment before deployment. This test environment should simulate the setup in which the system will be deployed as closely as possible.Group -
System Audit Logs Must Be Owned By Root
All audit logs must be owned by root user. The path for audit log can be configured via <code>log_file</code> parameter in <pre>/etc/audit/auditd.conf</pre> or by default, the path for audit log is...Rule Medium Severity -
Ensure Base Chains Exist for Nftables
Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six families. Chains are containers for rules. They exist i...Rule Medium Severity -
Set nftables Configuration for Loopback Traffic
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.Rule Medium Severity -
Network Manager
The NetworkManager daemon configures a variety of network connections. This section discusses how to configure NetworkManager.Group -
NetoworkManager DNS Mode
This sets how NetworkManager handles DNS. none - NetworkManager will not modify resolv.conf. default - NetworkManager will update /etc/resolv.conf to reflect the nameservers provided by currently...Value -
Allow IMAP Clients to Access the Server
The default <code>firewalld</code> configuration does not allow inbound access to any services. This modification will allow remote hosts to initiate connections to the IMAP daemon, while keeping ...Group -
Uninstall cyrus-imapd Package
Thecyrus-imapdpackage can be removed with the following command:$ sudo yum erase cyrus-imapd
Rule Unknown Severity -
389 Directory Server
389 Directory Server is a popular open-source LDAP server for Linux.Group -
Uninstall 389-ds-base Package
The 389-ds-base RPM is not installed by default on a Red Hat Enterprise Linux 7 system. It is needed only by the 389-ds server, not by the clients which use LDAP for authentication. If the system i...Rule Low Severity -
Disable ypserv Service
The <code>ypserv</code> service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The <code>ypserv</code> service can be disabled with the following command:...Rule Medium Severity -
SSH Strong MACs by FIPS
Specify the FIPS approved MACs (Message Authentication Code) algorithms that are used for data integrity protection by the SSH server.Value -
Remove SSH Server firewalld Firewall exception (Unusual)
By default, inbound connections to SSH's port are allowed. If the SSH server is not being used, this exception should be removed from the firewall configuration. <br><br> To configure <code>firewa...Rule Unknown Severity -
Verify File Hashes with RPM
Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed...Rule High Severity -
Ensure /dev/shm is configured
The <code>/dev/shm</code> is a traditional shared memory concept. One program will create a memory portion, which other processes (if permitted) can access. If <code>/dev/shm</code> is not configur...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules