Skip to content

Guide to the Secure Configuration of Red Hat Enterprise Linux 7

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Verify /boot/grub2/user.cfg User Ownership

    The file <code>/boot/grub2/user.cfg</code> should be owned by the <code>root</code> user to prevent reading or modification of the file. To proper...
    Rule Medium Severity
  • Disable merging of slabs with similar size

    The kernel may merge similar slabs together to reduce overhead and increase cache hotness of objects. Disabling merging of slabs keeps the slabs se...
    Rule Medium Severity
  • Configure Speculative Store Bypass Mitigation

    Certain CPUs are vulnerable to an exploit against a common wide industry wide performance optimization known as Speculative Store Bypass (SSB). In...
    Rule Medium Severity
  • Enforce Spectre v2 mitigation

    Spectre V2 is an indirect branch poisoning attack that can lead to data leakage. An exploit for Spectre V2 tricks the indirect branch predictor int...
    Rule High Severity
  • Ensure debug-shell service is not enabled during boot

    systemd's <code>debug-shell</code> service is intended to diagnose systemd related boot issues with various <code>systemctl</code> commands. Once e...
    Rule Medium Severity
  • Disable vsyscalls

    To disable use of virtual syscalls, add the argument <code>vsyscall=none</code> to the default GRUB 2 command line for the Linux operating system. ...
    Rule Medium Severity
  • Non-UEFI GRUB2 bootloader configuration

    Non-UEFI GRUB2 bootloader configuration
    Group
  • Verify /boot/grub2/grub.cfg Group Ownership

    The file <code>/boot/grub2/grub.cfg</code> should be group-owned by the <code>root</code> group to prevent destruction or modification of the file....
    Rule Medium Severity
  • Verify /boot/grub2/grub.cfg Permissions

    File permissions for <code>/boot/grub2/grub.cfg</code> should be set to 600. To properly set the permissions of <code>/boot/grub2/grub.cfg</code>,...
    Rule Medium Severity
  • Verify /boot/grub2/user.cfg Permissions

    File permissions for <code>/boot/grub2/user.cfg</code> should be set to 600. To properly set the permissions of <code>/boot/grub2/user.cfg</code>,...
    Rule Medium Severity
  • cluster_use_execmem SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
  • Set the Boot Loader Admin Username to a Non-Default Value

    The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> To maximize the prote...
    Rule High Severity
  • Boot Loader Is Not Installed On Removeable Media

    The system must not allow removable media to be used as the boot loader. Remove alternate methods of booting the system from removable media. <code...
    Rule Medium Severity
  • Set Boot Loader Password in grub2

    The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> Since plaintext passw...
    Rule High Severity
  • UEFI GRUB2 bootloader configuration

    UEFI GRUB2 bootloader configuration
    Group
  • Verify the UEFI Boot Loader grub.cfg Group Ownership

    The file <code>/boot/efi/EFI/redhat/grub.cfg</code> should be group-owned by the <code>root</code> group to prevent destruction or modification of ...
    Rule Medium Severity
  • Verify /boot/efi/EFI/redhat/user.cfg Group Ownership

    The file <code>/boot/efi/EFI/redhat/user.cfg</code> should be group-owned by the <code>root</code> group to prevent reading or modification of the ...
    Rule Medium Severity
  • Verify the UEFI Boot Loader grub.cfg User Ownership

    The file <code>/boot/efi/EFI/redhat/grub.cfg</code> should be owned by the <code>root</code> user to prevent destruction or modification of the fil...
    Rule Medium Severity
  • Verify /boot/efi/EFI/redhat/user.cfg User Ownership

    The file <code>/boot/efi/EFI/redhat/user.cfg</code> should be owned by the <code>root</code> user to prevent reading or modification of the file. ...
    Rule Medium Severity
  • Verify the UEFI Boot Loader grub.cfg Permissions

    File permissions for <code>/boot/efi/EFI/redhat/grub.cfg</code> should be set to 700. To properly set the permissions of <code>/boot/efi/EFI/redha...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules