Skip to content
ATO Pathways
  Log In

Guide to the Secure Configuration of Red Hat Enterprise Linux 7

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Ensure that chronyd is running under chrony user account

    chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and us...
    Rule Medium Severity
    Show

  • Ensure Chrony is only configured with the server directive

    Check that Chrony only has time sources configured with the server directive.
    Rule Medium Severity
    Show

  • A remote time server for Chrony is configured

    <code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of s...
    Rule Medium Severity
    Show

  • Configure server restrictions for ntpd

    ntpd is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use ...
    Rule Medium Severity
    Show

  • Configure ntpd To Run As ntp User

    ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a...
    Rule Medium Severity
    Show

  • Specify a Remote NTP Server

    To specify a remote NTP server for time synchronization, edit the file <code>/etc/ntp.conf</code>. Add or correct the following lines, substituting...
    Rule Medium Severity
    Show

  • Obsolete Services

    This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or...
    Group
    Show

  • Uninstall rsync Package

    The rsyncd service can be used to synchronize files between systems over network links. The <code>rsync</code> package can be removed with the foll...
    Rule Medium Severity
    Show

  • Ensure rsyncd service is disabled

    The rsyncd service can be disabled with the following command: 
    $ sudo systemctl mask --now rsyncd.service
    Rule Medium Severity
    Show

  • Xinetd

    The <code>xinetd</code> service acts as a dedicated listener for some network services (mostly, obsolete ones) and can be used to provide access co...
    Group
    Show

  • Install tcp_wrappers Package

    When network services are using the <code>xinetd</code> service, the <code>tcp_wrappers</code> package should be installed. The <code>tcp_wrappers<...
    Rule Medium Severity
    Show

  • Uninstall xinetd Package

    The xinetd package can be removed with the following command: 
    $ sudo yum erase xinetd
    Rule Low Severity
    Show

  • Disable xinetd Service

    The xinetd service can be disabled with the following command: 
    $ sudo systemctl mask --now xinetd.service
    Rule Medium Severity
    Show

  • Ensure /etc/hosts.deny is configured

    The file <code>/etc/hosts.deny</code> together with <code>/etc/hosts.allow</code> provides a simple access control mechanism for network services s...
    Rule Medium Severity
    Show

  • Verify Group Ownership of /etc/hosts.allow

    To properly set the group owner of /etc/hosts.allow, run the command: 
    $ sudo chgrp root /etc/hosts.allow
    Rule Medium Severity
    Show

  • Verify Group Ownership of /etc/hosts.deny

    To properly set the group owner of /etc/hosts.deny, run the command: 
    $ sudo chgrp root /etc/hosts.deny
    Rule Medium Severity
    Show

  • Verify Ownership of /etc/hosts.allow

    To properly set the owner of /etc/hosts.allow, run the command: 
    $ sudo chown root /etc/hosts.allow
    Rule Medium Severity
    Show

  • Verify Permissions on /etc/hosts.allow

    To properly set the permissions of /etc/hosts.allow, run the command: 
    $ sudo chmod 0644 /etc/hosts.allow
    Rule Medium Severity
    Show

  • Verify Permissions on /etc/hosts.deny

    To properly set the permissions of /etc/hosts.deny, run the command: 
    $ sudo chmod 0644 /etc/hosts.deny
    Rule Medium Severity
    Show

  • NIS

    The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and oth...
    Group
    Show

  • Remove NIS Client

    The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system conf...
    Rule Unknown Severity
    Show

  • Uninstall ypserv Package

    The ypserv package can be removed with the following command: 
    $ sudo yum erase ypserv
    Rule High Severity
    Show

  • Disable ypbind Service

    The <code>ypbind</code> service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The <code>ypbind</code> s...
    Rule Medium Severity
    Show

  • Rlogin, Rsh, and Rexec

    The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.
    Group
    Show

  • Uninstall rsh-server Package

    The rsh-server package can be removed with the following command: 
    $ sudo yum erase rsh-server
    Rule High Severity
    Show

  • Uninstall rsh Package

    The rsh package contains the client commands for the rsh services
    Rule Unknown Severity
    Show

  • Disable rexec Service

    The <code>rexec</code> service, which is available with the <code>rsh-server</code> package and runs as a service through xinetd or separately as a...
    Rule High Severity
    Show

  • Disable rlogin Service

    The <code>rlogin</code> service, which is available with the <code>rsh-server</code> package and runs as a service through xinetd or separately as ...
    Rule High Severity
    Show

  • Disable rsh Service

    The <code>rsh</code> service, which is available with the <code>rsh-server</code> package and runs as a service through xinetd or separately as a s...
    Rule High Severity
    Show

  • Uninstall squid Package

    The squid package can be removed with the following command: 
     $ sudo yum erase squid
    Rule Unknown Severity
    Show

  • Remove Host-Based Authentication Files

    The <code>shosts.equiv</code> file lists remote hosts and users that are trusted by the local system. To remove these files, run the following comm...
    Rule High Severity
    Show

  • Remove Rsh Trust Files

    The files <code>/etc/hosts.equiv</code> and <code>~/.rhosts</code> (in each user's home directory) list remote hosts and users that are trusted by ...
    Rule High Severity
    Show

  • Remove User Host-Based Authentication Files

    The <code>~/.shosts</code> (in each user's home directory) files list remote hosts and users that are trusted by the local system. To remove these ...
    Rule High Severity
    Show

  • Chat/Messaging Services

    The talk software makes it possible for users to send and receive messages across systems through a terminal session.
    Group
    Show

  • Uninstall talk-server Package

    The talk-server package can be removed with the following command: 
     $ sudo yum erase talk-server
    Rule Medium Severity
    Show

  • Uninstall talk Package

    The <code>talk</code> package contains the client program for the Internet talk protocol, which allows the user to chat with other users on differe...
    Rule Medium Severity
    Show

  • Telnet

    The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication informat...
    Group
    Show

  • Uninstall telnet-server Package

    The telnet-server package can be removed with the following command: 
    $ sudo yum erase telnet-server
    Rule High Severity
    Show

  • Remove telnet Clients

    The telnet client allows users to start connections to other systems via the telnet protocol.
    Rule Low Severity
    Show

  • Disable telnet Service

    Make sure that the activation of the <code>telnet</code> service on system boot is disabled. The <code>telnet</code> socket can be disabled with t...
    Rule High Severity
    Show

  • TFTP Server

    TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides littl...
    Group
    Show

  • TFTP server secure directory

    Specify the directory which is used by TFTP server as a root directory when running in secure mode.
    Value
    Show

  • Disable Squid

    The squid service can be disabled with the following command: 
    $ sudo systemctl mask --now squid.service
    Rule Unknown Severity
    Show

  • Uninstall tftp-server Package

    The tftp-server package can be removed with the following command: 
     $ sudo yum erase tftp-server
    Rule High Severity
    Show

  • Remove tftp Daemon

    Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files betw...
    Rule Low Severity
    Show

  • Disable tftp Service

    The <code>tftp</code> service should be disabled. The <code>tftp</code> service can be disabled with the following command: <pre>$ sudo systemctl ...
    Rule High Severity
    Show

  • Ensure tftp Daemon Uses Secure Mode

    If running the Trivial File Transfer Protocol (TFTP) service is necessary, it should be configured to change its root directory at startup. To do s...
    Rule Medium Severity
    Show

  • Print Support

    The Common Unix Printing System (CUPS) service provides both local and network printing support. A system running the CUPS service can accept print...
    Group
    Show

  • Uninstall CUPS Package

    The cups package can be removed with the following command: 
    $ sudo yum erase cups
    Rule Unknown Severity
    Show

  • Disable the CUPS Service

    The cups service can be disabled with the following command: 
    $ sudo systemctl mask --now cups.service
    Rule Unknown Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules