Guide to the Secure Configuration of Red Hat Enterprise Linux 7

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Authenticate Zone Transfers

    If it is necessary for a secondary nameserver to receive zone data via zone transfer from the primary server, follow the instructions here. Use dn...
    Rule Medium Severity
  • Disable Dynamic Updates

    Is there a mission-critical reason to enable the risky dynamic update functionality? If not, edit /etc/named.conf. For each zone speci...
    Rule Unknown Severity
  • Disable Zone Transfers from the Nameserver

    Is it necessary for a secondary nameserver to receive zone data via zone transfer from the primary server? If not, follow the instructions in this...
    Rule Unknown Severity
  • Use Views to Partition External and Internal Information

    If it is not possible to run external and internal nameservers on separate physical systems, run BIND9 and simulate this feature using views. Edit ...
    Group
  • Run Separate DNS Servers for External and Internal Queries

    Is it possible to run external and internal nameservers on separate systems? If so, follow the configuration guidance in this section. On the exter...
    Group
  • Docker Service

    The docker service is necessary to create containers, which are self-sufficient and self-contained applications using the resource isolation fe...
    Group
  • Install the docker Package

    The docker package provides necessary software to create containers, which are self-sufficient and self-contained applications using the resource i...
    Rule Medium Severity
  • Enable the Docker service

    The docker service is commonly needed to create containers. The docker service can be enabled with the following command: $ su...
    Rule Medium Severity
  • Ensure SELinux support is enabled in Docker

    To enable SELinux for the Docker service, the Docker service must be configured to run the Docker daemon with --selinux-enabled op...
    Rule High Severity
  • fapolicyd Must be Configured to Limit Access to Users Home Folders

    fapolicyd needs to be configured so that users cannot give access to their home folders to other users.
    Rule Medium Severity
  • FTP Server

    FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data...
    Group
  • Disable vsftpd if Possible

    To minimize attack surface, disable vsftpd if at all possible.
    Group
  • Uninstall vsftpd Package

    The vsftpd package can be removed with the following command:
    $ sudo yum erase vsftpd
    Rule High Severity
  • Disable vsftpd Service

    The vsftpd service can be disabled with the following command:
    $ sudo systemctl mask --now vsftpd.service
    Rule Medium Severity
  • Configure vsftpd to Provide FTP Service if Necessary

    The primary vsftpd configuration file is /etc/vsftpd.conf, if that file exists, or /etc/vsftpd/vsftpd.conf if it does not.
    Group
  • Disable FTP Uploads if Possible

    Is there a mission-critical reason for users to upload files via FTP? If not, edit the vsftpd configuration file to add or correct the following co...
    Rule Unknown Severity
  • Place the FTP Home Directory on its Own Partition

    By default, the anonymous FTP root is the home directory of the FTP user account. The df command can be used to verify that this directory is on it...
    Rule Unknown Severity
  • Enable Logging of All FTP Transactions

    Add or correct the following configuration options within the vsftpd configuration file, located at /etc/vsftpd/vsftpd.conf...
    Rule Unknown Severity
  • Create Warning Banners for All FTP Users

    Edit the vsftpd configuration file, which resides at /etc/vsftpd/vsftpd.conf by default. Add or correct the following configuration ...
    Rule Medium Severity
  • Restrict the Set of Users Allowed to Access FTP

    This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to do this entirely due to legacy applic...
    Group