Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Disable Secure RPC Server Service (rpcsvcgssd)
The rpcsvcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd service ...Rule Unknown Severity -
Specify UID and GID for Anonymous NFS Connections
To specify the UID and GID for remote root users, edit the <code>/etc/exports</code> file and add the following for each export: <pre> anonuid=<cod...Rule Unknown Severity -
Mount Remote Filesystems with Restrictive Options
Edit the file <code>/etc/fstab</code>. For each filesystem whose type (column 3) is <code>nfs</code> or <code>nfs4</code>, add the text <code>,node...Group -
Mount Remote Filesystems with Kerberos Security
Add the <code>sec=krb5:krb5i:krb5p</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of any NFS mo...Rule Medium Severity -
Mount Remote Filesystems with nodev
Add thenodevoption to the fourth column of/etc/fstabfor the line which controls mounting of any NFS mounts.Rule Medium Severity -
Mount Remote Filesystems with noexec
Add thenoexecoption to the fourth column of/etc/fstabfor the line which controls mounting of any NFS mounts.Rule Medium Severity -
Specify Additional Remote NTP Servers
Additional NTP servers can be specified for time synchronization in the file <code>/etc/ntp.conf</code>. To do so, add additional lines of the fol...Rule Unknown Severity -
Mount Remote Filesystems with nosuid
Add thenosuidoption to the fourth column of/etc/fstabfor the line which controls mounting of any NFS mounts.Rule Medium Severity -
Configure NFS Servers
The steps in this section are appropriate for systems which operate as NFS servers.Group -
Ensure All-Squashing Disabled On All Exports
The <code>all_squash</code> maps all uids and gids to an anonymous user. This should be disabled by removing any instances of the <code>all_squash<...Rule Low Severity -
Ensure Insecure File Locking is Not Allowed
By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients s...Rule Medium Severity -
Restrict NFS Clients to Privileged Ports
By default, the server NFS implementation requires that all client requests be made from ports less than 1024. If your organization has control ove...Rule Unknown Severity -
Use Kerberos Security on All Exports
Using Kerberos on all exported mounts prevents a malicious client or user from impersonating a system user. To cryptography authenticate users to t...Rule Medium Severity -
Use Root-Squashing on All Exports
If a filesystem is exported using root squashing, requests from root on the client are considered to be unprivileged (mapped to a user such as nobo...Rule Unknown Severity -
Configure the Exports File Restrictively
Linux's NFS implementation uses the file <code>/etc/exports</code> to control what filesystems and directories may be accessed via NFS. (See the <c...Group -
Export Filesystems Read-Only if Possible
If a filesystem is being exported so that users can view the files in a convenient fashion, but there is no need for users to edit those files, exp...Group -
Use Access Lists to Enforce Authorization Restrictions
When configuring NFS exports, ensure that each export line in <code>/etc/exports</code> contains a list of hosts which are allowed to access that e...Group -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...Group -
Vendor Approved Time pools
The list of vendor-approved pool serversValue -
Vendor Approved Time Servers
The list of vendor-approved time serversValue
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.