Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Configure NFS Clients
The steps in this section are appropriate for systems which operate as NFS clients.Group -
Disable NFS Server Daemons
There is no need to run the NFS server daemons <code>nfs</code> and <code>rpcsvcgssd</code> except on a small number of properly secured systems de...Group -
Disable Network File System (nfs)
The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is...Rule Unknown Severity -
Disable Secure RPC Server Service (rpcsvcgssd)
The rpcsvcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd service ...Rule Unknown Severity -
Specify UID and GID for Anonymous NFS Connections
To specify the UID and GID for remote root users, edit the <code>/etc/exports</code> file and add the following for each export: <pre> anonuid=<cod...Rule Unknown Severity -
Mount Remote Filesystems with Kerberos Security
Add the <code>sec=krb5:krb5i:krb5p</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of any NFS mo...Rule Medium Severity -
Use Access Lists to Enforce Authorization Restrictions
When configuring NFS exports, ensure that each export line in <code>/etc/exports</code> contains a list of hosts which are allowed to access that e...Group -
Mount Remote Filesystems with noexec
Add thenoexecoption to the fourth column of/etc/fstabfor the line which controls mounting of any NFS mounts.Rule Medium Severity -
Mount Remote Filesystems with nosuid
Add thenosuidoption to the fourth column of/etc/fstabfor the line which controls mounting of any NFS mounts.Rule Medium Severity -
Configure NFS Servers
The steps in this section are appropriate for systems which operate as NFS servers.Group -
Ensure All-Squashing Disabled On All Exports
The <code>all_squash</code> maps all uids and gids to an anonymous user. This should be disabled by removing any instances of the <code>all_squash<...Rule Low Severity -
Ensure Insecure File Locking is Not Allowed
By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients s...Rule Medium Severity -
Restrict NFS Clients to Privileged Ports
By default, the server NFS implementation requires that all client requests be made from ports less than 1024. If your organization has control ove...Rule Unknown Severity -
Use Kerberos Security on All Exports
Using Kerberos on all exported mounts prevents a malicious client or user from impersonating a system user. To cryptography authenticate users to t...Rule Medium Severity -
Use Root-Squashing on All Exports
If a filesystem is exported using root squashing, requests from root on the client are considered to be unprivileged (mapped to a user such as nobo...Rule Unknown Severity -
Configure the Exports File Restrictively
Linux's NFS implementation uses the file <code>/etc/exports</code> to control what filesystems and directories may be accessed via NFS. (See the <c...Group -
Export Filesystems Read-Only if Possible
If a filesystem is being exported so that users can view the files in a convenient fashion, but there is no need for users to edit those files, exp...Group -
Vendor Approved Time pools
The list of vendor-approved pool serversValue -
Vendor Approved Time Servers
The list of vendor-approved time serversValue -
Maximum NTP or Chrony Poll
The maximum NTP or Chrony poll interval number in seconds specified as a power of two.Value
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.