Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Verify Ownership on SSH Server Private *_key Key Files
SSH server private keys, files that match the/etc/ssh/*_keyglob, must be owned byrootuser.Rule Medium Severity -
Verify Ownership on SSH Server Public *.pub Key Files
SSH server public keys, files that match the/etc/ssh/*.pubglob, must be owned byrootuser.Rule Medium Severity -
Verify Permissions on SSH Server config file
To properly set the permissions of/etc/ssh/sshd_config, run the command:$ sudo chmod 0600 /etc/ssh/sshd_config
Rule Medium Severity -
Verify Permissions on SSH Server Private *_key Key Files
SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by t...Rule Medium Severity -
Verify Permissions on SSH Server Public *.pub Key Files
To properly set the permissions of/etc/ssh/*.pub, run the command:$ sudo chmod 0644 /etc/ssh/*.pub
Rule Medium Severity -
Remove SSH Server iptables Firewall exception (Unusual)
By default, inbound connections to SSH's port are allowed. If the SSH server is not being used, this exception should be removed from the firewall ...Rule Unknown Severity -
Disable SSH Support for Rhosts RSA Authentication
SSH can allow authentication through the obsolete rsh command through the use of the authenticating user's SSH keys. This should be disabled. <br><...Rule Medium Severity -
Disable Kerberos Authentication
Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. <br> The default SSH configuration disallow...Rule Medium Severity -
Configure session renegotiation for SSH client
The <code>RekeyLimit</code> parameter specifies how often the session key is renegotiated, both in terms of amount of data that may be transmitted ...Rule Medium Severity -
SSH client uses strong entropy to seed (for CSH like shells)
To set up SSH client to use entropy from a high-quality source, make sure that the appropriate shell environment variable is configured. The <code>...Rule Medium Severity -
SSH client uses strong entropy to seed (Bash-like shells)
To set up SSH client to use entropy from a high-quality source, make sure that the appropriate shell environment variable is configured. The <code>...Rule Medium Severity -
Verify the SSH Private Key Files Have a Passcode
When creating SSH key pairs, always use a passcode. <br> You can create such keys with the following command: <pre>$ sudo ssh-keygen -n [passphrase...Rule Medium Severity -
Configure OpenSSH Server if Necessary
If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_confi...Group -
SSH RekeyLimit - size
Specify the size component of the rekey limit.Value -
SSH RekeyLimit - size
Specify the size component of the rekey limit.Value -
SSH Compression Setting
Specify the compression setting for SSH connections.Value -
SSH Privilege Separation Setting
Specify whether and how sshd separates privileges when handling incoming network connections.Value -
SSH LoginGraceTime setting
Configure parameters for how long the servers stays connected before the user has successfully logged inValue -
SSH MaxStartups setting
Configure parameters for maximum concurrent unauthenticated connections to the SSH daemon.Value -
Set SSH Client Alive Count Max to zero
The SSH server sends at most <code>ClientAliveCountMax</code> messages during a SSH session and waits for a response from the SSH client. The optio...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.