Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server
Configure SSSD to demand a valid certificate from the server to protect the integrity of LDAP remote access sessions by setting the <pre>ldap_tls_r...Rule Medium Severity -
Configure SSSD LDAP Backend to Use TLS For All Transactions
The LDAP client should be configured to implement TLS for the integrity of all remote LDAP authentication sessions. If the <code>id_provider</code>...Rule High Severity -
USBGuard daemon
The USBGuard daemon enforces the USB device authorization policy for all USB devices.Group -
Install usbguard Package
Theusbguardpackage can be installed with the following command:$ sudo yum install usbguard
Rule Medium Severity -
Enable the USBGuard Service
The USBGuard service should be enabled. The <code>usbguard</code> service can be enabled with the following command: <pre>$ sudo systemctl enable ...Rule Medium Severity -
Log USBGuard daemon audit events using Linux Audit
To configure USBGuard daemon to log via Linux Audit (as opposed directly to a file), <code>AuditBackend</code> option in <code>/etc/usbguard/usbgua...Rule Low Severity -
Authorize Human Interface Devices in USBGuard daemon
To allow authorization of Human Interface Devices (keyboard, mouse) by USBGuard daemon, add the line <code>allow with-interface match-all { 03:*:* ...Rule Medium Severity -
Authorize Human Interface Devices and USB hubs in USBGuard daemon
To allow authorization of USB devices combining human interface device and hub capabilities by USBGuard daemon, add the line <code>allow with-inter...Rule Medium Severity -
Authorize USB hubs in USBGuard daemon
To allow authorization of USB hub devices by USBGuard daemon, add line <code>allow with-interface match-all { 09:00:* }</code> to <code>/etc/usbgua...Rule Medium Severity -
Generate USBGuard Policy
By default USBGuard when enabled prevents access to all USB devices and this lead to inaccessible system if they use USB mouse/keyboard. To prevent...Rule Medium Severity -
X Window System
The X Window System implementation included with the system is called X.org.Group -
Remove the X Windows Package Group
By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot ...Rule Medium Severity -
Disable graphical user interface
By removing the following packages, the system no longer has X Windows installed. <code>xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-serv...Rule Medium Severity -
Disable X Windows Startup By Setting Default Target
Systems that do not require a graphical user interface should only boot by default into <code>multi-user.target</code> mode. This prevents accident...Rule Medium Severity -
Introduction
The purpose of this guidance is to provide security configuration recommendations and baselines for the Red Hat Enterprise Linux 8 operating system...Group -
General Principles
The following general principles motivate much of the advice in this guide and should also influence any configuration decisions that are not expli...Group -
Encrypt Transmitted Data Whenever Possible
Data transmitted over a network, whether wired or wireless, is susceptible to passive monitoring. Whenever practical solutions for encrypting such ...Group -
Least Privilege
Grant the least privilege necessary for user accounts and software to perform tasks. For example, <code>sudo</code> can be implemented to limit aut...Group -
Minimize Software to Minimize Vulnerability
The simplest way to avoid vulnerabilities in software is to avoid installing that software. On Red Hat Enterprise Linux 8,the RPM Package Manager (...Group -
Run Different Network Services on Separate Systems
Whenever possible, a server should be dedicated to serving exactly one network service. This limits the number of other services that can be compro...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.