Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Disable the virt_transition_userdomain SELinux Boolean
By default, the SELinux boolean <code>virt_transition_userdomain</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>virt_transition_userdomain</code> SELin...Rule Medium Severity -
Disable the xdm_write_home SELinux Boolean
By default, the SELinux boolean <code>xdm_write_home</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>xdm_write_home</code> SELinux boolean, run the foll...Rule Medium Severity -
Disable the xguest_connect_network SELinux Boolean
By default, the SELinux boolean <code>xguest_connect_network</code> is enabled. This setting should be disabled as guest users should not be able to configure <code>NetworkManager</code>. To disab...Rule Medium Severity -
Disable the zoneminder_run_sudo SELinux Boolean
By default, the SELinux boolean <code>zoneminder_run_sudo</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>zoneminder_run_sudo</code> SELinux boolean, ru...Rule Medium Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Red Hat Enterprise Linux 8 installs on a system and disable softwar...Group -
Disable Avahi Server Software
Theavahi-daemonservice can be disabled with the following command:$ sudo systemctl mask --now avahi-daemon.service
Rule Medium Severity -
Disable Automatic Bug Reporting Tool (abrtd)
The Automatic Bug Reporting Tool (<code>abrtd</code>) daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to syst...Rule Medium Severity -
Verify Group Who Owns cron.daily
To properly set the group owner of/etc/cron.daily, run the command:$ sudo chgrp root /etc/cron.daily
Rule Medium Severity -
Disable Cyrus SASL Authentication Daemon (saslauthd)
The <code>saslauthd</code> service handles plaintext authentication requests on behalf of the SASL library. The service isolates all code requiring superuser privileges for SASL authentication into...Rule Low Severity -
Name Service Switch does not use NIS
Each call to a function which retrieves data from a system database like the password or group database is handled by the Name Service Switch implementation in the GNU C library. The various servi...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules