Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
Disable Mounting of squashfs
To configure the system to prevent the <code>squashfs</code> kernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/squashfs.conf</code>: <pre>install squashfs /...Rule Low Severity -
Add noexec Option to /boot
The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/boot</code>. Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code...Rule Medium Severity -
Disable storing core dumps
To set the runtime status of the <code>kernel.core_pattern</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.core_pattern=|/bin/false</pre> To make sure that the sett...Rule Medium Severity -
Configure file name of core dumps
To set the runtime status of the <code>kernel.core_uses_pid</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.core_uses_pid=0</pre> To make sure that the setting is p...Rule Medium Severity -
Limit CPU consumption of the Perf system
To set the runtime status of the <code>kernel.perf_cpu_time_max_percent</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.perf_cpu_time_max_percent=1</pre> To make su...Rule Medium Severity -
Disable the gluster_anon_write SELinux Boolean
By default, the SELinux boolean <code>gluster_anon_write</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>gluster_anon_write</code> SELinux boolean, run ...Rule Medium Severity -
Limit sampling frequency of the Perf system
To set the runtime status of the <code>kernel.perf_event_max_sample_rate</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.perf_event_max_sample_rate=1</pre> To make ...Rule Medium Severity -
Prevent applications from mapping low portion of virtual memory
To set the runtime status of the <code>vm.mmap_min_addr</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w vm.mmap_min_addr=65536</pre> To make sure that the setting is persi...Rule Medium Severity -
Restrict Exposed Kernel Pointer Addresses Access
To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_restrict=<xccdf-1.2:sub idref="xccdf_org.ssgproject...Rule Medium Severity -
Enable page allocator poisoning
To enable poisoning of free pages, add the argument <code>page_poison=1</code> to the default GRUB 2 command line for the Linux operating system. To ensure that <code>page_poison=1</code> is added ...Rule Medium Severity -
Enable SLUB/SLAB allocator poisoning
To enable poisoning of SLUB/SLAB objects, add the argument <code>slub_debug=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_slub_debug_options" use="legacy"></xccdf-1.2:sub> <...Rule Medium Severity -
Uninstall setroubleshoot-plugins Package
The SETroubleshoot plugins are used to analyze SELinux AVC data. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The <code>setroub...Rule Low Severity -
Verify Group Who Owns /etc/selinux Directory
To properly set the group owner of <code>/etc/selinux</code>, run the command: <pre>$ sudo chgrp root /etc/selinux</pre> Rule Medium Severity -
Verify User Who Owns /etc/selinux Directory
To properly set the owner of <code>/etc/selinux</code>, run the command: <pre>$ sudo chown root /etc/selinux</pre> Rule Medium Severity -
Configure the httpd_builtin_scripting SELinux Boolean
By default, the SELinux boolean <code>httpd_builtin_scripting</code> is enabled. This setting should be disabled if <code>httpd</code> is not running <code>php</code> or some similar scripting lan...Rule Medium Severity -
Ensure No Device Files are Unlabeled by SELinux
Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type <code>device_t</code> or <cod...Rule Medium Severity -
Map System Users To The Appropriate SELinux Role
Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. ...Rule Medium Severity -
Disable the abrt_anon_write SELinux Boolean
By default, the SELinux boolean <code>abrt_anon_write</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>abrt_anon_write</code> SELinux boolean, run the fo...Rule Medium Severity -
Disable the abrt_upload_watch_anon_write SELinux Boolean
By default, the SELinux boolean <code>abrt_upload_watch_anon_write</code> is enabled. This setting should be disabled as it allows the Automatic Bug Report Tool (ABRT) to modify public files used f...Rule Medium Severity -
Disable the awstats_purge_apache_log_files SELinux Boolean
By default, the SELinux boolean <code>awstats_purge_apache_log_files</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>awstats_purge_apache_log_files</cod...Rule Medium Severity -
Disable the cron_system_cronjob_use_shares SELinux Boolean
By default, the SELinux boolean <code>cron_system_cronjob_use_shares</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>cron_system_cronjob_use_shares</cod...Rule Medium Severity -
Configure the deny_execmem SELinux Boolean
By default, the SELinux boolean <code>deny_execmem</code> is disabled. This setting should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_deny_execmem" use="legacy"><...Rule Medium Severity -
Enable the domain_fd_use SELinux Boolean
By default, the SELinux boolean <code>domain_fd_use</code> is enabled. If this setting is disabled, it should be enabled. To enable the <code>domain_fd_use</code> SELinux boolean, run the followin...Rule Medium Severity -
Disable the domain_kernel_load_modules SELinux Boolean
By default, the SELinux boolean <code>domain_kernel_load_modules</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>domain_kernel_load_modules</code> SELin...Rule Medium Severity -
Disable the ftpd_use_nfs SELinux Boolean
By default, the SELinux boolean <code>ftpd_use_nfs</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>ftpd_use_nfs</code> SELinux boolean, run the followin...Rule Medium Severity -
Disable the ftpd_use_passive_mode SELinux Boolean
By default, the SELinux boolean <code>ftpd_use_passive_mode</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>ftpd_use_passive_mode</code> SELinux boolean...Rule Medium Severity -
Disable the httpd_can_network_connect_cobbler SELinux Boolean
By default, the SELinux boolean <code>httpd_can_network_connect_cobbler</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>httpd_can_network_connect_cobble...Rule Medium Severity -
Disable the httpd_mod_auth_pam SELinux Boolean
By default, the SELinux boolean <code>httpd_mod_auth_pam</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>httpd_mod_auth_pam</code> SELinux boolean, run ...Rule Medium Severity -
Disable the httpd_use_nfs SELinux Boolean
By default, the SELinux boolean <code>httpd_use_nfs</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>httpd_use_nfs</code> SELinux boolean, run the follow...Rule Medium Severity -
Disable the httpd_use_openstack SELinux Boolean
By default, the SELinux boolean <code>httpd_use_openstack</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>httpd_use_openstack</code> SELinux boolean, ru...Rule Medium Severity -
Disable the logging_syslogd_run_nagios_plugins SELinux Boolean
By default, the SELinux boolean <code>logging_syslogd_run_nagios_plugins</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>logging_syslogd_run_nagios_plug...Rule Medium Severity -
Disable the logrotate_use_nfs SELinux Boolean
By default, the SELinux boolean <code>logrotate_use_nfs</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>logrotate_use_nfs</code> SELinux boolean, run th...Rule Medium Severity -
Disable the mozilla_plugin_bind_unreserved_ports SELinux Boolean
By default, the SELinux boolean <code>mozilla_plugin_bind_unreserved_ports</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>mozilla_plugin_bind_unreserve...Rule Medium Severity -
Disable the mozilla_plugin_use_gps SELinux Boolean
By default, the SELinux boolean <code>mozilla_plugin_use_gps</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>mozilla_plugin_use_gps</code> SELinux boole...Rule Medium Severity -
Disable KDump Kernel Crash Analyzer (kdump)
The <code>kdump</code> service provides a kernel crash dump analyzer. It uses the <code>kexec</code> system call to boot a secondary kernel ("capture" kernel) following a system crash, which can lo...Rule Medium Severity -
Disable Red Hat Network Service (rhnsd)
The Red Hat Network service automatically queries Red Hat Network servers to determine whether there are any actions that should be executed, such as package updates. This only occurs if the system...Rule Low Severity -
Disable the ssh_sysadm_login SELinux Boolean
By default, the SELinux boolean <code>ssh_sysadm_login</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>ssh_sysadm_login</code> SELinux boolean, run the ...Rule Medium Severity -
Enable the staff_exec_content SELinux Boolean
By default, the SELinux boolean <code>staff_exec_content</code> is enabled. If this setting is disabled, it should be enabled. To enable the <code>staff_exec_content</code> SELinux boolean, run th...Rule Medium Severity -
Disable the telepathy_tcp_connect_generic_network_ports SELinux Boolean
By default, the SELinux boolean <code>telepathy_tcp_connect_generic_network_ports</code> is enabled. This setting should be disabled as <code>telepathy</code> should not connect to any generic netw...Rule Medium Severity -
Disable the unprivuser_use_svirt SELinux Boolean
By default, the SELinux boolean <code>unprivuser_use_svirt</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>unprivuser_use_svirt</code> SELinux boolean, ...Rule Medium Severity -
Disable the virt_transition_userdomain SELinux Boolean
By default, the SELinux boolean <code>virt_transition_userdomain</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>virt_transition_userdomain</code> SELin...Rule Medium Severity -
Disable the xdm_write_home SELinux Boolean
By default, the SELinux boolean <code>xdm_write_home</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>xdm_write_home</code> SELinux boolean, run the foll...Rule Medium Severity -
Disable the xguest_connect_network SELinux Boolean
By default, the SELinux boolean <code>xguest_connect_network</code> is enabled. This setting should be disabled as guest users should not be able to configure <code>NetworkManager</code>. To disab...Rule Medium Severity -
Disable the zoneminder_run_sudo SELinux Boolean
By default, the SELinux boolean <code>zoneminder_run_sudo</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>zoneminder_run_sudo</code> SELinux boolean, ru...Rule Medium Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Red Hat Enterprise Linux 8 installs on a system and disable softwar...Group -
Disable Avahi Server Software
The <code>avahi-daemon</code> service can be disabled with the following command: <pre>$ sudo systemctl mask --now avahi-daemon.service</pre> Rule Medium Severity -
Disable Automatic Bug Reporting Tool (abrtd)
The Automatic Bug Reporting Tool (<code>abrtd</code>) daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to syst...Rule Medium Severity -
Verify Group Who Owns cron.daily
To properly set the group owner of <code>/etc/cron.daily</code>, run the command: <pre>$ sudo chgrp root /etc/cron.daily</pre> Rule Medium Severity -
Disable Cyrus SASL Authentication Daemon (saslauthd)
The <code>saslauthd</code> service handles plaintext authentication requests on behalf of the SASL library. The service isolates all code requiring superuser privileges for SASL authentication into...Rule Low Severity -
Name Service Switch does not use NIS
Each call to a function which retrieves data from a system database like the password or group database is handled by the Name Service Switch implementation in the GNU C library. The various servi...Rule Medium Severity