Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
Restrict at and cron to Authorized Users if Necessary
The <code>/etc/cron.allow</code> and <code>/etc/at.allow</code> files contain lists of users who are allowed to use <code>cron</code> and <code>at</code> to delay execution of processes. If these files exist an...Group -
DHCP
The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server. <br> <br> This guide recommends configuring...Group -
Minimize the DHCP-Configured Options
Create the file <code>/etc/dhcp/dhclient.conf</code>, and add an appropriate setting for each of the ten configuration settings which can be obtained via DHCP. For each setting, do one of the follo...Rule Unknown Severity -
Disable DHCP Client in ifcfg
For each interface on the system (e.g. eth0), edit <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i> </code> and make the following changes: <ul> <li> Correct the BOOTPROTO line t...Rule Unknown Severity -
Authenticate Zone Transfers
If it is necessary for a secondary nameserver to receive zone data via zone transfer from the primary server, follow the instructions here. Use dnssec-keygen to create a symmetric key file in the ...Rule Medium Severity -
Configure Dovecot to Use the SSL Certificate file
This option tells Dovecot where to find the mail server's SSL Certificate. <br> <br> Edit <code>/etc/dovecot/conf.d/10-ssl.conf</code> and add or correct the following line (<i>note: the p...Rule Unknown Severity -
Limit Users Allowed FTP Access if Necessary
If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add o...Rule Unknown Severity -
Configure Error Log Format
<code>LogFormat</code> should be enabled and set to the following in <code>/etc/httpd/conf/httpd.conf</code>: <pre>LogFormat "a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" \"%{User-Agent}i\"" combin...Rule Medium Severity -
Configure The Number of Allowed Simultaneous Requests
The <code>MaxKeepAliveRequests</code> directive should be set and configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_max_keepalive_requests" use="legacy"></xccdf-1.2:sub> or...Rule Medium Severity -
Configure firewall to Allow Access to the Web Server
By default, <code>iptables</code> blocks access to the ports used by the web server. To configure <code>iptables</code> to allow port 80 traffic, one must edit <code>/etc/sysconfig/iptables</code> ...Rule Low Severity -
Set Permissions on All Configuration Files Inside /etc/httpd/conf.d/
To properly set the permissions of <code>/etc/http/conf.d/*</code>, run the command: <pre>$ sudo chmod 0640 /etc/http/conf.d/*</pre> Rule Unknown Severity -
HTTPD Log Files Must Be Owned By Root
All <code>httpd</code> logs must be owned by the root user and group. By default, the path for httpd logs is <code>/var/log/httpd/</code>. To properly set the owner of <code>/var/log/httpd</code>, run ...Rule Medium Severity -
Limit Available Methods
Web server methods are defined in section 9 of RFC 2616 ( <a href="http://www.ietf.org/rfc/rfc2616.txt">http://www.ietf.org/rfc/rfc2616.txt</a>). If a web server does not require the implementa...Rule Unknown Severity -
Ensure LDAP client is not installed
The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The <code>openldap-clients</code> package can be removed wit...Rule Low Severity -
Minimize Web Server Loadable Modules
A default installation of <code>httpd</code> includes a plethora of dynamically shared objects (DSO) that are loaded at run-time. Unlike the aforementioned compiled-in modules, a DSO can be disable...Group -
Install mod_security
Install the security module: The <code>mod_security</code> package can be installed with the following command: <pre>$ sudo yum install mod_security</pre> Rule Unknown Severity -
Deploy mod_ssl
Because HTTP is a plain text protocol, all traffic is susceptible to passive monitoring. If there is a need for confidentiality, SSL should be configured and enabled to encrypt content. <br> ...Group -
Enable Transport Layer Security (TLS) Encryption
Disable old SSL and TLS versions and enable the latest TLS encryption by setting the following in <code>/etc/httpd/conf.modules.d/ssl.conf</code>: <pre>SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1<...Rule Medium Severity -
Install mod_ssl
Install the <code>mod_ssl</code> module: The <code>mod_ssl</code> package can be installed with the following command: <pre>$ sudo yum install mod_ssl</pre> Rule Unknown Severity -
Require Client Certificates
<code>SSLVerifyClient</code> should be set and configured to <code>require</code> by setting the following in <code>/etc/httpd/conf/httpd.conf</code>: <pre>SSLVerifyClient require</pre> Rule Medium Severity -
Set httpd ServerTokens Directive to Prod
<code>ServerTokens Prod</code> restricts information in page headers, returning only the word "Apache." <br> <br> Add or correct the following directive in <code>/etc/httpd/conf/httpd.conf...Rule Unknown Severity -
Disable Web Content Symbolic Links
For each <code><Directory></code> instance, remove the following: <pre>FollowSymLinks</pre> If symbolic links are allowed, the following can be added for each <code><Directory></code> i...Rule High Severity -
The robots.txt Files Must Not Exist
Remove any <code>robots.txt</code> files that may exist with any web content. Other methods must be employed if there is information on the web site that needs protection from search engines and pu...Rule Medium Severity -
Mail Server Software
Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not r...Group -
Configure System to Forward All Mail From Postmaster to The Root Account
Verify the administrators are notified in the event of an audit processing failure. Check that the "/etc/aliases" file has a defined value for "root". <pre>$ sudo grep "postmaster:\s*root$" /etc/al...Rule Medium Severity -
Prevent Unrestricted Mail Relaying
Modify the <code>/etc/postfix/main.cf</code> file to restrict client connections to the local network with the following command: <pre>$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetwork...Rule Medium Severity -
Uninstall nfs-utils Package
The <code>nfs-utils</code> package can be removed with the following command: <pre>$ sudo yum erase nfs-utils</pre> Rule Low Severity -
Uninstall rpcbind Package
The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they e...Rule Low Severity -
Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)
Firewalling should be done at each host and at the border firewalls to protect the NFS daemons from remote access, since NFS servers should never be accessible from outside the organization. Howeve...Group -
Restrict NFS Clients to Privileged Ports
By default, the server NFS implementation requires that all client requests be made from ports less than 1024. If your organization has control over systems connected to its network, and if NFS req...Rule Unknown Severity -
The Chrony package is installed
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize th...Rule Medium Severity -
Verify Permissions On /etc/chrony.keys File
To properly set the permissions of <code>/etc/chrony.keys</code>, run the command: <pre>$ sudo chmod 0640 /etc/chrony.keys</pre> Rule Medium Severity -
Enable the NTP Daemon
Run the following command to determine the current status of the <code>chronyd</code> service: <pre>$ sudo systemctl is-active chronyd</pre> If the service is running, it should return the follo...Rule Medium Severity -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. M...Rule Medium Severity -
Configure Time Service Maxpoll Interval
The <code>maxpoll</code> should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy"></xccdf-1.2:sub> in <code>/etc/ntp.conf</code> o...Rule Medium Severity -
Specify a Remote NTP Server
Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux 8 system can be configured to utilize the services of the <code>chronyd</code> NTP d...Rule Medium Severity -
Verify Group Who Owns /etc/chrony.keys File
To properly set the group owner of <code>/etc/chrony.keys</code>, run the command: <pre>$ sudo chgrp chrony /etc/chrony.keys</pre> Rule Medium Severity -
Verify User Who Owns /etc/chrony.keys File
To properly set the owner of <code>/etc/chrony.keys</code>, run the command: <pre>$ sudo chown root /etc/chrony.keys</pre> Rule Medium Severity -
Disable rlogin Service
The <code>rlogin</code> service, which is available with the <code>rsh-server</code> package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xin...Rule High Severity -
Disable telnet Service
Make sure that the activation of the <code>telnet</code> service on system boot is disabled. The <code>telnet</code> socket can be disabled with the following command: <pre>$ sudo systemctl mask -...Rule High Severity -
Ensure tftp Daemon Uses Secure Mode
If running the Trivial File Transfer Protocol (TFTP) service is necessary, it should be configured to change its root directory at startup. To do so, ensure <code>/etc/xinetd.d/tftp</code> includes...Rule Medium Severity -
Uninstall squid Package
The <code>squid</code> package can be removed with the following command: <pre>$ sudo yum erase squid</pre> Rule Unknown Severity -
Uninstall quagga Package
The <code>quagga</code> package can be removed with the following command: <pre>$ sudo yum erase quagga</pre> Rule Low Severity -
Uninstall Samba Package
The <code>samba</code> package can be removed with the following command: <pre>$ sudo yum erase samba</pre> Rule Unknown Severity -
Uninstall net-snmp Package
The <code>net-snmp</code> package provides the snmpd service. The <code>net-snmp</code> package can be removed with the following command: <pre>$ sudo yum erase net-snmp</pre> Rule Unknown Severity -
Configure SNMP Server if Necessary
If it is necessary to run the snmpd agent on the system, some best practices should be followed to minimize the security risk from the installation. The multiple security models implemented by SNMP...Group -
Ensure Default SNMP Password Is Not Used
Edit <code>/etc/snmp/snmpd.conf</code> and remove or change the default community strings of <code>public</code> and <code>private</code>. This profile configures a new read-only community string to <co...Rule High Severity -
Enable the OpenSSH Service
The SSH server service, sshd, is commonly needed. The <code>sshd</code> service can be enabled with the following command: <pre>$ sudo systemctl enable sshd.service</pre> Rule Medium Severity -
Configure session renegotiation for SSH client
The <code>RekeyLimit</code> parameter specifies how often the session key is renegotiated, both in terms of amount of data that may be transmitted and the time elapsed. To decrease the default limi...Rule Medium Severity -
Set SSH Client Alive Interval
SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automatically logged out. <br> <br> To set this t...Rule Medium Severity