Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Minimize Modules for HTTP Basic Authentication
The following modules are necessary if this web server will provide content that will be restricted by a password. <br><br> Authentication can be p...Group -
Minimize Configuration Files Included
The <code>Include</code> directive directs <code>httpd</code> to load supplementary configuration files from a provided path. The default configura...Group -
Set httpd ServerTokens Directive to Prod
<code>ServerTokens Prod</code> restricts information in page headers, returning only the word "Apache." <br><br> Add or correct the following direc...Rule Unknown Severity -
Install the Samba Common Package
The <code>samba-common</code> package should be installed. The <code>samba-common</code> package can be installed with the following command: <pre>...Rule Medium Severity -
Minimize Various Optional Components
The following modules perform very specific tasks, sometimes providing access to just a few additional directives. If such functionality is not req...Group -
Use Appropriate Modules to Improve httpd's Security
Among the modules available for <code>httpd</code> are several whose use may improve the security of the web server installation. This section reco...Group -
Deploy mod_security
The <code>security</code> module provides an application level firewall for <code>httpd</code>. Following its installation with the base ruleset, s...Group -
Install mod_security
Install the <code>security</code> module: The <code>mod_security</code> package can be installed with the following command: <pre> $ sudo yum insta...Rule Unknown Severity -
Deploy mod_ssl
Because HTTP is a plain text protocol, all traffic is susceptible to passive monitoring. If there is a need for confidentiality, SSL should be conf...Group -
Enable Transport Layer Security (TLS) Encryption
Disable old SSL and TLS version and enable the latest TLS encryption by setting the following in <code>/etc/httpd/conf.modules.d/ssl.conf</code>: <...Rule Medium Severity -
Configure A Valid Server Certificate
Configure the web site to use a valid organizationally defined certificate. For DoD, this is a DoD server certificate issued by the DoD CA.Rule Medium Severity -
Install mod_ssl
Install the <code>mod_ssl</code> module: The <code>mod_ssl</code> package can be installed with the following command: <pre> $ sudo yum install mod...Rule Unknown Severity -
Require Client Certificates
<code>SSLVerifyClient</code> should be set and configured to <code>require</code> by setting the following in <code>/etc/httpd/conf/httpd.conf</cod...Rule Medium Severity -
Restrict Web Server Information Leakage
The <code>ServerTokens</code> and <code>ServerSignature</code> directives determine how much information the web server discloses about the configu...Group -
Disable Cyrus IMAP
If the system does not need to operate as an IMAP or POP3 server, the Cyrus IMAP software should be removed.Group -
Configure System to Forward All Mail For The Root Account
Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address <xccdf-1.2:sub idref="xccdf_org....Rule Medium Severity -
Configure HTTPD-Served Web Content Securely
Running <code>httpd</code> inside a <code>chroot</code> jail is designed to isolate the web server process to a small section of the filesystem, li...Group -
Web Login Banner Verbiage
Enter an appropriate login banner for your organization. Please note that new lines must be expressed by the '\n' character and special characters ...Value -
Configure A Banner Page For Each Website
Configure a login banner for each website when authentication is required for user access.Rule Low Severity -
Each Web Content Directory Must Contain An index.html File
Every <code>DocumentRoot</code> that is configured should have an <code>index.html</code> file that exists. Add an <code>index.html</code> file to ...Rule Low Severity -
Disable Web Content Symbolic Links
For each <code><Directory></code> instance, remove the following: <pre>FollowSymLinks</pre> If symbolic links are allowed, the following can ...Rule High Severity -
Encrypt All File Uploads
Use only secure encrypted logons and connections for uploading files to the web site.Rule High Severity -
Remove .java And .jpp Files
.javaand.jppfiles should not exist and should be removed from the web server.Rule Low Severity -
The robots.txt Files Must Not Exist
Remove any <code>robots.txt</code> files that may exist with any web content. Other methods must be employed if there is information on the web sit...Rule Medium Severity -
Uninstall cyrus-imapd Package
Thecyrus-imapdpackage can be removed with the following command:$ sudo yum erase cyrus-imapd
Rule Unknown Severity -
Ensure Web Content Located on Separate partition
The <code>DocumentRoot</code> directory is used for storing web content and data. Ensure that the <code>DocumentRoot</code> directory exists on a s...Rule Medium Severity -
Use Denial-of-Service Protection Modules
Denial-of-service attacks are difficult to detect and prevent while maintaining acceptable access to authorized users. However, some traffic-shapin...Group -
IMAP and POP3 Server
Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at <a href="http://www.dovecot.org">http://www.dovec...Group -
Configure Dovecot if Necessary
If the system will operate as an IMAP or POP3 server, the dovecot software should be configured securely by following the recommendations below.Group -
Allow IMAP Clients to Access the Server
The default iptables configuration does not allow inbound access to any services. This modification will allow remote hosts to initiate connection...Group -
Enable SSL Support
SSL should be used to encrypt network traffic between the Dovecot server and its clients. Users must authenticate to the Dovecot server in order ...Group -
Configure Dovecot to Use the SSL Certificate file
This option tells Dovecot where to find the mail server's SSL Certificate. <br><br> Edit <code>/etc/dovecot/conf.d/10-ssl.conf</code> and add or co...Rule Unknown Severity -
Configure Dovecot to Use the SSL Key file
This option tells Dovecot where to find the mail server's SSL Key. <br><br> Edit <code>/etc/dovecot/conf.d/10-ssl.conf</code> and add or correct th...Rule Unknown Severity -
Disable Plaintext Authentication
To prevent Dovecot from attempting plaintext authentication of clients, edit <code>/etc/dovecot/conf.d/10-auth.conf</code> and add\or correct the f...Rule Unknown Severity -
Enable the SSL flag in /etc/dovecot.conf
To allow clients to make encrypted connections the <code>ssl</code> flag in Dovecot's configuration file needs to be set to <code>yes</code>. <br><...Rule Unknown Severity -
Support Only the Necessary Protocols
Dovecot supports the IMAP and POP3 protocols, as well as SSL-protected versions of those protocols. Configure the Dovecot server to support only ...Group -
Remove the Kerberos Server Package
The <code>krb5-server</code> package should be removed if not in use. Is this system the Kerberos server? If not, remove the package. The <code>krb...Rule Medium Severity -
Disable Kerberos by removing host keytab
Kerberos is not an approved key distribution method for Common Criteria. To prevent using Kerberos by system daemons, remove the Kerberos keytab fi...Rule Medium Severity -
LDAP
LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. Red Hat Enterprise Linux 8 incl...Group -
Configure OpenLDAP Clients
This section provides information on which security settings are important to configure in OpenLDAP clients by manually editing the appropriate con...Group -
Ensure LDAP client is not installed
The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The <code>...Rule Low Severity -
Enable the LDAP Client For Use in Authconfig
To determine if LDAP is being used for authentication, use the following command: <pre>$ sudo grep -i useldapauth /etc/sysconfig/authconfig</pre> <...Rule Medium Severity -
Configure LDAP Client to Use TLS For All Transactions
This check verifies cryptography has been implemented to protect the integrity of remote LDAP authentication sessions. <br><br> To determine if LDA...Rule Medium Severity -
Configure Certificate Directives for LDAP Use of TLS
Ensure a copy of a trusted CA certificate has been placed in the file <code>/etc/pki/tls/CA/cacert.pem</code>. Configure LDAP to enforce TLS use an...Rule Medium Severity -
Configure OpenLDAP Server
This section details some security-relevant settings for an OpenLDAP server.Group -
Uninstall openldap-servers Package
The openldap-servers package is not installed by default on a Red Hat Enterprise Linux 8 system. It is needed only by the OpenLDAP server, not by t...Rule Low Severity -
Disable LDAP Server (slapd)
The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database.Rule Medium Severity -
Disable Secure RPC Client Service (rpcgssd)
The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the...Rule Unknown Severity -
Enact SMTP Recipient Restrictions
To configure Postfix to restrict addresses to which it will send mail, see: <a href="http://www.postfix.org/SMTPD_ACCESS_README.html#danger">h...Group -
Install and Protect LDAP Certificate Files
Create the PKI directory for LDAP certificates if it does not already exist: <pre>$ sudo mkdir /etc/pki/tls/ldap $ sudo chown root:root /etc/pki/tl...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.