Skip to content

Guide to the Secure Configuration of Red Hat Enterprise Linux 8

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Enable SSH Warning Banner

    To enable the warning banner and ensure it is consistent across the system, add or correct the following line in <code>/etc/ssh/sshd_config</code>...
    Rule Medium Severity
  • Enable Encrypted X11 Forwarding

    By default, remote X11 connections are not encrypted when initiated by users. SSH has the capability to encrypt remote X11 connections when SSH's <...
    Rule High Severity
  • Limit Users' SSH Access

    By default, the SSH configuration allows any user with an account to access the system. There are several options available to limit which users an...
    Rule Unknown Severity
  • Enable SSH Print Last Log

    Ensure that SSH will display the date and time of the last successful account logon. <br> The default SSH configuration enables print of the date a...
    Rule Medium Severity
  • Force frequent session key renegotiation

    The <code>RekeyLimit</code> parameter specifies how often the session key of the is renegotiated, both in terms of amount of data that may be trans...
    Rule Medium Severity
  • Ensure SSH LoginGraceTime is configured

    The <code>LoginGraceTime</code> parameter to the SSH server specifies the time allowed for successful authentication to the SSH server. The longer ...
    Rule Medium Severity
  • Set LogLevel to INFO

    The INFO parameter specifices that record login and logout activity will be logged. <br> The default SSH configuration sets the log level to INFO. ...
    Rule Low Severity
  • Set SSH Daemon LogLevel to VERBOSE

    The <code>VERBOSE</code> parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct t...
    Rule Medium Severity
  • Set SSH authentication attempt limit

    The <code>MaxAuthTries</code> parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failur...
    Rule Medium Severity
  • Set SSH MaxSessions limit

    The <code>MaxSessions</code> parameter specifies the maximum number of open sessions permitted from a given connection. To set MaxSessions edit <co...
    Rule Medium Severity
  • Ensure SSH MaxStartups is configured

    The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be ...
    Rule Medium Severity
  • Use Only FIPS 140-2 Validated Ciphers

    Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The foll...
    Rule Medium Severity
  • Use Only FIPS 140-2 Validated Key Exchange Algorithms

    Limit the key exchange algorithms to those which are FIPS-approved. Add or modify the following line in <code>/etc/crypto-policies/back-ends/opens...
    Rule Medium Severity
  • Use Only FIPS 140-2 Validated MACs

    Limit the MACs to those hash algorithms which are FIPS-approved. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of FIPS-a...
    Rule Medium Severity
  • Enable Use of Privilege Separation

    When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH...
    Rule Medium Severity
  • Disable X Windows

    Unless there is a mission-critical reason for the system to run a graphical user interface, ensure X is not set to start automatically at boot and ...
    Group
  • SSH server uses strong entropy to seed

    To set up SSH server to use entropy from a high-quality source, edit the <code>/etc/sysconfig/sshd</code> file. The <code>SSH_USE_STRONG_RNG</code>...
    Rule Low Severity
  • Prevent remote hosts from connecting to the proxy display

    The SSH daemon should prevent remote hosts from connecting to the proxy display. <br> The default SSH configuration for <code>X11UseLocalhost</code...
    Rule Medium Severity
  • Strengthen Firewall Configuration if Possible

    If the SSH server is expected to only receive connections from the local network, then strengthen the default firewall rule for the SSH service to ...
    Group
  • System Security Services Daemon

    The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red H...
    Group
  • SSSD certificate_verification option

    Value of the certificate_verification option in the SSSD config.
    Value
  • SSSD memcache_timeout option

    Value of the memcache_timeout option in the [nss] section of SSSD config /etc/sssd/sssd.conf.
    Value
  • SSSD ssh_known_hosts_timeout option

    Value of the ssh_known_hosts_timeout option in the [ssh] section of SSSD configuration file /etc/sssd/sssd.conf.
    Value
  • Install sssd-ipa Package

    The sssd-ipa package can be installed with the following command:
    $ sudo yum install sssd-ipa
    Rule Medium Severity
  • Install the SSSD Package

    The <code>sssd</code> package should be installed. The <code>sssd</code> package can be installed with the following command: <pre> $ sudo yum inst...
    Rule Medium Severity
  • Enable the SSSD Service

    The SSSD service should be enabled. The <code>sssd</code> service can be enabled with the following command: <pre>$ sudo systemctl enable sssd.ser...
    Rule Medium Severity
  • Certificate status checking in SSSD

    Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-ba...
    Rule Medium Severity
  • Enable Certmap in SSSD

    SSSD should be configured to verify the certificate of the user or group. To set this up ensure that section like <code>certmap/testing.test/rule_...
    Rule Medium Severity
  • How to Use This Guide

    Readers should heed the following points when using the guide.
    Group
  • Configure PAM in SSSD Services

    SSSD should be configured to run SSSD <code>pam</code> services. To configure SSSD to known SSH hosts, add <code>pam</code> to <code>services</code...
    Rule Medium Severity
  • Enable Smartcards in SSSD

    SSSD should be configured to authenticate access to the system using smart cards. To enable smart cards in SSSD, set <code>pam_cert_auth</code> to ...
    Rule Medium Severity
  • SSSD Has a Correct Trust Anchor

    SSSD must have acceptable trust anchor present.
    Rule Medium Severity
  • Configure SSSD's Memory Cache to Expire

    SSSD's memory cache should be configured to set to expire records after <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_sssd_mem...
    Rule Medium Severity
  • Configure SSSD to Expire Offline Credentials

    SSSD should be configured to expire offline credentials after 1 day. Check if SSSD allows cached authentications with the following command: <pre>...
    Rule Medium Severity
  • Configure SSSD to run as user sssd

    SSSD processes should be configured to run as user sssd, not root.
    Rule Medium Severity
  • Configure SSSD to Expire SSH Known Hosts

    SSSD should be configured to expire keys from known SSH hosts after <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_sssd_ssh_kno...
    Rule Medium Severity
  • System Security Services Daemon (SSSD) - LDAP

    The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red H...
    Group
  • SSSD LDAP Backend Client CA Certificate Location

    Path of a directory that contains Certificate Authority certificates.
    Value
  • Configure SSSD LDAP Backend Client CA Certificate

    Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions. By setting the <pre>ldap_tls_cacert</pre> option ...
    Rule Medium Severity
  • Configure SSSD LDAP Backend Client CA Certificate Location

    Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions. By setting the <pre>ldap_tls_cacertdir</pre> opti...
    Rule Medium Severity
  • Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server

    Configure SSSD to demand a valid certificate from the server to protect the integrity of LDAP remote access sessions by setting the <pre>ldap_tls_r...
    Rule Medium Severity
  • Configure SSSD LDAP Backend to Use TLS For All Transactions

    The LDAP client should be configured to implement TLS for the integrity of all remote LDAP authentication sessions. If the <code>id_provider</code>...
    Rule High Severity
  • USBGuard daemon

    The USBGuard daemon enforces the USB device authorization policy for all USB devices.
    Group
  • Install usbguard Package

    The usbguard package can be installed with the following command:
    $ sudo yum install usbguard
    Rule Medium Severity
  • Enable the USBGuard Service

    The USBGuard service should be enabled. The <code>usbguard</code> service can be enabled with the following command: <pre>$ sudo systemctl enable ...
    Rule Medium Severity
  • Log USBGuard daemon audit events using Linux Audit

    To configure USBGuard daemon to log via Linux Audit (as opposed directly to a file), <code>AuditBackend</code> option in <code>/etc/usbguard/usbgua...
    Rule Low Severity
  • Authorize Human Interface Devices in USBGuard daemon

    To allow authorization of Human Interface Devices (keyboard, mouse) by USBGuard daemon, add the line <code>allow with-interface match-all { 03:*:* ...
    Rule Medium Severity
  • Authorize Human Interface Devices and USB hubs in USBGuard daemon

    To allow authorization of USB devices combining human interface device and hub capabilities by USBGuard daemon, add the line <code>allow with-inter...
    Rule Medium Severity
  • Authorize USB hubs in USBGuard daemon

    To allow authorization of USB hub devices by USBGuard daemon, add line <code>allow with-interface match-all { 09:00:* }</code> to <code>/etc/usbgua...
    Rule Medium Severity
  • Generate USBGuard Policy

    By default USBGuard when enabled prevents access to all USB devices and this lead to inaccessible system if they use USB mouse/keyboard. To prevent...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules