Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Verify nftables Service is Enabled
The nftables service allows for the loading of nftables rulesets during boot, or starting on the nftables service The <code>nftables</code> servic...Rule Medium Severity -
Ensure a Table Exists for Nftables
Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six famil...Rule Medium Severity -
SuSEfirewall2
The SuSEfirewall2 provides a managed firewall.Group -
Uncomplicated Firewall (ufw)
The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter are the ip...Group -
Verify ufw Enabled
Theufwservice can be enabled with the following command:$ sudo systemctl enable ufw.service
Rule Medium Severity -
Uncommon Network Protocols
The system includes support for several network protocols which are not commonly used. Although security vulnerabilities in kernel networking code ...Group -
Disable ATM Support
The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual path...Rule Medium Severity -
Disable CAN Support
The Controller Area Network (CAN) is a serial communications protocol which was initially developed for automotive and is now also used in marine, ...Rule Medium Severity -
Disable DCCP Support
The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. T...Rule Medium Severity -
Disable IEEE 1394 (FireWire) Support
The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. To configure the system to prevent the <code>firewire-co...Rule Low Severity -
Disable RDS Support
The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications ...Rule Low Severity -
Disable SCTP Support
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with...Rule Medium Severity -
Verify User Who Owns passwd File
To properly set the owner of/etc/passwd, run the command:$ sudo chown root /etc/passwd
Rule Medium Severity -
Wireless Networking
Wireless networking, such as 802.11 (WiFi) and Bluetooth, can present a security risk to sensitive or classified systems and networks. Wireless net...Group -
Disable Wireless Through Software Configuration
If it is impossible to remove the wireless hardware from the device in question, disable as much of it as possible through software. The following ...Group -
Disable Bluetooth Service
The <code>bluetooth</code> service can be disabled with the following command: <pre>$ sudo systemctl mask --now bluetooth.service</pre> <pre>$ sud...Rule Medium Severity -
Disable Bluetooth Kernel Module
The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate <code>/etc/mo...Rule Medium Severity -
Disable Kernel cfg80211 Module
To configure the system to prevent the <code>cfg80211</code> kernel module from being loaded, add the following line to the file <code>/etc/modpro...Rule Medium Severity -
Disable Kernel iwlmvm Module
To configure the system to prevent the <code>iwlmvm</code> kernel module from being loaded, add the following line to the file <code>/etc/modprobe...Rule Medium Severity -
Disable Kernel iwlwifi Module
To configure the system to prevent the <code>iwlwifi</code> kernel module from being loaded, add the following line to the file <code>/etc/modprob...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.