Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding <pre>/org/gnome/desktop/screensaver/lock-enabled</pre> to <code>/etc/dconf/db/local.d/locks/00-...Rule Medium Severity -
Implement Blank Screensaver
To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set <code>picture-uri</code> to <code>string ''</code> in <code>/etc/dconf/db/local.d/00-security-settings</code>. For...Rule Medium Severity -
Disable Full User Name on Splash Shield
By default when the screen is locked, the splash shield will show the user's full name. This should be disabled to prevent casual observers from seeing who has access to the system. This can be dis...Rule Medium Severity -
Ensure Users Cannot Change GNOME3 Screensaver Settings
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding <code>/org/gnome/desktop/screensaver/lock-delay</code> to <code>/etc/dconf/db/local.d/locks/00-...Rule Medium Severity -
Ensure Users Cannot Change GNOME3 Session Idle Settings
If not already configured, ensure that users cannot change GNOME3 session idle settings by adding <code>/org/gnome/desktop/session/idle-delay</code> to <code>/etc/dconf/db/local.d/locks/00-security...Rule Medium Severity -
GNOME System Settings
GNOME provides configuration and functionality to a graphical desktop environment that changes grahical configurations or allow a user to perform actions that users normally would not be able to do...Group -
Don't define allowed commands in sudoers by means of exclusion
Policies applied by sudo through the sudoers file should not involve negation. Each user specification in the <code>sudoers</code> file contains a comma-delimited list of command specifications. T...Rule Medium Severity -
Disable Geolocation in GNOME3
<code>GNOME</code> allows the clock and applications to track and access location information. This setting should be disabled as applications should not track system location. To configure the sys...Rule Medium Severity -
Disable Power Settings in GNOME3
By default, <code>GNOME</code> enables a power profile designed for mobile devices with battery usage. While useful for mobile devices, this setting should be disabled for all other systems. To con...Rule Medium Severity -
Disable User Administration in GNOME3
By default, <code>GNOME</code> will allow all users to have some administratrion capability. This should be disabled so that non-administrative users are not making configuration changes. To config...Rule High Severity -
Sudo
<code>Sudo</code>, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrators. When configured for system users and/or groups...Group -
Group name dedicated to the use of sudo
Specify the name of the group that should own /usr/bin/sudo.Value -
Sudo - logfile value
Specify the sudo logfile to use. The default value used here matches the example location from CIS, which uses /var/log/sudo.log.Value -
Sudo - passwd_timeout value
Defines the number of minutes before thesudopassword prompt times out. Defining 0 means no timeout. The default timeout value is 5 minutes.Value -
Sudo - timestamp_timeout value
Defines the number of minutes that can elapse before <code>sudo</code> will ask for a passwd again. If set to a value less than 0 the user's time stamp will never expire. Defining 0 means always pr...Value -
Sudo - umask value
Specify the sudo umask to use. The actual umask value that is used is the union of the user's umask and the sudo umask. The default sudo umask is 0022. This guarantess sudo never lowers the umask w...Value -
Ensure sudo Runs In A Minimal Environment - sudo env_reset
The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment, containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER and SUDO_* variables. On Red Hat Ente...Rule Medium Severity -
Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
The sudo <code>ignore_dot</code> tag, when specified, will ignore the current directory in the PATH environment variable. On Red Hat Enterprise Linux 8, <code>ignore_dot</code> is enabled by defaul...Rule Medium Severity -
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
The sudo <code>NOEXEC</code> tag, when specified, prevents user executed commands from executing other commands, like a shell for example. This should be enabled by making sure that the <code>NOEXE...Rule High Severity -
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
The sudo <code>requiretty</code> tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the <code>requiretty</code> tag ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.