Skip to content

Guide to the Secure Configuration of Red Hat Enterprise Linux 9

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Install firewalld Package

    The firewalld package can be installed with the following command:
    $ sudo dnf install firewalld
    Rule Medium Severity
  • Strengthen the Default Ruleset

    The default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in configuration files under t...
    Group
  • Configure the Firewalld Ports

    Configure the <code>firewalld</code> ports to allow approved services to have access to the system. To configure <code>firewalld</code> to open por...
    Rule Medium Severity
  • Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems

    Red Hat Enterprise Linux 9 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zone...
    Rule Medium Severity
  • Configure Firewalld to Restrict Loopback Traffic

    Configure <code>firewalld</code> to restrict loopback traffic to the <code>lo</code> interface. The loopback traffic must be trusted by assigning ...
    Rule Medium Severity
  • Configure Firewalld to Trust Loopback Traffic

    Assign loopback interface to the <code>firewalld</code> <code>trusted</code> zone in order to explicitly allow the loopback traffic in the system. ...
    Rule Medium Severity
  • Set Default firewalld Zone for Incoming Packets

    To set the default zone to <code>drop</code> for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following lin...
    Rule Medium Severity
  • IPSec Support

    Support for Internet Protocol Security (IPsec) is provided with Libreswan.
    Group
  • Install libreswan Package

    The libreswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The <code>...
    Rule Medium Severity
  • net.ipv4.conf.default.rp_filter

    Enables source route verification
    Value
  • daemons_use_tty SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
  • iptables and ip6tables

    A host-based firewall called <code>netfilter</code> is included as part of the Linux kernel distributed with the system. It is activated by default...
    Group
  • Inspect and Activate Default Rules

    View the currently-enforced <code>iptables</code> rules by running the command: <pre>$ sudo iptables -nL --line-numbers</pre> The command is analog...
    Group
  • Verify ip6tables Enabled if Using IPv6

    The ip6tables service can be enabled with the following command:
    $ sudo systemctl enable ip6tables.service
    Rule Medium Severity
  • Verify iptables Enabled

    The iptables service can be enabled with the following command:
    $ sudo systemctl enable iptables.service
    Rule Medium Severity
  • Set Default ip6tables Policy for Incoming Packets

    To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following l...
    Rule Medium Severity
  • Set configuration for IPv6 loopback traffic

    Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.
    Rule Medium Severity
  • Set configuration for loopback traffic

    Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.
    Rule Medium Severity
  • Strengthen the Default Ruleset

    The default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in the configuration files <co...
    Group
  • Set Default iptables Policy for Incoming Packets

    To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following l...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules