Skip to content

Guide to the Secure Configuration of Red Hat Enterprise Linux 9

Rules, Groups, and Values defined within the XCCDF Benchmark

  • daemons_enable_cluster_mode SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
  • Enable automatic signing of all modules

    Sign all modules during make modules_install. Without this option, modules must be signed manually, using the scripts/sign-file tool. The configur...
    Rule Medium Severity
  • Require modules to be validly signed

    Reject unsigned modules or signed modules with an unknown key. The configuration that was used to build kernel is available at <code>/boot/config-...
    Rule Medium Severity
  • Specify the hash to use when signing modules

    This configures the kernel to build and sign modules using <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_ha...
    Rule Medium Severity
  • Specify module signing key to use

    Setting this option to something other than its default of <code>certs/signing_key.pem</code> will disable the autogeneration of signing keys and a...
    Rule Medium Severity
  • Sign kernel modules with SHA-512

    This configures the kernel to build and sign modules using SHA512 as the hash function. The configuration that was used to build kernel is availab...
    Rule Medium Severity
  • Enable poison of pages after freeing

    Fill the pages with poison patterns after free_pages() and verify the patterns before alloc_pages. This does have a potential performance impact if...
    Rule Medium Severity
  • Enable poison without sanity check

    Skip the sanity checking on alloc, only fill the pages with poison on free. This reduces some of the overhead of the poisoning feature. This config...
    Rule Medium Severity
  • Use zero for poisoning instead of debugging value

    Instead of using the existing poison value, fill the pages with zeros. This makes it harder to detect when errors are occurring due to sanitization...
    Rule Medium Severity
  • Remove the kernel mapping in user mode

    This feature reduces the number of hardware side channels by ensuring that the majority of kernel addresses are not mapped into userspace. This con...
    Rule High Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules