Skip to content

Guide to the Secure Configuration of Red Hat Enterprise Linux 7

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Use Only FIPS 140-2 Validated Ciphers

    Limit the ciphers to those algorithms which are FIPS-approved. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of FIPS-app...
    Rule Medium Severity
  • Use Only FIPS 140-2 Validated Key Exchange Algorithms

    Limit the key exchange algorithms to those which are FIPS-approved. Add or modify the following line in <code>/etc/ssh/sshd_config</code> <pre>Kex...
    Rule Medium Severity
  • Use Only FIPS 140-2 Validated MACs

    Limit the MACs to those hash algorithms which are FIPS-approved. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of FIPS-a...
    Rule Medium Severity
  • Use Only FIPS 140-2 Validated MACs

    Limit the MACs to those hash algorithms which are FIPS-approved. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of FIPS-a...
    Rule Medium Severity
  • Enable Use of Privilege Separation

    When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH...
    Rule Medium Severity
  • Use Only Strong Ciphers

    Limit the ciphers to strong algorithms. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in <code>/et...
    Rule Medium Severity
  • Use Only Strong Key Exchange algorithms

    Limit the Key Exchange to strong algorithms. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of those: <pre>KexAlgorithms ...
    Rule Medium Severity
  • Prevent remote hosts from connecting to the proxy display

    The SSH daemon should prevent remote hosts from connecting to the proxy display. <br> The default SSH configuration for <code>X11UseLocalhost</code...
    Rule Medium Severity
  • Strengthen Firewall Configuration if Possible

    If the SSH server is expected to only receive connections from the local network, then strengthen the default firewall rule for the SSH service to ...
    Group
  • System Security Services Daemon

    The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red H...
    Group
  • SSSD certificate_verification option

    Value of the certificate_verification option in the SSSD config.
    Value
  • SSSD memcache_timeout option

    Value of the memcache_timeout option in the [nss] section of SSSD config /etc/sssd/sssd.conf.
    Value
  • SSSD ssh_known_hosts_timeout option

    Value of the ssh_known_hosts_timeout option in the [ssh] section of SSSD configuration file /etc/sssd/sssd.conf.
    Value
  • Install sssd-ipa Package

    The sssd-ipa package can be installed with the following command:
    $ sudo yum install sssd-ipa
    Rule Medium Severity
  • Install the SSSD Package

    The <code>sssd</code> package should be installed. The <code>sssd</code> package can be installed with the following command: <pre> $ sudo yum inst...
    Rule Medium Severity
  • Enable the SSSD Service

    The SSSD service should be enabled. The <code>sssd</code> service can be enabled with the following command: <pre>$ sudo systemctl enable sssd.ser...
    Rule Medium Severity
  • Configure PAM in SSSD Services

    SSSD should be configured to run SSSD <code>pam</code> services. To configure SSSD to known SSH hosts, add <code>pam</code> to <code>services</code...
    Rule Medium Severity
  • Enable Smartcards in SSSD

    SSSD should be configured to authenticate access to the system using smart cards. To enable smart cards in SSSD, set <code>pam_cert_auth</code> to ...
    Rule Medium Severity
  • Configure SSSD's Memory Cache to Expire

    SSSD's memory cache should be configured to set to expire records after <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_sssd_mem...
    Rule Medium Severity
  • Configure SSSD to Expire Offline Credentials

    SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set <code>offline_credential...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules