Skip to content

Guide to the Secure Configuration of Red Hat Enterprise Linux 7

Rules, Groups, and Values defined within the XCCDF Benchmark

  • McAfee Endpoint Security for Linux (ENSL)

    McAfee Endpoint Security for Linux (ENSL) is a suite of software applications used to monitor, detect, and defend computer networks and systems.
    Group
  • Install McAfee Endpoint Security for Linux (ENSL)

    Install McAfee Endpoint Security for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of v...
    Rule Medium Severity
  • Ensure McAfee Endpoint Security for Linux (ENSL) is running

    Install McAfee Endpoint Security for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of v...
    Rule Medium Severity
  • McAfee Host-Based Intrusion Detection Software (HBSS)

    McAfee Host-based Security System (HBSS) is a suite of software applications used to monitor, detect, and defend computer networks and systems.
    Group
  • Install the Host Intrusion Prevention System (HIPS) Module

    Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely necessary. If SELinux is enabled, do not install or enable th...
    Rule Medium Severity
  • Install the Asset Configuration Compliance Module (ACCM)

    Install the Asset Configuration Compliance Module (ACCM).
    Rule Medium Severity
  • Install the Policy Auditor (PA) Module

    Install the Policy Auditor (PA) Module.
    Rule Medium Severity
  • Disk Partitioning

    To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logic...
    Group
  • Encrypt Partitions

    Red Hat Enterprise Linux 7 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest...
    Rule High Severity
  • Ensure /boot Located On Separate Partition

    It is recommended that the <code>/boot</code> directory resides on a separate partition. This makes it easier to apply restrictions e.g. through th...
    Rule Medium Severity
  • Ensure /home Located On Separate Partition

    If user home directories will be stored locally, create a separate partition for <code>/home</code> at installation time (or migrate it later using...
    Rule Low Severity
  • Ensure /opt Located On Separate Partition

    It is recommended that the /opt directory resides on a separate partition.
    Rule Medium Severity
  • Ensure /srv Located On Separate Partition

    If a file server (FTP, TFTP...) is hosted locally, create a separate partition for <code>/srv</code> at installation time (or migrate it later usin...
    Rule Unknown Severity
  • Ensure /tmp Located On Separate Partition

    The <code>/tmp</code> directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at...
    Rule Low Severity
  • Ensure /usr Located On Separate Partition

    It is recommended that the /usr directory resides on a separate partition.
    Rule Medium Severity
  • Ensure /var Located On Separate Partition

    The <code>/var</code> directory is used by daemons and other system services to store frequently-changing data. Ensure that <code>/var</code> has i...
    Rule Low Severity
  • Ensure /var/log Located On Separate Partition

    System logs are stored in the <code>/var/log</code> directory. Ensure that <code>/var/log</code> has its own partition or logical volume at instal...
    Rule Low Severity
  • Ensure /var/log/audit Located On Separate Partition

    Audit logs are stored in the <code>/var/log/audit</code> directory. Ensure that <code>/var/log/audit</code> has its own partition or logical volum...
    Rule Low Severity
  • Ensure /var/tmp Located On Separate Partition

    The <code>/var/tmp</code> directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volum...
    Rule Medium Severity
  • GNOME Desktop Environment

    GNOME is a graphical desktop environment bundled with many Linux distributions that allow users to easily interact with the operating system graphi...
    Group
  • Remove the GDM Package Group

    By removing the <code>gdm</code> package, the system no longer has GNOME installed installed. If X Windows is not installed then the system canno...
    Rule Medium Severity
  • Make sure that the dconf databases are up-to-date with regards to respective keyfiles

    By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by ...
    Rule High Severity
  • Configure GNOME3 DConf User Profile

    By default, DConf provides a standard user profile. This profile contains a list of DConf configuration databases. The user profile and database al...
    Rule High Severity
  • Configure GNOME Login Screen

    In the default GNOME desktop, the login is displayed after system boot and can display user accounts, allow users to reboot the system, and allow u...
    Group
  • Disable the GNOME3 Login Restart and Shutdown Buttons

    In the default graphical environment, users logging directly into the system are greeted with a login screen that allows any user, known or unknown...
    Rule High Severity
  • Disable the GNOME3 Login User List

    In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This fu...
    Rule Medium Severity
  • Enable the GNOME3 Login Smartcard Authentication

    In the default graphical environment, smart card authentication can be enabled on the login screen by setting <code>enable-smartcard-authentication...
    Rule Medium Severity
  • Set the GNOME3 Login Number of Failures

    In the default graphical environment, the GNOME3 login screen and be configured to restart the authentication process after a configured number of ...
    Rule Medium Severity
  • Disable GDM Automatic Login

    The GNOME Display Manager (GDM) can allow users to automatically login without user interaction or credentials. User should always be required to a...
    Rule High Severity
  • Disable GDM Guest Login

    The GNOME Display Manager (GDM) can allow users to login without credentials which can be useful for public kiosk scenarios. Allowing users to logi...
    Rule High Severity
  • Disable XDMCP in GDM

    XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g. <a href="https://help.gnome.org/admin/gdm/stable/security.html....
    Rule High Severity
  • GNOME Media Settings

    GNOME media settings that apply to the graphical interface.
    Group
  • Disable GNOME3 Automounting

    The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are...
    Rule Medium Severity
  • Disable GNOME3 Automount Opening

    The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are...
    Rule Medium Severity
  • Disable GNOME3 Automount running

    The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are...
    Rule Low Severity
  • Disable All GNOME3 Thumbnailers

    The system's default desktop environment, GNOME3, uses a number of different thumbnailer programs to generate thumbnails for any new or modified co...
    Rule Unknown Severity
  • GNOME Network Settings

    GNOME network settings that apply to the graphical interface.
    Group
  • Disable WIFI Network Connection Creation in GNOME3

    <code>GNOME</code> allows users to create ad-hoc wireless connections through the <code>NetworkManager</code> applet. Wireless connections should b...
    Rule Medium Severity
  • Disable WIFI Network Notification in GNOME3

    By default, <code>GNOME</code> disables WIFI notification. This should be permanently set so that users do not connect to a wireless network when t...
    Rule Medium Severity
  • GNOME Remote Access Settings

    GNOME remote access settings that apply to the graphical interface.
    Group
  • Require Credential Prompting for Remote Access in GNOME3

    By default, <code>GNOME</code> does not require credentials when using <code>Vino</code> for remote access. To configure the system to require remo...
    Rule Medium Severity
  • Require Encryption for Remote Access in GNOME3

    By default, <code>GNOME</code> requires encryption when using <code>Vino</code> for remote access. To prevent remote access encryption from being d...
    Rule Medium Severity
  • Configure GNOME Screen Locking

    In the default GNOME3 desktop, the screen can be locked by selecting the user name in the far right corner of the main panel and selecting <b>Lock<...
    Group
  • Screensaver Inactivity timeout

    Choose allowed duration (in seconds) of inactive graphical sessions
    Value
  • Screensaver Lock Delay

    Choose allowed duration (in seconds) after a screensaver becomes active before displaying an authentication prompt
    Value
  • Enable GNOME3 Screensaver Idle Activation

    To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set <code>idle-activation-enabled</code> to <code>true</code...
    Rule Medium Severity
  • Ensure Users Cannot Change GNOME3 Screensaver Idle Activation

    If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding <pre>/org/gnome/desktop/screensaver/idle-acti...
    Rule Medium Severity
  • Set GNOME3 Screensaver Inactivity Timeout

    The idle time-out value for inactivity in the GNOME3 desktop is configured via the <code>idle-delay</code> setting must be set under an appropriate...
    Rule Medium Severity
  • Set GNOME3 Screensaver Lock Delay After Activation Period

    To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set <code>lock-delay</code> to <co...
    Rule Medium Severity
  • Enable GNOME3 Screensaver Lock After Idle Period

    To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set <code>lock-enabled</code> to <code>true</code> in <c...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules