Skip to content

Guide to the Secure Configuration of Red Hat Enterprise Linux 7

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Disable Anonymous FTP Access

    If any directories that contain dynamic scripts can be accessed via FTP by any group or user that does not require access, remove permissions to su...
    Rule Medium Severity
  • Ignore HTTPD .htaccess Files

    Set AllowOverride to none for each instant of <Directory>.
    Rule Medium Severity
  • Limit Available Methods

    Web server methods are defined in section 9 of RFC 2616 ( <a href="http://www.ietf.org/rfc/rfc2616.txt">http://www.ietf.org/rfc/rfc2616.txt</a>...
    Rule Unknown Severity
  • Restrict Root Directory

    The <code>httpd</code> root directory should always have the most restrictive configuration enabled. <pre>&lt;Directory / &gt; Options None A...
    Rule Unknown Severity
  • Enable Postfix Service

    The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the de...
    Rule Unknown Severity
  • Restrict Web Directory

    The default configuration for the web (<code>/var/www/html</code>) Directory allows directory indexing (<code>Indexes</code>) and the following of ...
    Rule Unknown Severity
  • Minimize Web Server Loadable Modules

    A default installation of <code>httpd</code> includes a plethora of dynamically shared objects (DSO) that are loaded at run-time. Unlike the aforem...
    Group
  • httpd Core Modules

    These modules comprise a basic subset of modules that are likely needed for base <code>httpd</code> functionality; ensure they are not commented ou...
    Group
  • Disable Cache Support

    The <code>cache</code> module allows <code>httpd</code> to cache data, optimizing access to frequently accessed content. However, it introduces pot...
    Rule Unknown Severity
  • Disable CGI Support

    The <code>cgi</code> module allows HTML to interact with the CGI web programming language. <br><br> If this functionality is unnecessary, comment o...
    Rule Unknown Severity
  • Disable HTTP Digest Authentication

    The <code>auth_digest</code> module provides encrypted authentication sessions. If this functionality is unnecessary, comment out the related modul...
    Rule Unknown Severity
  • Enable log_config_module For HTTPD Logging

    The <code>log_config_module</code> should exist and be configured in the <code>/etc/httpd/conf/httpd.conf</code> file by adding the following modul...
    Rule Medium Severity
  • Disable LDAP Support

    The <code>ldap</code> module provides HTTP authentication via an LDAP directory. If its functionality is unnecessary, comment out the related modul...
    Rule Unknown Severity
  • Disable MIME Magic

    The <code>mime_magic</code> module provides a second layer of MIME support that in most configurations is likely extraneous. If its functionality i...
    Rule Unknown Severity
  • Configure All Systems which Use NFS

    The steps in this section are appropriate for all systems which run NFS, whether they operate as clients or as servers.
    Group
  • Disable HTTP mod_rewrite

    The <code>mod_rewrite</code> module is very powerful and can protect against certain classes of web attacks. However, it is also very complex and h...
    Rule Unknown Severity
  • Disable Proxy Support

    The <code>proxy</code> module provides proxying support, allowing <code>httpd</code> to forward requests and serve as a gateway for other servers. ...
    Rule Unknown Severity
  • Disable Server Activity Status

    The <code>status</code> module provides real-time access to statistics on the internal operation of the web server. This may constitute an unnecess...
    Rule Unknown Severity
  • Disable Web Server Configuration Display

    The <code>info</code> module creates a web page illustrating the configuration of the web server. This can create an unnecessary security leak and ...
    Rule Unknown Severity
  • Disable Server Side Includes

    Server Side Includes provide a method of dynamically generating web pages through the insertion of server-side code. However, the technology is als...
    Rule Unknown Severity
  • Disable URL Correction on Misspelled Entries

    The <code>speling</code> module attempts to find a document match by allowing one misspelling in an otherwise failed request. If this functionality...
    Rule Unknown Severity
  • Disable WebDAV (Distributed Authoring and Versioning)

    WebDAV is an extension of the HTTP protocol that provides distributed and collaborative access to web content. If its functionality is unnecessary,...
    Rule Unknown Severity
  • Minimize Modules for HTTP Basic Authentication

    The following modules are necessary if this web server will provide content that will be restricted by a password. <br><br> Authentication can be p...
    Group
  • Disable Plaintext Authentication

    To prevent Dovecot from attempting plaintext authentication of clients, edit <code>/etc/dovecot/conf.d/10-auth.conf</code> and add\or correct the f...
    Rule Unknown Severity
  • Minimize Configuration Files Included

    The <code>Include</code> directive directs <code>httpd</code> to load supplementary configuration files from a provided path. The default configura...
    Group
  • Minimize Various Optional Components

    The following modules perform very specific tasks, sometimes providing access to just a few additional directives. If such functionality is not req...
    Group
  • Use Appropriate Modules to Improve httpd's Security

    Among the modules available for <code>httpd</code> are several whose use may improve the security of the web server installation. This section reco...
    Group
  • Deploy mod_security

    The <code>security</code> module provides an application level firewall for <code>httpd</code>. Following its installation with the base ruleset, s...
    Group
  • Install mod_security

    Install the <code>security</code> module: The <code>mod_security</code> package can be installed with the following command: <pre> $ sudo yum insta...
    Rule Unknown Severity
  • Deploy mod_ssl

    Because HTTP is a plain text protocol, all traffic is susceptible to passive monitoring. If there is a need for confidentiality, SSL should be conf...
    Group
  • Enable Transport Layer Security (TLS) Encryption

    Disable old SSL and TLS version and enable the latest TLS encryption by setting the following in <code>/etc/httpd/conf.modules.d/ssl.conf</code>: <...
    Rule Medium Severity
  • Configure A Valid Server Certificate

    Configure the web site to use a valid organizationally defined certificate. For DoD, this is a DoD server certificate issued by the DoD CA.
    Rule Medium Severity
  • Install mod_ssl

    Install the <code>mod_ssl</code> module: The <code>mod_ssl</code> package can be installed with the following command: <pre> $ sudo yum install mod...
    Rule Unknown Severity
  • Require Client Certificates

    <code>SSLVerifyClient</code> should be set and configured to <code>require</code> by setting the following in <code>/etc/httpd/conf/httpd.conf</cod...
    Rule Medium Severity
  • Restrict Web Server Information Leakage

    The <code>ServerTokens</code> and <code>ServerSignature</code> directives determine how much information the web server discloses about the configu...
    Group
  • Set httpd ServerSignature Directive to Off

    <code>ServerSignature Off</code> restricts <code>httpd</code> from displaying server version number on error pages. <br><br> Add or correct the fol...
    Rule Unknown Severity
  • Set httpd ServerTokens Directive to Prod

    <code>ServerTokens Prod</code> restricts information in page headers, returning only the word "Apache." <br><br> Add or correct the following direc...
    Rule Unknown Severity
  • Configure HTTPD-Served Web Content Securely

    Running <code>httpd</code> inside a <code>chroot</code> jail is designed to isolate the web server process to a small section of the filesystem, li...
    Group
  • Web Login Banner Verbiage

    Enter an appropriate login banner for your organization. Please note that new lines must be expressed by the '\n' character and special characters ...
    Value
  • Configure A Banner Page For Each Website

    Configure a login banner for each website when authentication is required for user access.
    Rule Low Severity
  • Each Web Content Directory Must Contain An index.html File

    Every <code>DocumentRoot</code> that is configured should have an <code>index.html</code> file that exists. Add an <code>index.html</code> file to ...
    Rule Low Severity
  • Disable Web Content Symbolic Links

    For each <code>&lt;Directory&gt;</code> instance, remove the following: <pre>FollowSymLinks</pre> If symbolic links are allowed, the following can ...
    Rule High Severity
  • Encrypt All File Uploads

    Use only secure encrypted logons and connections for uploading files to the web site.
    Rule High Severity
  • Ensure Chrony is only configured with the server directive

    Check that Chrony only has time sources configured with the server directive.
    Rule Medium Severity
  • Remove .java And .jpp Files

    .java and .jpp files should not exist and should be removed from the web server.
    Rule Low Severity
  • The robots.txt Files Must Not Exist

    Remove any <code>robots.txt</code> files that may exist with any web content. Other methods must be employed if there is information on the web sit...
    Rule Medium Severity
  • Ensure Web Content Located on Separate partition

    The <code>DocumentRoot</code> directory is used for storing web content and data. Ensure that the <code>DocumentRoot</code> directory exists on a s...
    Rule Medium Severity
  • Use Denial-of-Service Protection Modules

    Denial-of-service attacks are difficult to detect and prevent while maintaining acceptable access to authorized users. However, some traffic-shapin...
    Group
  • IMAP and POP3 Server

    Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at <a href="http://www.dovecot.org">http://www.dovec...
    Group
  • Configure Dovecot if Necessary

    If the system will operate as an IMAP or POP3 server, the dovecot software should be configured securely by following the recommendations below.
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules