Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Disable netfs if Possible
To determine if any network filesystems handled by netfs are currently mounted on the system execute the following command: <pre>$ mount -t nfs,nfs...Group -
Disable Network File Systems (netfs)
The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these fil...Rule Unknown Severity -
Disable Services Used Only by NFS
If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. <br><br> All of these daemons run with elevated privileges, a...Group -
Uninstall rpcbind Package
The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they a...Rule Low Severity -
Disable Network File System Lock Service (nfslock)
The Network File System Lock (nfslock) service starts the required remote procedure call (RPC) processes which allow clients to lock files on the s...Rule Unknown Severity -
Disable rpcbind Service
The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they a...Rule Low Severity -
Disable Secure RPC Client Service (rpcgssd)
The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the...Rule Unknown Severity -
Disable RPC ID Mapping Service (rpcidmapd)
The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then th...Rule Unknown Severity -
Make Each System a Client or a Server, not Both
If NFS must be used, it should be deployed in the simplest configuration possible to avoid maintainability problems which may lead to unnecessary s...Group -
Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)
Firewalling should be done at each host and at the border firewalls to protect the NFS daemons from remote access, since NFS servers should never b...Group -
Configure lockd to use static TCP port
Configure the <code>lockd</code> daemon to use a static TCP port as opposed to letting the RPC Bind service dynamically assign a port. Edit the fil...Rule Unknown Severity -
Configure lockd to use static UDP port
Configure the <code>lockd</code> daemon to use a static UDP port as opposed to letting the RPC Bind service dynamically assign a port. Edit the fil...Rule Unknown Severity -
Configure mountd to use static port
Configure the <code>mountd</code> daemon to use a static port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file <...Rule Unknown Severity -
Configure statd to use static port
Configure the <code>statd</code> daemon to use a static port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file <c...Rule Unknown Severity -
Configure NFS Clients
The steps in this section are appropriate for systems which operate as NFS clients.Group -
Disable NFS Server Daemons
There is no need to run the NFS server daemons <code>nfs</code> and <code>rpcsvcgssd</code> except on a small number of properly secured systems de...Group -
Disable Network File System (nfs)
The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is...Rule Unknown Severity -
Disable Secure RPC Server Service (rpcsvcgssd)
The rpcsvcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd service ...Rule Unknown Severity -
Specify UID and GID for Anonymous NFS Connections
To specify the UID and GID for remote root users, edit the <code>/etc/exports</code> file and add the following for each export: <pre> anonuid=<cod...Rule Unknown Severity -
Mount Remote Filesystems with Restrictive Options
Edit the file <code>/etc/fstab</code>. For each filesystem whose type (column 3) is <code>nfs</code> or <code>nfs4</code>, add the text <code>,node...Group -
Mount Remote Filesystems with Kerberos Security
Add the <code>sec=krb5:krb5i:krb5p</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of any NFS mo...Rule Medium Severity -
Mount Remote Filesystems with nodev
Add thenodev
option to the fourth column of/etc/fstab
for the line which controls mounting of any NFS mounts.Rule Medium Severity -
Mount Remote Filesystems with noexec
Add thenoexec
option to the fourth column of/etc/fstab
for the line which controls mounting of any NFS mounts.Rule Medium Severity -
Mount Remote Filesystems with nosuid
Add thenosuid
option to the fourth column of/etc/fstab
for the line which controls mounting of any NFS mounts.Rule Medium Severity -
Configure NFS Servers
The steps in this section are appropriate for systems which operate as NFS servers.Group -
Ensure All-Squashing Disabled On All Exports
The <code>all_squash</code> maps all uids and gids to an anonymous user. This should be disabled by removing any instances of the <code>all_squash<...Rule Low Severity -
Ensure Insecure File Locking is Not Allowed
By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients s...Rule Medium Severity -
Restrict NFS Clients to Privileged Ports
By default, the server NFS implementation requires that all client requests be made from ports less than 1024. If your organization has control ove...Rule Unknown Severity -
Use Kerberos Security on All Exports
Using Kerberos on all exported mounts prevents a malicious client or user from impersonating a system user. To cryptography authenticate users to t...Rule Medium Severity -
Use Root-Squashing on All Exports
If a filesystem is exported using root squashing, requests from root on the client are considered to be unprivileged (mapped to a user such as nobo...Rule Unknown Severity -
Configure the Exports File Restrictively
Linux's NFS implementation uses the file <code>/etc/exports</code> to control what filesystems and directories may be accessed via NFS. (See the <c...Group -
Export Filesystems Read-Only if Possible
If a filesystem is being exported so that users can view the files in a convenient fashion, but there is no need for users to edit those files, exp...Group -
Use Access Lists to Enforce Authorization Restrictions
When configuring NFS exports, ensure that each export line in <code>/etc/exports</code> contains a list of hosts which are allowed to access that e...Group -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...Group -
Vendor Approved Time pools
The list of vendor-approved pool serversValue -
Vendor Approved Time Servers
The list of vendor-approved time serversValue -
Maximum NTP or Chrony Poll
The maximum NTP or Chrony poll interval number in seconds specified as a power of two.Value -
The Chrony package is installed
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or se...Rule Medium Severity -
Install the ntp service
The ntpd service should be installed.Rule High Severity -
The Chronyd service is enabled
chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a ...Rule Medium Severity -
Enable the NTP Daemon
Run the following command to determine the current status of the <code>chronyd</code> service: <pre>$ sudo systemctl is-active chronyd</pre> If t...Rule Medium Severity -
Disable xinetd Service
Thexinetd
service can be disabled with the following command:$ sudo systemctl mask --now xinetd.service
Rule Medium Severity -
Enable the NTP Daemon
Thentp
service can be enabled with the following command:$ sudo systemctl enable ntp.service
Rule High Severity -
Enable the NTP Daemon
Thentpd
service can be enabled with the following command:$ sudo systemctl enable ntpd.service
Rule Medium Severity -
Configure Time Service Maxpoll Interval
The <code>maxpoll</code> should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy...Rule Medium Severity -
Specify Additional Remote NTP Servers
Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux 7 system can be configured to util...Rule Medium Severity -
Specify a Remote NTP Server
Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux 7 system can be configured to util...Rule Medium Severity -
Ensure that chronyd is running under chrony user account
chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and us...Rule Medium Severity -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of s...Rule Medium Severity -
Configure server restrictions for ntpd
ntpd is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.