Skip to content

Guide to the Secure Configuration of Red Hat Enterprise Linux 7

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Use Only FIPS 140-2 Validated Ciphers

    Limit the ciphers to those algorithms which are FIPS-approved. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of FIPS-app...
    Rule Medium Severity
  • Use Only FIPS 140-2 Validated Key Exchange Algorithms

    Limit the key exchange algorithms to those which are FIPS-approved. Add or modify the following line in <code>/etc/ssh/sshd_config</code> <pre>Kex...
    Rule Medium Severity
  • Use Only FIPS 140-2 Validated MACs

    Limit the MACs to those hash algorithms which are FIPS-approved. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of FIPS-a...
    Rule Medium Severity
  • Use Only FIPS 140-2 Validated MACs

    Limit the MACs to those hash algorithms which are FIPS-approved. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of FIPS-a...
    Rule Medium Severity
  • Enable Use of Privilege Separation

    When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH...
    Rule Medium Severity
  • Use Only Strong Ciphers

    Limit the ciphers to strong algorithms. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in <code>/et...
    Rule Medium Severity
  • Use Only Strong Key Exchange algorithms

    Limit the Key Exchange to strong algorithms. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of those: <pre>KexAlgorithms ...
    Rule Medium Severity
  • Prevent remote hosts from connecting to the proxy display

    The SSH daemon should prevent remote hosts from connecting to the proxy display. <br> The default SSH configuration for <code>X11UseLocalhost</code...
    Rule Medium Severity
  • Strengthen Firewall Configuration if Possible

    If the SSH server is expected to only receive connections from the local network, then strengthen the default firewall rule for the SSH service to ...
    Group
  • System Security Services Daemon

    The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red H...
    Group
  • SSSD certificate_verification option

    Value of the certificate_verification option in the SSSD config.
    Value
  • SSSD memcache_timeout option

    Value of the memcache_timeout option in the [nss] section of SSSD config /etc/sssd/sssd.conf.
    Value
  • SSSD ssh_known_hosts_timeout option

    Value of the ssh_known_hosts_timeout option in the [ssh] section of SSSD configuration file /etc/sssd/sssd.conf.
    Value
  • Install sssd-ipa Package

    The sssd-ipa package can be installed with the following command:
    $ sudo yum install sssd-ipa
    Rule Medium Severity
  • Install the SSSD Package

    The <code>sssd</code> package should be installed. The <code>sssd</code> package can be installed with the following command: <pre> $ sudo yum inst...
    Rule Medium Severity
  • Enable the SSSD Service

    The SSSD service should be enabled. The <code>sssd</code> service can be enabled with the following command: <pre>$ sudo systemctl enable sssd.ser...
    Rule Medium Severity
  • Configure PAM in SSSD Services

    SSSD should be configured to run SSSD <code>pam</code> services. To configure SSSD to known SSH hosts, add <code>pam</code> to <code>services</code...
    Rule Medium Severity
  • Enable Smartcards in SSSD

    SSSD should be configured to authenticate access to the system using smart cards. To enable smart cards in SSSD, set <code>pam_cert_auth</code> to ...
    Rule Medium Severity
  • Configure SSSD's Memory Cache to Expire

    SSSD's memory cache should be configured to set to expire records after <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_sssd_mem...
    Rule Medium Severity
  • Configure SSSD to Expire Offline Credentials

    SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set <code>offline_credential...
    Rule Medium Severity
  • Configure SSSD to Expire SSH Known Hosts

    SSSD should be configured to expire keys from known SSH hosts after <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_sssd_ssh_kno...
    Rule Medium Severity
  • Disable X Windows Startup By Setting Default Target

    Systems that do not require a graphical user interface should only boot by default into <code>multi-user.target</code> mode. This prevents accident...
    Rule Medium Severity
  • Configure SSSD LDAP Backend Client CA Certificate

    Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions. By setting the <pre>ldap_tls_cacert</pre> option ...
    Rule Medium Severity
  • Configure SSSD LDAP Backend Client CA Certificate Location

    Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions. By setting the <pre>ldap_tls_cacertdir</pre> opti...
    Rule Medium Severity
  • Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server

    Configure SSSD to demand a valid certificate from the server to protect the integrity of LDAP remote access sessions by setting the <pre>ldap_tls_r...
    Rule Medium Severity
  • Configure SSSD LDAP Backend to Use TLS For All Transactions

    The LDAP client should be configured to implement TLS for the integrity of all remote LDAP authentication sessions. If the <code>id_provider</code>...
    Rule High Severity
  • USBGuard daemon

    The USBGuard daemon enforces the USB device authorization policy for all USB devices.
    Group
  • Install usbguard Package

    The usbguard package can be installed with the following command:
    $ sudo yum install usbguard
    Rule Medium Severity
  • X Window System

    The X Window System implementation included with the system is called X.org.
    Group
  • Disable X Windows

    Unless there is a mission-critical reason for the system to run a graphical user interface, ensure X is not set to start automatically at boot and ...
    Group
  • Remove the X Windows Package Group

    By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot ...
    Rule Medium Severity
  • Disable graphical user interface

    By removing the following packages, the system no longer has X Windows installed. <code>xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-serv...
    Rule Medium Severity
  • Introduction

    The purpose of this guidance is to provide security configuration recommendations and baselines for the Red Hat Enterprise Linux 7 operating system...
    Group
  • Encrypt Transmitted Data Whenever Possible

    Data transmitted over a network, whether wired or wireless, is susceptible to passive monitoring. Whenever practical solutions for encrypting such ...
    Group
  • Least Privilege

    Grant the least privilege necessary for user accounts and software to perform tasks. For example, <code>sudo</code> can be implemented to limit aut...
    Group
  • Minimize Software to Minimize Vulnerability

    The simplest way to avoid vulnerabilities in software is to avoid installing that software. On Red Hat Enterprise Linux 7,the RPM Package Manager (...
    Group
  • Run Different Network Services on Separate Systems

    Whenever possible, a server should be dedicated to serving exactly one network service. This limits the number of other services that can be compro...
    Group
  • Configure Security Tools to Improve System Robustness

    Several tools exist which can be effectively used to improve a system's resistance to and detection of unknown attacks. These tools can improve rob...
    Group
  • How to Use This Guide

    Readers should heed the following points when using the guide.
    Group
  • Formatting Conventions

    Commands intended for shell execution, as well as configuration file text, are featured in a <code>monospace font</code>. <i>Italics</i> are used t...
    Group
  • Read Sections Completely and in Order

    Each section may build on information and recommendations discussed in prior sections. Each section should be read and understood completely; instr...
    Group
  • Reboot Required

    A system reboot is implicitly required after some actions in order to complete the reconfiguration of the system. In many cases, the changes will n...
    Group
  • Root Shell Environment Assumed

    Most of the actions listed in this document are written with the assumption that they will be executed by the root user running the <code>/bin/bash...
    Group
  • Test in Non-Production Environment

    This guidance should always be tested in a non-production environment before deployment. This test environment should simulate the setup in which t...
    Group
  • Disable ypserv Service

    The <code>ypserv</code> service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The <code>ypserv</code> s...
    Rule Medium Severity
  • SSH Strong MACs by FIPS

    Specify the FIPS approved MACs (Message Authentication Code) algorithms that are used for data integrity protection by the SSH server.
    Value
  • Remove SSH Server firewalld Firewall exception (Unusual)

    By default, inbound connections to SSH's port are allowed. If the SSH server is not being used, this exception should be removed from the firewall ...
    Rule Unknown Severity
  • Verify File Hashes with RPM

    Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package m...
    Rule High Severity
  • Verify and Correct File Permissions with RPM

    The RPM package management system can check file access permissions of installed software packages, including many that are important to system sec...
    Rule High Severity
  • Ensure /dev/shm is configured

    The <code>/dev/shm</code> is a traditional shared memory concept. One program will create a memory portion, which other processes (if permitted) ca...
    Rule Low Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules