Skip to content

Guide to the Secure Configuration of Red Hat Enterprise Linux 7

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Verify All Account Password Hashes are Shadowed

    If any password hashes are stored in <code>/etc/passwd</code> (in the second field, instead of an <code>x</code> or <code>*</code>), the cause of t...
    Rule Medium Severity
  • Ensure all users last password change date is in the past

    All users should have a password change date in the past.
    Rule Medium Severity
  • Set number of Password Hashing Rounds - password-auth

    Configure the number or rounds for the password hashing algorithm. This can be accomplished by using the <code>rounds</code> option for the <code>p...
    Rule Medium Severity
  • Set number of Password Hashing Rounds - system-auth

    Configure the number or rounds for the password hashing algorithm. This can be accomplished by using the <code>rounds</code> option for the <code>p...
    Rule Medium Severity
  • All GIDs referenced in /etc/passwd must be defined in /etc/group

    Add a group to the system for each GID referenced without a corresponding group.
    Rule Low Severity
  • Prevent Login to Accounts With Empty Password

    If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without ...
    Rule High Severity
  • Ensure There Are No Accounts With Blank or Null Passwords

    Check the "/etc/shadow" file for blank passwords with the following command: <pre>$ sudo awk -F: '!$2 {print $1}' /etc/shadow</pre> If the command ...
    Rule High Severity
  • Verify No .forward Files Exist

    The .forward file specifies an email address to forward the user's mail to.
    Rule Medium Severity
  • Ensure there are no legacy + NIS entries in /etc/group

    The <code>+</code> character in <code>/etc/group</code> file marks a place where entries from a network information service (NIS) should be directl...
    Rule Medium Severity
  • Action for auditd to take when disk space is low

    The setting for admin_space_left_action in /etc/audit/auditd.conf
    Value
  • Ensure there are no legacy + NIS entries in /etc/passwd

    The <code>+</code> character in <code>/etc/passwd</code> file marks a place where entries from a network information service (NIS) should be direct...
    Rule Medium Severity
  • Ensure there are no legacy + NIS entries in /etc/shadow

    The <code>+</code> character in <code>/etc/shadow</code> file marks a place where entries from a network information service (NIS) should be direct...
    Rule Medium Severity
  • Verify No netrc Files Exist

    The <code>.netrc</code> files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files ma...
    Rule Medium Severity
  • Restrict Root Logins

    Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivil...
    Group
  • Group Name Used by pam_wheel Group Parameter

    pam_wheel module has a parameter called group, which controls which groups can access the su command. This variable holds the valid value for the p...
    Value
  • Verify Only Root Has UID 0

    If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or h...
    Rule High Severity
  • Verify Root Has A Primary GID 0

    The root user should have a primary group of 0.
    Rule High Severity
  • Direct root Logins Not Allowed

    To further limit access to the <code>root</code> account, administrators can disable root logins at the console by editing the <code>/etc/securetty...
    Rule Medium Severity
  • Ensure that System Accounts Are Locked

    Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. An attacker should not be abl...
    Rule Medium Severity
  • Restrict Web Browser Use for Administrative Accounts

    Enforce policy requiring administrative accounts use web browsers only for local service administration.
    Rule Unknown Severity
  • Ensure the audit Subsystem is Installed

    The audit package should be installed.
    Rule Medium Severity
  • Ensure that System Accounts Do Not Run a Shell Upon Login

    Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. Should an attacker be able to...
    Rule Medium Severity
  • Restrict Serial Port Root Logins

    To restrict root logins on serial ports, ensure lines of this form do not appear in /etc/securetty:
    ttyS0
    ttyS1
    Rule Medium Severity
  • Root Path Must Be Vendor Default

    Assuming root shell is bash, edit the following files: <pre>~/.profile</pre> <pre>~/.bashrc</pre> Change any <code>PATH</code> variables to the ven...
    Rule Unknown Severity
  • Restrict Virtual Console Root Logins

    To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in <code>/etc/securetty</code>: <...
    Rule Medium Severity
  • Enforce usage of pam_wheel for su authentication

    To ensure that only users who are members of the <code>wheel</code> group can run commands with altered privileges through the <code>su</code> comm...
    Rule Medium Severity
  • Secure Session Configuration Files for Login Accounts

    When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the...
    Group
  • Maximum login attempts delay

    Maximum time in seconds between fail login attempts before re-prompting.
    Value
  • Maximum concurrent login sessions

    Maximum number of concurrent sessions by a user
    Value
  • Account Inactivity Timeout (seconds)

    In an interactive shell, the value is interpreted as the number of seconds to wait for input after issuing the primary prompt. Bash terminates afte...
    Value
  • Interactive users initialization files

    'A regular expression describing a list of file names for files that are sourced at login time for interactive users'
    Value
  • Ensure Home Directories are Created for New Users

    All local interactive user accounts, upon creation, should be assigned a home directory. <br><br> Configure the operating system to assign home dir...
    Rule Medium Severity
  • Ensure the Logon Failure Delay is Set Correctly in login.defs

    To ensure the logon failure delay controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>FAIL_DELAY</code> setting in...
    Rule Medium Severity
  • Limit the Number of Concurrent Login Sessions Allowed Per User

    Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions...
    Rule Low Severity
  • Configure Polyinstantiation of /tmp Directories

    To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use th...
    Rule Low Severity
  • Configure Polyinstantiation of /var/tmp Directories

    To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use th...
    Rule Low Severity
  • User Initialization Files Must Be Group-Owned By The Primary Group

    Change the group owner of interactive users files to the group found in <pre>/etc/passwd</pre> for the user. To change the group owner of a local i...
    Rule Medium Severity
  • User Initialization Files Must Not Run World-Writable Programs

    Set the mode on files being executed by the user initialization files with the following command:
    $ sudo chmod o-w FILE
    Rule Medium Severity
  • User Initialization Files Must Be Owned By the Primary User

    Set the owner of the user initialization files for interactive users to the primary owner with the following command: <pre>$ sudo chown <i>USER</i>...
    Rule Medium Severity
  • Ensure that Users Path Contains Only Local Directories

    Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working dir...
    Rule Medium Severity
  • All Interactive Users Must Have A Home Directory Defined

    Assign home directories to all interactive users that currently do not have a home directory assigned. This rule checks if the home directory is p...
    Rule Medium Severity
  • All Interactive Users Home Directories Must Exist

    Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create t...
    Rule Medium Severity
  • All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group

    Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner ...
    Rule Medium Severity
  • All User Files and Directories In The Home Directory Must Have a Valid Owner

    Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories....
    Rule Medium Severity
  • All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive

    Set the mode on files and directories in the local interactive user home directory with the following command: <pre>$ sudo chmod 0750 /home/<i>USER...
    Rule Medium Severity
  • All Interactive User Home Directories Must Be Group-Owned By The Primary Group

    Change the group owner of interactive users home directory to the group found in <code>/etc/passwd</code>. To change the group owner of interactive...
    Rule Medium Severity
  • All Interactive User Home Directories Must Be Owned By The Primary User

    Change the owner of interactive users home directories to that correct owner. To change the owner of a interactive users home directory, use the fo...
    Rule Medium Severity
  • Ensure All User Initialization Files Have Mode 0740 Or Less Permissive

    Set the mode of the user initialization files to <code>0740</code> with the following command: <pre>$ sudo chmod 0740 /home/<i>USER</i>/.<i>INIT_FI...
    Rule Medium Severity
  • All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

    Change the mode of interactive users home directories to <code>0750</code>. To change the mode of interactive users home directory, use the followi...
    Rule Medium Severity
  • Ensure that User Home Directories are not Group-Writable or World-Readable

    For each human user of the system, view the permissions of the user's home directory: <pre># ls -ld /home/<i>USER</i></pre> Ensure that the directo...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules