Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Public web server resources must not be shared with private assets
It is important to segregate public web server resources from private resources located behind the DoD DMZ in order to protect private assets.Rule Medium Severity -
Backup interactive scripts on the production web server are prohibited
Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken.Rule Medium Severity -
Configure Operating System to Protect Web Server
The following configuration steps should be taken on the system which hosts the web server, in order to provide as safe an environment as possible ...Group -
Scan All Uploaded Content for Malicious Software
Install anti-virus software on the system and set it to automatically scan new files that are introduced to the web server.Rule Medium Severity -
Ensure Remote Administrative Access Is Encrypted
Ensure that the SSH server service is enabled. The <code>sshd</code> service can be enabled with the following command: <pre>$ sudo systemctl enab...Rule High Severity -
Run httpd in a chroot Jail if Practical
Running <code>httpd</code> inside a <code>chroot</code> jail is designed to isolate the web server process to a small section of the filesystem, li...Group -
Restrict File and Directory Access
Minimize access to criticalhttpdfiles and directories.Group -
Set Permissions on the /etc/httpd/conf/ Directory
To properly set the permissions of/etc/http/conf, run the command:$ sudo chmod 0750 /etc/http/conf
Rule Unknown Severity -
Set Permissions on the /var/log/httpd/ Directory
Ensure that the permissions on the web server log directory is set to 700:$ sudo chmod 700 /var/log/httpd/
This is its default setting.Rule Medium Severity -
Set Permissions on All Configuration Files Inside /etc/httpd/conf.d/
To properly set the permissions of/etc/http/conf.d/*, run the command:$ sudo chmod 0640 /etc/http/conf.d/*
Rule Unknown Severity -
Set Permissions on All Configuration Files Inside /etc/httpd/conf/
To properly set the permissions of/etc/http/conf/*, run the command:$ sudo chmod 0640 /etc/http/conf/*
Rule Unknown Severity -
Set Permissions on All Configuration Files Inside /etc/httpd/conf.modules.d/
To properly set the permissions of/etc/http/conf.modules.d/*, run the command:$ sudo chmod 0640 /etc/http/conf.modules.d/*
Rule Unknown Severity -
HTTPD Log Files Must Be Owned By Root
All <code>httpd</code> logs must be owned by root user and group. By default, the path for httpd logs is <code>/var/log/httpd/</code> To properly ...Rule Medium Severity -
Configure PERL Securely
PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from...Group -
Restrict Other Critical Directories
All accessible web directories should be configured with similarly restrictive settings. The <code>Options</code> directive should be limited to ne...Rule Unknown Severity -
Configure HTTP PERL Scripts To Use TAINT Option
If the <code>mod_perl</code> module is installed, enable Perl Taint checking in <code>/etc/httpd/conf/httpd.conf</code>. To enable Perl Taint check...Rule Medium Severity -
Configure PHP Securely
PHP is a widely-used and often misconfigured server-side scripting language. It should be used with caution, but configured appropriately when need...Group -
Directory Restrictions
The Directory tags in the web server configuration file allow finer grained access control for a specified directory. All web directories should be...Group -
Web Content Directories Must Not Be Shared Anonymously
Web content directories should not be shared anonymously over remote filesystems such as <code>nfs</code> and <code>smb</code>. Remove the shares f...Rule Medium Severity -
Remove Write Permissions From Filesystem Paths And Server Scripts
Configure permissions for each instance of <code>Alias</code>, <code>ScriptAlias</code>, and <code>ScriptAliasMatch</code> that exist. <pre>$ sudo ...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.