Skip to content

Guide to the Secure Configuration of Red Hat Enterprise Linux 7

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Mount Remote Filesystems with Kerberos Security

    Add the <code>sec=krb5:krb5i:krb5p</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of any NFS mo...
    Rule Medium Severity
  • Mount Remote Filesystems with nodev

    Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
    Rule Medium Severity
  • Mount Remote Filesystems with noexec

    Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
    Rule Medium Severity
  • Mount Remote Filesystems with nosuid

    Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
    Rule Medium Severity
  • Configure NFS Servers

    The steps in this section are appropriate for systems which operate as NFS servers.
    Group
  • Ensure All-Squashing Disabled On All Exports

    The <code>all_squash</code> maps all uids and gids to an anonymous user. This should be disabled by removing any instances of the <code>all_squash<...
    Rule Low Severity
  • Ensure Insecure File Locking is Not Allowed

    By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients s...
    Rule Medium Severity
  • Restrict NFS Clients to Privileged Ports

    By default, the server NFS implementation requires that all client requests be made from ports less than 1024. If your organization has control ove...
    Rule Unknown Severity
  • Use Kerberos Security on All Exports

    Using Kerberos on all exported mounts prevents a malicious client or user from impersonating a system user. To cryptography authenticate users to t...
    Rule Medium Severity
  • Use Root-Squashing on All Exports

    If a filesystem is exported using root squashing, requests from root on the client are considered to be unprivileged (mapped to a user such as nobo...
    Rule Unknown Severity
  • Configure the Exports File Restrictively

    Linux's NFS implementation uses the file <code>/etc/exports</code> to control what filesystems and directories may be accessed via NFS. (See the <c...
    Group
  • Export Filesystems Read-Only if Possible

    If a filesystem is being exported so that users can view the files in a convenient fashion, but there is no need for users to edit those files, exp...
    Group
  • Use Access Lists to Enforce Authorization Restrictions

    When configuring NFS exports, ensure that each export line in <code>/etc/exports</code> contains a list of hosts which are allowed to access that e...
    Group
  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...
    Group
  • Vendor Approved Time pools

    The list of vendor-approved pool servers
    Value
  • Vendor Approved Time Servers

    The list of vendor-approved time servers
    Value
  • Maximum NTP or Chrony Poll

    The maximum NTP or Chrony poll interval number in seconds specified as a power of two.
    Value
  • The Chrony package is installed

    System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or se...
    Rule Medium Severity
  • Install the ntp service

    The ntpd service should be installed.
    Rule High Severity
  • The Chronyd service is enabled

    chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a ...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules