Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Ensure nftables Default Deny Firewall Policy
Base chain policy is the default verdict that will be applied to packets reaching the end of the chain. There are two policies: accept (Default) and drop. If the policy is set to accept, the firewa...Rule Medium Severity -
Ensure Base Chains Exist for Nftables
Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six families. Chains are containers for rules. They exist i...Rule Medium Severity -
Set nftables Configuration for Loopback Traffic
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.Rule Medium Severity -
Network Manager
The NetworkManager daemon configures a variety of network connections. This section discusses how to configure NetworkManager.Group -
NetoworkManager DNS Mode
This sets how NetworkManager handles DNS. none - NetworkManager will not modify resolv.conf. default - NetworkManager will update /etc/resolv.conf to reflect the nameservers provided by currently...Value -
Verify that All World-Writable Directories Have Sticky Bits Set
When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may ...Rule Medium Severity -
Ensure All Files Are Owned by a Group
If any file is not group-owned by a group present in /etc/group, the cause of the lack of group-ownership must be investigated. Following this, those files should be deleted or assigned to an appro...Rule Medium Severity -
Verify Permissions and Ownership of Old Passwords File
To properly set the owner of <code>/etc/security/opasswd</code>, run the command: <pre>$ sudo chown root /etc/security/opasswd </pre> To properly set the group owner of <code>/etc/security/opasswd...Rule Medium Severity -
Verify Group Who Owns /etc/shells File
To properly set the group owner of/etc/shells, run the command:$ sudo chgrp root /etc/shells
Rule Medium Severity -
Verify Who Owns /etc/shells File
To properly set the owner of/etc/shells, run the command:$ sudo chown root /etc/shells
Rule Medium Severity -
Verify Permissions on group File
To properly set the permissions of/etc/group, run the command:$ sudo chmod 0644 /etc/group
Rule Medium Severity -
Verify Permissions on /etc/shells File
To properly set the permissions of/etc/shells, run the command:$ sudo chmod 0644 /etc/shells
Rule Medium Severity -
Verify that audit tools are owned by group root
The Red Hat Enterprise Linux 7 operating system audit tools must have the proper ownership configured to protected against unauthorized access. Verify it by running the following command: <pre>$ s...Rule Medium Severity -
Verify that audit tools are owned by root
The Red Hat Enterprise Linux 7 operating system audit tools must have the proper ownership configured to protected against unauthorized access. Verify it by running the following command: <pre>$ s...Rule Medium Severity -
Verify that audit tools Have Mode 0755 or less
The Red Hat Enterprise Linux 7 operating system audit tools must have the proper permissions configured to protected against unauthorized access. Verify it by running the following command: <pre>$...Rule Medium Severity -
Configure Firewalls to Protect the FTP Server
By default, <code>firewalld</code> blocks access to the ports used by the web server. To configure <code>firewalld</code> to allow <code>ftp</code> access, run the following command(s): <pre>fir...Rule Unknown Severity -
Uninstall nginx Package
Thenginxpackage can be removed with the following command:$ sudo yum erase nginx
Rule Unknown Severity -
Configure firewall to Allow Access to the Web Server
By default, <code>firewalld</code> blocks access to the ports used by the web server. To configure <code>firewalld</code> to allow <code>http</code> access, run the following command(s): <pre>fir...Rule Low Severity -
Allow IMAP Clients to Access the Server
The default <code>firewalld</code> configuration does not allow inbound access to any services. This modification will allow remote hosts to initiate connections to the IMAP daemon, while keeping ...Group -
Uninstall cyrus-imapd Package
Thecyrus-imapdpackage can be removed with the following command:$ sudo yum erase cyrus-imapd
Rule Unknown Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.