Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Remove ftp Package
FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (perm...Rule Low Severity -
Verify File Hashes with RPM
Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed...Rule High Severity -
Ensure /dev/shm is configured
The <code>/dev/shm</code> is a traditional shared memory concept. One program will create a memory portion, which other processes (if permitted) can access. If <code>/dev/shm</code> is not configur...Rule Low Severity -
Install cryptsetup Package
Thecryptsetuppackage can be installed with the following command:$ sudo yum install cryptsetup
Rule Medium Severity -
Ensure PAM Displays Last Logon/Access Notification
To configure the system to notify users of last logon/access using <code>pam_lastlog</code>, add or correct the <code>pam_lastlog</code> settings in <code>/etc/pam.d/postlogin</code> to include <co...Rule Low Severity -
Lock Accounts After Failed Password Attempts
This rule configures the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>. pam_faillock.so module requires multiple entries in pam files. Th...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words
The pam_pwquality module'sdictcheckcheck if passwords contains dictionary words. Whendictcheckis set to1passwords will be checked for dictionary words.Rule Medium Severity -
Set existing passwords a period of inactivity before they been locked
Configure user accounts that have been inactive for over a given period of time to be automatically disabled by running the following command:$ sudo chage --inactive 30USER
Rule Medium Severity -
Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty
Ensure that the group <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_pam_wheel_group_for_su" use="legacy"></xccdf-1.2:sub></code> referenced by <code>var_pam_wheel_group_for_su<...Rule Medium Severity -
Ensure Authentication Required for Single User Mode
Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.Rule Medium Severity -
Enforce Usage of pam_wheel with Group Parameter for su Authentication
To ensure that only users who are members of the group set in the <code>group</code> option of <code>pam_wheel.so</code> module can run commands with altered privileges through the <code>su</code> ...Rule Medium Severity -
Set Interactive Session Timeout
Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that all user sessions will terminate based on inactivity. The value of TMOUT should be exported and read only. The <code>...Rule Medium Severity -
Ensure users' .netrc Files are not group or world accessible
While the system administrator can establish secure permissions for users' .netrc files, the users can easily override these. This rule ensures every .netrc file or directory under the home direct...Rule Medium Severity -
Record Events When Executables Are Run As Another User
Verify the system generates an audit record when actions are run as another user. sudo provides users with temporary elevated privileges to perform operations, either as the superuser or another us...Rule Medium Severity -
Record Attempts to perform maintenance activities
The Red Hat Enterprise Linux 7 operating system must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions and other system-level access. Verify the operating...Rule Medium Severity -
System Audit Logs Must Be Group Owned By Root
All audit logs must be group owned by root user. The path for audit log can be configured via <code>log_file</code> parameter in <pre>/etc/audit/auditd.conf</pre> or, by default, the path for audit...Rule Medium Severity -
System Audit Logs Must Be Owned By Root
All audit logs must be owned by root user. The path for audit log can be configured via <code>log_file</code> parameter in <pre>/etc/audit/auditd.conf</pre> or by default, the path for audit log is...Rule Medium Severity -
Record Any Attempts to Run chacl
At a minimum, the audit system should collect any execution attempt of the <code>chacl</code> command for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenr...Rule Medium Severity -
Ensure auditd Collects Information on Kernel Module Loading and Unloading
To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: <pr...Rule Medium Severity -
Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity -
Record Attempts to Alter Logon and Logout Events
The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during dae...Group -
Record Attempts to Alter Logon and Logout Events
The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during dae...Rule Medium Severity -
Ensure auditd Collects Information on the Use of Privileged Commands - usermod
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program...Rule Medium Severity -
Type of hostname to record the audit event
Type of hostname to record the audit eventValue -
Set type of computer node name logging in audit logs
To configure Audit daemon to use a unique identifier as computer node name in the audit events, set <code>name_format</code> to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_au...Rule Medium Severity -
Restrict unprivileged access to the kernel syslog
Enforce restrictions on unprivileged users reading the kernel syslog via dmesg(8). The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check the con...Rule Medium Severity -
Ensure Log Files Are Owned By Appropriate Group
The group-owner of all log files written by <code>rsyslog</code> should be <code>root</code>. These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> a...Rule Medium Severity -
Install systemd-journal-remote Package
Journald (via systemd-journal-remote ) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management.Rule Medium Severity -
Disable systemd-journal-remote Socket
Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. NOTE: The same package, systemd-journal-remot...Rule Medium Severity -
Dectivate firewalld Rules
Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. Firewalls can be implemente...Group -
Ensure nftables Default Deny Firewall Policy
Base chain policy is the default verdict that will be applied to packets reaching the end of the chain. There are two policies: accept (Default) and drop. If the policy is set to accept, the firewa...Rule Medium Severity -
Ensure Base Chains Exist for Nftables
Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six families. Chains are containers for rules. They exist i...Rule Medium Severity -
Set nftables Configuration for Loopback Traffic
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.Rule Medium Severity -
Network Manager
The NetworkManager daemon configures a variety of network connections. This section discusses how to configure NetworkManager.Group -
NetoworkManager DNS Mode
This sets how NetworkManager handles DNS. none - NetworkManager will not modify resolv.conf. default - NetworkManager will update /etc/resolv.conf to reflect the nameservers provided by currently...Value -
Verify that All World-Writable Directories Have Sticky Bits Set
When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may ...Rule Medium Severity -
Ensure All Files Are Owned by a Group
If any file is not group-owned by a group present in /etc/group, the cause of the lack of group-ownership must be investigated. Following this, those files should be deleted or assigned to an appro...Rule Medium Severity -
Verify Permissions and Ownership of Old Passwords File
To properly set the owner of <code>/etc/security/opasswd</code>, run the command: <pre>$ sudo chown root /etc/security/opasswd </pre> To properly set the group owner of <code>/etc/security/opasswd...Rule Medium Severity -
Verify Group Who Owns /etc/shells File
To properly set the group owner of/etc/shells, run the command:$ sudo chgrp root /etc/shells
Rule Medium Severity -
Verify Who Owns /etc/shells File
To properly set the owner of/etc/shells, run the command:$ sudo chown root /etc/shells
Rule Medium Severity -
Verify Permissions on group File
To properly set the permissions of/etc/group, run the command:$ sudo chmod 0644 /etc/group
Rule Medium Severity -
Verify Permissions on /etc/shells File
To properly set the permissions of/etc/shells, run the command:$ sudo chmod 0644 /etc/shells
Rule Medium Severity -
Verify that audit tools are owned by group root
The Red Hat Enterprise Linux 7 operating system audit tools must have the proper ownership configured to protected against unauthorized access. Verify it by running the following command: <pre>$ s...Rule Medium Severity -
Verify that audit tools are owned by root
The Red Hat Enterprise Linux 7 operating system audit tools must have the proper ownership configured to protected against unauthorized access. Verify it by running the following command: <pre>$ s...Rule Medium Severity -
Verify that audit tools Have Mode 0755 or less
The Red Hat Enterprise Linux 7 operating system audit tools must have the proper permissions configured to protected against unauthorized access. Verify it by running the following command: <pre>$...Rule Medium Severity -
Configure Firewalls to Protect the FTP Server
By default, <code>firewalld</code> blocks access to the ports used by the web server. To configure <code>firewalld</code> to allow <code>ftp</code> access, run the following command(s): <pre>fir...Rule Unknown Severity -
Uninstall nginx Package
Thenginxpackage can be removed with the following command:$ sudo yum erase nginx
Rule Unknown Severity -
Configure firewall to Allow Access to the Web Server
By default, <code>firewalld</code> blocks access to the ports used by the web server. To configure <code>firewalld</code> to allow <code>http</code> access, run the following command(s): <pre>fir...Rule Low Severity -
Allow IMAP Clients to Access the Server
The default <code>firewalld</code> configuration does not allow inbound access to any services. This modification will allow remote hosts to initiate connections to the IMAP daemon, while keeping ...Group -
Uninstall cyrus-imapd Package
Thecyrus-imapdpackage can be removed with the following command:$ sudo yum erase cyrus-imapd
Rule Unknown Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.