Skip to content

Guide to the Secure Configuration of Red Hat Enterprise Linux 7

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Uninstall dovecot Package

    The dovecot package can be removed with the following command:
    $ sudo yum erase dovecot
    Rule Unknown Severity
  • Disable Dovecot Service

    The dovecot service can be disabled with the following command:
    $ sudo systemctl mask --now dovecot.service
    Rule Unknown Severity
  • Kerberos

    The Kerberos protocol is used for authentication across non-secure network. Authentication can happen between various types of principals -- users,...
    Group
  • Remove the Kerberos Server Package

    The <code>krb5-server</code> package should be removed if not in use. Is this system the Kerberos server? If not, remove the package. The <code>krb...
    Rule Medium Severity
  • Disable Kerberos by removing host keytab

    Kerberos is not an approved key distribution method for Common Criteria. To prevent using Kerberos by system daemons, remove the Kerberos keytab fi...
    Rule Medium Severity
  • LDAP

    LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. Red Hat Enterprise Linux 7 incl...
    Group
  • Configure OpenLDAP Clients

    This section provides information on which security settings are important to configure in OpenLDAP clients by manually editing the appropriate con...
    Group
  • Ensure LDAP client is not installed

    The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The <code>...
    Rule Low Severity
  • Enable the LDAP Client For Use in Authconfig

    To determine if LDAP is being used for authentication, use the following command: <pre>$ sudo grep -i useldapauth /etc/sysconfig/authconfig</pre> <...
    Rule Medium Severity
  • Configure LDAP Client to Use TLS For All Transactions

    This check verifies cryptography has been implemented to protect the integrity of remote LDAP authentication sessions. <br><br> To determine if LDA...
    Rule Medium Severity
  • Configure Certificate Directives for LDAP Use of TLS

    Ensure a copy of a trusted CA certificate has been placed in the file <code>/etc/pki/tls/CA/cacert.pem</code>. Configure LDAP to enforce TLS use an...
    Rule Medium Severity
  • Configure OpenLDAP Server

    This section details some security-relevant settings for an OpenLDAP server. Installation and configuration of OpenLDAP on Red Hat Enterprise Linu...
    Group
  • Uninstall openldap-servers Package

    The openldap-servers package is not installed by default on a Red Hat Enterprise Linux 7 system. It is needed only by the OpenLDAP server, not by t...
    Rule Low Severity
  • Install and Protect LDAP Certificate Files

    Create the PKI directory for LDAP certificates if it does not already exist: <pre>$ sudo mkdir /etc/pki/tls/ldap $ sudo chown root:root /etc/pki/tl...
    Group
  • Mail Server Software

    Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious target...
    Group
  • Enable Postfix Service

    The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the de...
    Rule Unknown Severity
  • Ensure Mail Transfer Agent is not Listening on any non-loopback Address

    Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or...
    Rule Medium Severity
  • Configure SMTP For Mail Clients

    This section discusses settings for Postfix in a submission-only e-mail configuration.
    Group
  • Postfix Network Interfaces

    The setting for inet_interfaces in /etc/postfix/main.cf
    Value
  • Postfix relayhost

    Specify the host all outbound email should be routed into.
    Value

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules