Red Hat Enterprise Linux 8 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option mus...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
RHEL 8 must prevent special devices on non-root local partitions.
<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
RHEL 8 must prevent code from being executed on file systems that contain user home directories.
<VulnDiscussion>The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file syste...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
RHEL 8 must prevent special devices on file systems that are used with removable media.
<VulnDiscussion>The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or block ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
RHEL 8 must prevent code from being executed on file systems that are used with removable media.
<VulnDiscussion>The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file syste...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option mus...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).
<VulnDiscussion>The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file syste...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).
<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option mus...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
Local RHEL 8 initialization files must not execute world-writable programs.
<VulnDiscussion>If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modi...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
RHEL 8 must disable kernel dumps unless needed.
<VulnDiscussion>Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a co...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
RHEL 8 must disable the kernel.core_pattern.
<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission ob...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
RHEL 8 must disable acquiring, saving, and processing core dumps.
<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission ob...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
RHEL 8 must disable core dumps for all users.
<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission ob...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
RHEL 8 must disable storing core dumps.
<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission ob...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
RHEL 8 must disable core dump backtraces.
<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission ob...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
<VulnDiscussion>To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolut...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory.
<VulnDiscussion>The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search t...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.
<VulnDiscussion>If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
<VulnDiscussion>If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized us...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file.
<VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files th...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All RHEL 8 local interactive user home directories must have mode 0750 or less permissive.
<VulnDiscussion>Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.&...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist.
<VulnDiscussion>If a local interactive user has a home directory defined that does not exist, the user may be given access to the "/" directo...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All RHEL 8 local interactive user accounts must be assigned a home directory upon creation.
<VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files th...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All RHEL 8 local initialization files must have mode 0740 or less permissive.
<VulnDiscussion>Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these fil...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.