Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Trigger a kernel BUG when data corruption is detected
This option makes the kernel BUG when it encounters data corruption in kernel memory structures when they get checked for validity. This configurat...Rule Low Severity -
Disable compatibility with brk()
Enabling compatiliby with <code>brk()</code> allows legacy binaries to run (i.e. those linked against libc5). But this compatibility comes at the c...Rule Medium Severity -
daemons_dump_core SELinux Boolean
default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.Value -
Disable the 32-bit vDSO
Certain buggy versions of glibc (2.3.3) will crash if they are presented with a 32-bit vDSO that is not mapped at the address indicated in its segm...Rule Low Severity -
Enable checks on credential management
Enable this to turn on some debug checking for credential management. The additional code keeps track of the number of pointers from task_structs t...Rule Low Severity -
Disable kernel debugfs
<code>debugfs</code> is a virtual file system that kernel developers use to put debugging files into. Enable this option to be able to read and wri...Rule Low Severity -
Enable checks on linked list manipulation
Enable this to turn on extended checks in the linked-list walking routines. The configuration that was used to build kernel is available at <code>...Rule Low Severity -
Enable checks on notifier call chains
Enable this to turn on sanity checking for notifier call chains. This is most useful for kernel developers to make sure that modules properly unreg...Rule Low Severity -
Enable checks on scatter-gather (SG) table operations
Scatter-gather tables are mechanism used for high performance I/O on DMA devices. Enable this to turn on checks on scatter-gather tables. The conf...Rule Low Severity -
Warn on W+X mappings found at boot
Generate a warning if any W+X mappings are found at boot. This configuration is available from kernel 5.8. The configuration that was used to buil...Rule Medium Severity -
Configure low address space to protect from user allocation
This is the portion of low virtual memory which should be protected from userspace allocation. This configuration is available from kernel 3.14, bu...Rule Medium Severity -
Disable /dev/kmem virtual device support
Disable support for the /dev/kmem device. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To chec...Rule Low Severity -
Harden common str/mem functions against buffer overflows
Detect overflows of buffers in common string and memory functions where the compiler can determine and validate the buffer sizes. This configuratio...Rule Medium Severity -
Harden memory copies between kernel and userspace
This option checks for obviously wrong memory regions when copying memory to/from the kernel (via copy_to_user() and copy_from_user() functions) by...Rule High Severity -
Do not allow usercopy whitelist violations to fallback to object size
This is a temporary option that allows missing usercopy whitelists to be discovered via a WARN() to the kernel log, instead of rejecting the copy, ...Rule High Severity -
Disable hibernation
Enable the suspend to disk (STD) functionality, which is usually called "hibernation" in user interfaces. STD checkpoints the system and powers it ...Rule Medium Severity -
Disable IA32 emulation
Disables support for legacy 32-bit programs under a 64-bit kernel. The configuration that was used to build kernel is available at <code>/boot/con...Rule Medium Severity -
Disable the IPv6 protocol
Disable support for IP version 6 (IPv6). The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check...Rule Medium Severity -
Disable kexec system call
<code>kexec</code> is a system call that implements the ability to shutdown your current kernel, and to start another kernel. It is like a reboot b...Rule Low Severity -
Disable legacy (BSD) PTY support
Disable the Linux traditional BSD-like terminal names /dev/ptyxx for masters and /dev/ttyxx for slaves of pseudo terminals, and use only the modern...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.