Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Verify Group Who Owns /etc/ipsec.secrets File
To properly set the group owner of/etc/ipsec.secrets, run the command:$ sudo chgrp root /etc/ipsec.secrets
Rule Medium Severity -
Verify User Who Owns /etc/ipsec.conf File
To properly set the owner of/etc/ipsec.conf, run the command:$ sudo chown root /etc/ipsec.conf
Rule Medium Severity -
iptables and ip6tables
A host-based firewall called <code>netfilter</code> is included as part of the Linux kernel distributed with the system. It is activated by default. This firewall is controlled by the program <code...Group -
Remove iptables-services Package
Theiptables-servicespackage can be removed with the following command:$ sudo yum erase iptables-services
Rule Medium Severity -
Verify Group Who Owns /etc/iptables Directory
To properly set the group owner of/etc/iptables, run the command:$ sudo chgrp root /etc/iptables
Rule Medium Severity -
Verify User Who Owns /etc/iptables Directory
To properly set the owner of/etc/iptables, run the command:$ sudo chown root /etc/iptables
Rule Medium Severity -
Verify Permissions On /etc/iptables Directory
To properly set the permissions of/etc/iptables, run the command:$ sudo chmod 0700 /etc/iptables
Rule Medium Severity -
Inspect and Activate Default Rules
View the currently-enforced <code>iptables</code> rules by running the command: <pre>$ sudo iptables -nL --line-numbers</pre> The command is analogous for <code>ip6tables</code>. <br> ...Group -
Strengthen the Default Ruleset
The default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in the configuration files <code>iptables</code> and <code>ip6tables</code> in t...Group -
Set Default iptables Policy for Forwarded Packets
To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line ...Rule Medium Severity -
Ensure IPv6 is disabled through kernel boot parameter
To disable IPv6 protocol support in the Linux kernel, add the argument <code>ipv6.disable=1</code> to the default GRUB2 command line for the Linux operating system. To ensure that <code>ipv6.disabl...Rule Low Severity -
Manually Assign IPv6 Router Address
Edit the file <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i> </code>, and add or correct the following line (substituting your gateway IP as appropriate): <pre>IPV6_D...Rule Unknown Severity -
Use Privacy Extensions for Address
To introduce randomness into the automatic generation of IPv6 addresses, add or correct the following line in <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i> </code>: ...Rule Unknown Severity -
Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces
To set the runtime status of the <code>net.ipv6.conf.all.accept_ra_pinfo</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0</pre> To make ...Rule Unknown Severity -
Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces
To set the runtime status of the <code>net.ipv6.conf.all.max_addresses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.max_addresses=1</pre> To make sure...Rule Unknown Severity -
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
To set the runtime status of the <code>net.ipv6.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=...Rule Medium Severity -
Configure Denying Router Solicitations on All IPv6 Interfaces By Default
To set the runtime status of the <code>net.ipv6.conf.default.router_solicitations</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.router_solicitation...Rule Unknown Severity -
Disable Accepting Packets Routed Between Local Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.accept_local</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_local=0</pre> To make sure t...Rule Medium Severity -
Disable Accepting ICMP Redirects for All IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0</pre> To mak...Rule Medium Severity -
Configure Response Mode of ARP Requests for All IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.arp_ignore</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.arp_ignore=<xccdf-1.2:sub idref="xccd...Rule Medium Severity -
Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.route_localnet</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.route_localnet=0</pre> To make su...Rule Medium Severity -
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.rp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1</pre> To make sure that th...Rule Medium Severity -
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.secure_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0</pre> To mak...Rule Medium Severity -
Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.shared_media</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.shared_media=<xccdf-1.2:sub idref="...Rule Medium Severity -
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
To set the runtime status of the <code>net.ipv4.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=...Rule Medium Severity -
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.icmp_echo_ignore_broadcasts</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</pre> To...Rule Medium Severity -
Verify that Shared Library Directories Have Root Group Ownership
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: <pre>/lib /lib64 /usr/lib /usr/lib64 </pr...Rule Medium Severity -
Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments
Make sure that the system is configured to limit the maximal rate for sending duplicate acknowledgments in response to incoming TCP packets that are for an existing connection but that are invalid ...Rule Medium Severity -
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0</pre> To make su...Rule Medium Severity -
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
To set the runtime status of the <code>net.ipv4.conf.default.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0</pre> To...Rule Medium Severity -
nftables
<code>If firewalld or iptables are being used in your environment, please follow the guidance in their respective section and pass-over the guidance in this section.</code><br><br> nftables is a su...Group -
Install nftables Package
nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Ne...Rule Medium Severity -
Verify Group Who Owns /etc/nftables Directory
To properly set the group owner of/etc/nftables, run the command:$ sudo chgrp root /etc/nftables
Rule Medium Severity -
Verify User Who Owns /etc/nftables Directory
To properly set the owner of/etc/nftables, run the command:$ sudo chown root /etc/nftables
Rule Medium Severity -
Verify Permissions On /etc/nftables Directory
To properly set the permissions of/etc/nftables, run the command:$ sudo chmod 0700 /etc/nftables
Rule Medium Severity -
Ensure a Table Exists for Nftables
Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six families. Red Hat Enterprise Linux 8 uses <code>firewa...Rule Medium Severity -
Disable DCCP Support
The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the <code>dccp</...Rule Medium Severity -
Disable SCTP Support
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection...Rule Medium Severity -
Wireless Networking
Wireless networking, such as 802.11 (WiFi) and Bluetooth, can present a security risk to sensitive or classified systems and networks. Wireless networking hardware is much more likely to be include...Group -
Disable Kernel iwlmvm Module
To configure the system to prevent the <code>iwlmvm</code> kernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/iwlmvm.conf</code>: <pre>install iwlmvm /bin/fa...Rule Medium Severity -
Deactivate Wireless Network Interfaces
Deactivating wireless network interfaces should prevent normal usage of the wireless capability. <br> <br> Configure the system to disable all wireless network interfaces with th...Rule Medium Severity -
Verify that system commands directories have root as a group owner
System commands are stored in the following directories: by default: <pre>/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin </pre> All these directories should have <code>root</code...Rule Medium Severity -
Verify Group Who Owns /etc/selinux Directory
To properly set the group owner of/etc/selinux, run the command:$ sudo chgrp root /etc/selinux
Rule Medium Severity -
Verify that system commands directories have root ownership
System commands are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin </pre> All these directories should be owned by the <code>...Rule Medium Severity -
Verify Group Who Owns /etc/crypttab File
To properly set the group owner of/etc/crypttab, run the command:$ sudo chgrp root /etc/crypttab
Rule Medium Severity -
Verify Group Who Owns System.map Files
The System.map files are symbol map files generated during the compilation of the Linux kernel. They contain the mapping between kernel symbols and their corresponding memory addresses. These files...Rule Low Severity -
Verify User Who Owns /etc/crypttab File
To properly set the owner of/etc/crypttab, run the command:$ sudo chown root /etc/crypttab
Rule Medium Severity -
Verify User Who Owns System.map Files
The System.map files are symbol map files generated during the compilation of the Linux kernel. They contain the mapping between kernel symbols and their corresponding memory addresses. These files...Rule Low Severity -
Verify Permissions on /etc/audit/auditd.conf
To properly set the permissions of/etc/audit/auditd.conf, run the command:$ sudo chmod 0640 /etc/audit/auditd.conf
Rule Medium Severity -
Verify Permissions on /etc/audit/rules.d/*.rules
To properly set the permissions of/etc/audit/rules.d/*.rules, run the command:$ sudo chmod 0640 /etc/audit/rules.d/*.rules
Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.