Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
Enable the unconfined_mozilla_plugin_transition SELinux Boolean
By default, the SELinux boolean <code>unconfined_mozilla_plugin_transition</code> is enabled. If this setting is disabled, it should be enabled. To enable the <code>unconfined_mozilla_plugin_trans...Rule Medium Severity -
Disable the virt_sandbox_use_netlink SELinux Boolean
By default, the SELinux boolean <code>virt_sandbox_use_netlink</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>virt_sandbox_use_netlink</code> SELinux b...Rule Medium Severity -
Disable the virt_use_samba SELinux Boolean
By default, the SELinux boolean <code>virt_use_samba</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>virt_use_samba</code> SELinux boolean, run the foll...Rule Medium Severity -
Disable the xdm_exec_bootloader SELinux Boolean
By default, the SELinux boolean <code>xdm_exec_bootloader</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>xdm_exec_bootloader</code> SELinux boolean, ru...Rule Medium Severity -
Disable the xguest_connect_network SELinux Boolean
By default, the SELinux boolean <code>xguest_connect_network</code> is enabled. This setting should be disabled as guest users should not be able to configure <code>NetworkManager</code>. To disab...Rule Medium Severity -
Disable the zebra_write_config SELinux Boolean
By default, the SELinux boolean <code>zebra_write_config</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>zebra_write_config</code> SELinux boolean, run ...Rule Medium Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Red Hat Enterprise Linux 8 installs on a system and disable softwar...Group -
Disable Avahi Server Software
The <code>avahi-daemon</code> service can be disabled with the following command: <pre>$ sudo systemctl mask --now avahi-daemon.service</pre> Rule Medium Severity -
Install the psacct package
The process accounting service, <code>psacct</code>, works with programs including <code>acct</code> and <code>ac</code> to allow system administrators to view user activity, such as commands issue...Rule Low Severity -
Disable CPU Speed (cpupower)
The <code>cpupower</code> service can adjust the clock speed of supported CPUs based upon the current processing load thereby conserving power and reducing heat. The <code>cpupower</code> service ...Rule Low Severity -
Disable KDump Kernel Crash Analyzer (kdump)
The <code>kdump</code> service provides a kernel crash dump analyzer. It uses the <code>kexec</code> system call to boot a secondary kernel ("capture" kernel) following a system crash, which can lo...Rule Medium Severity -
Disable Odd Job Daemon (oddjobd)
The <code>oddjobd</code> service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communicati...Rule Medium Severity -
Disable Network Router Discovery Daemon (rdisc)
The <code>rdisc</code> service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered the...Rule Medium Severity -
Disable Cyrus SASL Authentication Daemon (saslauthd)
The <code>saslauthd</code> service handles plaintext authentication requests on behalf of the SASL library. The service isolates all code requiring superuser privileges for SASL authentication into...Rule Low Severity -
Disable anacron Service
The <code>cronie-anacron</code> package, which provides <code>anacron</code> functionality, is installed by default. The <code>cronie-anacron</code> package can be removed with the following comman...Rule Unknown Severity -
Verify Permissions on cron.d
To properly set the permissions of <code>/etc/cron.d</code>, run the command: <pre>$ sudo chmod 0700 /etc/cron.d</pre> Rule Medium Severity -
Restrict at and cron to Authorized Users if Necessary
The <code>/etc/cron.allow</code> and <code>/etc/at.allow</code> files contain lists of users who are allowed to use <code>cron</code> and at to delay execution of processes. If these files exist an...Group -
Verify Permissions on /etc/at.allow file
If <code>/etc/at.allow</code> exists, it must have permissions <code>0600</code> or more restrictive. To properly set the permissions of <code>/etc/at.allow</code>, run the command: <pre>$ sudo c...Rule Medium Severity -
Verify Permissions on /etc/cron.allow file
If <code>/etc/cron.allow</code> exists, it must have permissions <code>0600</code> or more restrictive. To properly set the permissions of <code>/etc/cron.allow</code>, run the command: <pre>$ su...Rule Medium Severity -
DHCP
The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server. <br> <br> This guide recommends confi...Group -
Create Warning Banners for All FTP Users
Edit the vsftpd configuration file, which resides at <code>/etc/vsftpd/vsftpd.conf</code> by default. Add or correct the following configuration options: <pre>banner_file=/etc/issue</pre> ...Rule Medium Severity -
Minimize the DHCP-Configured Options
Create the file <code>/etc/dhcp/dhclient.conf</code>, and add an appropriate setting for each of the ten configuration settings which can be obtained via DHCP. For each setting, do one of the follo...Rule Unknown Severity -
Deny Decline Messages
Edit <code>/etc/dhcp/dhcpd.conf</code> and add or correct the following global option to prevent the DHCP server from responding to DHCPDECLINE messages, if possible: <pre>deny declines;</pre> ...Rule Unknown Severity -
Do Not Use Dynamic DNS
To prevent the DHCP server from receiving DNS information from clients, edit <code>/etc/dhcp/dhcpd.conf</code>, and add or correct the following global option: <pre>ddns-update-style none;</pre> ...Rule Unknown Severity -
Authenticate Zone Transfers
If it is necessary for a secondary nameserver to receive zone data via zone transfer from the primary server, follow the instructions here. Use dnssec-keygen to create a symmetric key file in the ...Rule Medium Severity -
Disable Zone Transfers from the Nameserver
Is it necessary for a secondary nameserver to receive zone data via zone transfer from the primary server? If not, follow the instructions in this section. If so, see the next section for instruct...Rule Unknown Severity -
Install fapolicyd Package
The <code>fapolicyd</code> package can be installed with the following command: <pre>$ sudo yum install fapolicyd</pre> Rule Medium Severity -
Enable the File Access Policy Service
The File Access Policy service should be enabled. The <code>fapolicyd</code> service can be enabled with the following command: <pre>$ sudo systemctl enable fapolicyd.service</pre> Rule Medium Severity -
FTP Server
FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data transmitted during the session can be captured an...Group -
Limit Users Allowed FTP Access if Necessary
If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add o...Rule Unknown Severity -
Configure Error Log Format
<code>LogFormat</code> should be enabled and set to the following in <code>/etc/httpd/conf/httpd.conf</code>: <pre>LogFormat "a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" \"%{User-Agent}i\"" combin...Rule Medium Severity -
Configure The Number of Allowed Simultaneous Requests
The <code>MaxKeepAliveRequests</code> directive should be set and configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_max_keepalive_requests" use="legacy"></xccdf-1.2:sub> or...Rule Medium Severity -
Configure firewall to Allow Access to the Web Server
By default, <code>iptables</code> blocks access to the ports used by the web server. To configure <code>iptables</code> to allow port 80 traffic, one must edit <code>/etc/sysconfig/iptables</code> ...Rule Low Severity -
Ensure Remote Administrative Access Is Encrypted
Ensure that the SSH server service is enabled. The <code>sshd</code> service can be enabled with the following command: <pre>$ sudo systemctl enable sshd.service</pre> Rule High Severity -
Configure HTTP PERL Scripts To Use TAINT Option
If the <code>mod_perl</code> module is installed, enable Perl Taint checking in <code>/etc/httpd/conf/httpd.conf</code>. To enable Perl Taint checking, add or uncomment the following to <code>/etc/...Rule Medium Severity -
Restrict Web Directory
The default configuration for the web (<code>/var/www/html</code>) Directory allows directory indexing (<code>Indexes</code>) and the following of symbolic links (<code>FollowSymLinks</code>). Neit...Rule Unknown Severity -
Minimize Web Server Loadable Modules
A default installation of <code>httpd</code> includes a plethora of dynamically shared objects (DSO) that are loaded at run-time. Unlike the aforementioned compiled-in modules, a DSO can be disable...Group -
Disable HTTP mod_rewrite
The <code>mod_rewrite</code> module is very powerful and can protect against certain classes of web attacks. However, it is also very complex and has a significant history of vulnerabilities itself...Rule Unknown Severity -
Install mod_security
Install the <code>security</code> module: the <code>mod_security</code> package can be installed with the following command: <pre>$ sudo yum install mod_security</pre> Rule Unknown Severity -
Deploy mod_ssl
Because HTTP is a plain text protocol, all traffic is susceptible to passive monitoring. If there is a need for confidentiality, SSL should be configured and enabled to encrypt content. <br> ...Group -
Require Client Certificates
<code>SSLVerifyClient</code> should be set and configured to <code>require</code> by setting the following in <code>/etc/httpd/conf/httpd.conf</code>: <pre>SSLVerifyClient require</pre> ...Rule Medium Severity -
Disable Web Content Symbolic Links
For each <code><Directory></code> instance, remove the following: <pre>FollowSymLinks</pre> If symbolic links are allowed, the following can be added for each <code><Directory></code> i...Rule High Severity -
The robots.txt Files Must Not Exist
Remove any <code>robots.txt</code> files that may exist with any web content. Other methods must be employed if there is information on the web site that needs protection from search engines and pu...Rule Medium Severity -
Mount Remote Filesystems with Restrictive Options
Edit the file <code>/etc/fstab</code>. For each filesystem whose type (column 3) is <code>nfs</code> or <code>nfs4</code>, add the text <code>,nodev,nosuid</code> to the list of mount options in co...Group -
The Chrony package is installed
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize th...Rule Medium Severity -
Enable the NTP Daemon
Run the following command to determine the current status of the <code>chronyd</code> service: <pre>$ sudo systemctl is-active chronyd</pre> If the service is running, it should return the follo...Rule Medium Severity -
Enable the NTP Daemon
The <code>ntp</code> service can be enabled with the following command: <pre>$ sudo systemctl enable ntp.service</pre> Rule High Severity -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. M...Rule Medium Severity -
Configure Time Service Maxpoll Interval
The <code>maxpoll</code> should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy"></xccdf-1.2:sub> in <code>/etc/ntp.conf</code> o...Rule Medium Severity -
Disable Printer Browsing Entirely if Possible
By default, CUPS listens on the network for printer list broadcasts on UDP port 631. This functionality is called printer browsing. To disable printer browsing entirely, edit the CUPS configuration...Rule Unknown Severity