Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Use Root-Squashing on All Exports
If a filesystem is exported using root squashing, requests from root on the client are considered to be unprivileged (mapped to a user such as nobo...Rule Unknown Severity -
Configure the Exports File Restrictively
Linux's NFS implementation uses the file <code>/etc/exports</code> to control what filesystems and directories may be accessed via NFS. (See the <c...Group -
Export Filesystems Read-Only if Possible
If a filesystem is being exported so that users can view the files in a convenient fashion, but there is no need for users to edit those files, exp...Group -
Use Access Lists to Enforce Authorization Restrictions
When configuring NFS exports, ensure that each export line in <code>/etc/exports</code> contains a list of hosts which are allowed to access that e...Group -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...Group -
Vendor Approved Time pools
The list of vendor-approved pool serversValue -
Vendor Approved Time Servers
The list of vendor-approved time serversValue -
Maximum NTP or Chrony Poll
The maximum NTP or Chrony poll interval number in seconds specified as a power of two.Value -
The Chrony package is installed
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or se...Rule Medium Severity -
Install the ntp service
The ntpd service should be installed.Rule High Severity -
The Chronyd service is enabled
chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a ...Rule Medium Severity -
Enable the NTP Daemon
Run the following command to determine the current status of the <code>chronyd</code> service: <pre>$ sudo systemctl is-active chronyd</pre> If t...Rule Medium Severity -
Uninstall xinetd Package
Thexinetdpackage can be removed with the following command:$ sudo yum erase xinetd
Rule Low Severity -
Enable the NTP Daemon
Thentpservice can be enabled with the following command:$ sudo systemctl enable ntp.service
Rule High Severity -
Enable the NTP Daemon
Thentpdservice can be enabled with the following command:$ sudo systemctl enable ntpd.service
Rule Medium Severity -
Disable chrony daemon from acting as server
The <code>port</code> option in <code>/etc/chrony.conf</code> can be set to <code>0</code> to make chrony daemon to never open any listening port f...Rule Low Severity -
Disable network management of chrony daemon
The <code>cmdport</code> option in <code>/etc/chrony.conf</code> can be set to <code>0</code> to stop chrony daemon from listening on the UDP port ...Rule Low Severity -
Configure Time Service Maxpoll Interval
The <code>maxpoll</code> should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy...Rule Medium Severity -
Specify Additional Remote NTP Servers
Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux 8 system can be configured to util...Rule Medium Severity -
Specify a Remote NTP Server
Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux 8 system can be configured to util...Rule Medium Severity -
Ensure that chronyd is running under chrony user account
chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and us...Rule Medium Severity -
Ensure Chrony is only configured with the server directive
Check that Chrony only has time sources configured with theserverdirective.Rule Medium Severity -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of s...Rule Medium Severity -
Specify Additional Remote NTP Servers
Additional NTP servers can be specified for time synchronization in the file <code>/etc/ntp.conf</code>. To do so, add additional lines of the fol...Rule Unknown Severity -
Specify a Remote NTP Server
To specify a remote NTP server for time synchronization, edit the file <code>/etc/ntp.conf</code>. Add or correct the following lines, substituting...Rule Medium Severity -
Obsolete Services
This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or...Group -
Uninstall rsync Package
The rsyncd service can be used to synchronize files between systems over network links. The <code>rsync-daemon</code> package can be removed with t...Rule Medium Severity -
Ensure rsyncd service is disabled
Thersyncdservice can be disabled with the following command:$ sudo systemctl mask --now rsyncd.service
Rule Medium Severity -
Xinetd
The <code>xinetd</code> service acts as a dedicated listener for some network services (mostly, obsolete ones) and can be used to provide access co...Group -
Disable xinetd Service
Thexinetdservice can be disabled with the following command:$ sudo systemctl mask --now xinetd.service
Rule Medium Severity -
NIS
The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and oth...Group -
Remove NIS Client
The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system conf...Rule Unknown Severity -
Uninstall ypserv Package
Theypservpackage can be removed with the following command:$ sudo yum erase ypserv
Rule High Severity -
Disable ypbind Service
The <code>ypbind</code> service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The <code>ypbind</code> s...Rule Medium Severity -
Disable ypserv Service
The <code>ypserv</code> service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The <code>ypserv</code> s...Rule Medium Severity -
Rlogin, Rsh, and Rexec
The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.Group -
Uninstall rsh-server Package
Thersh-serverpackage can be removed with the following command:$ sudo yum erase rsh-server
Rule High Severity -
Uninstall rsh Package
Thershpackage contains the client commands for the rsh servicesRule Unknown Severity -
Disable rexec Service
The <code>rexec</code> service, which is available with the <code>rsh-server</code> package and runs as a service through xinetd or separately as a...Rule High Severity -
Disable rlogin Service
The <code>rlogin</code> service, which is available with the <code>rsh-server</code> package and runs as a service through xinetd or separately as ...Rule High Severity -
Disable rsh Service
The <code>rsh</code> service, which is available with the <code>rsh-server</code> package and runs as a service through xinetd or separately as a s...Rule High Severity -
Remove Host-Based Authentication Files
The <code>shosts.equiv</code> file lists remote hosts and users that are trusted by the local system. To remove these files, run the following comm...Rule High Severity -
Remove Rsh Trust Files
The files <code>/etc/hosts.equiv</code> and <code>~/.rhosts</code> (in each user's home directory) list remote hosts and users that are trusted by ...Rule High Severity -
Remove User Host-Based Authentication Files
The <code>~/.shosts</code> (in each user's home directory) files list remote hosts and users that are trusted by the local system. To remove these ...Rule High Severity -
Chat/Messaging Services
The talk software makes it possible for users to send and receive messages across systems through a terminal session.Group -
Uninstall talk-server Package
Thetalk-serverpackage can be removed with the following command:$ sudo yum erase talk-server
Rule Medium Severity -
Uninstall talk Package
The <code>talk</code> package contains the client program for the Internet talk protocol, which allows the user to chat with other users on differe...Rule Medium Severity -
Telnet
The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication informat...Group -
Uninstall telnet-server Package
Thetelnet-serverpackage can be removed with the following command:$ sudo yum erase telnet-server
Rule High Severity -
Remove telnet Clients
The telnet client allows users to start connections to other systems via the telnet protocol.Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules