Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Install iptables-services Package
Theiptables-servicespackage can be installed with the following command:$ sudo yum install iptables-services
Rule Medium Severity -
Install iptables Package
Theiptablespackage can be installed with the following command:$ sudo yum install iptables
Rule Medium Severity -
net.ipv4.tcp_rfc1337
Enable to enable TCP behavior conformant with RFC 1337Value -
net.ipv4.tcp_syncookies
Enable to turn on TCP SYN Cookie ProtectionValue -
Inspect and Activate Default Rules
View the currently-enforced <code>iptables</code> rules by running the command: <pre>$ sudo iptables -nL --line-numbers</pre> The command is analog...Group -
Verify ip6tables Enabled if Using IPv6
Theip6tablesservice can be enabled with the following command:$ sudo systemctl enable ip6tables.service
Rule Medium Severity -
Verify iptables Enabled
Theiptablesservice can be enabled with the following command:$ sudo systemctl enable iptables.service
Rule Medium Severity -
Set Default ip6tables Policy for Incoming Packets
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following l...Rule Medium Severity -
Set configuration for IPv6 loopback traffic
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.Rule Medium Severity -
Set configuration for loopback traffic
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.Rule Medium Severity -
Strengthen the Default Ruleset
The default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in the configuration files <co...Group -
Ensure ip6tables Firewall Rules Exist for All Open Ports
Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.Rule Medium Severity -
Ensure iptables Firewall Rules Exist for All Open Ports
Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.Rule Medium Severity -
Set Default iptables Policy for Incoming Packets
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following l...Rule Medium Severity -
Disable IPv6 Addressing on IPv6 Interfaces by Default
To disable support for (<code>ipv6</code>) addressing on interfaces by default add the following line to <code>/etc/sysctl.d/ipv6.conf</code> (or a...Rule Medium Severity -
Configure IPv6 Settings if Necessary
A major feature of IPv6 is the extent to which systems implementing it can automatically configure their networking devices using information from ...Group -
Set Default iptables Policy for Forwarded Packets
To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interf...Rule Medium Severity -
IPV6_AUTOCONF
Toggle global IPv6 auto-configuration (only, if global forwarding is disabled)Value -
net.ipv6.conf.all.accept_ra_defrtr
Accept default router in router advertisements?Value -
Restrict ICMP Message Types
In <code>/etc/sysconfig/iptables</code>, the accepted ICMP messages types can be restricted. To accept only ICMP echo reply, destination unreachabl...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.