Skip to content
Log In

Guide to the Secure Configuration of Red Hat Enterprise Linux 8

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Restrict Serial Port Root Logins

    To restrict root logins on serial ports, ensure lines of this form do not appear in /etc/securetty: 
    ttyS0
ttyS1
    Rule Medium Severity
    Show

  • Root Path Must Be Vendor Default

    Assuming root shell is bash, edit the following files: <pre>~/.profile</pre> <pre>~/.bashrc</pre> Change any <code>PATH</code> variables to the vendor default for root and remove ...
    Rule Unknown Severity
    Show

  • Restrict Virtual Console Root Logins

    To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in /etc/securetty: 
    vc/1
vc/2
vc/3
vc/4
    Rule Medium Severity
    Show

  • Enforce usage of pam_wheel for su authentication

    To ensure that only users who are members of the <code>wheel</code> group can run commands with altered privileges through the <code>su</code> command, make sure that the following line exists in t...
    Rule Medium Severity
    Show

  • net.ipv6.conf.all.router_solicitations

    Accept all router solicitations?
    Value
    Show

  • Secure Session Configuration Files for Login Accounts

    When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the user's home directory, and may have weak permissi...
    Group
    Show

  • Maximum login attempts delay

    Maximum time in seconds between fail login attempts before re-prompting.
    Value
    Show

  • Maximum concurrent login sessions

    Maximum number of concurrent sessions by a user
    Value
    Show

  • Account Inactivity Timeout (seconds)

    In an interactive shell, the value is interpreted as the number of seconds to wait for input after issuing the primary prompt. Bash terminates after waiting for that number of seconds if input does...
    Value
    Show

  • Interactive users initialization files

    'A regular expression describing a list of file names for files that are sourced at login time for interactive users'
    Value
    Show

  • Ensure the Logon Failure Delay is Set Correctly in login.defs

    To ensure the logon failure delay controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>FAIL_DELAY</code> setting in <code>/etc/login.defs</code> to read as follows: ...
    Rule Medium Severity
    Show

  • Limit the Number of Concurrent Login Sessions Allowed Per User

    Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurr...
    Rule Low Severity
    Show

  • Configure Polyinstantiation of /tmp Directories

    To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use the following command: <pre>$ sudo mkdir --mode 000 ...
    Rule Low Severity
    Show

  • Configure Polyinstantiation of /var/tmp Directories

    To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use the following command: <pre>$ sudo mkdir --mode 000 ...
    Rule Low Severity
    Show

  • User Initialization Files Must Be Group-Owned By The Primary Group

    Change the group owner of interactive users files to the group found in <pre>/etc/passwd</pre> for the user. To change the group owner of a local interactive user home directory, use the following ...
    Rule Medium Severity
    Show

  • net.ipv6.conf.default.accept_ra_defrtr

    Accept default router in router advertisements?
    Value
    Show

  • User Initialization Files Must Be Owned By the Primary User

    Set the owner of the user initialization files for interactive users to the primary owner with the following command: <pre>$ sudo chown <i>USER</i> /home/<i>USER</i>/.*</pre> This rule ensures eve...
    Rule Medium Severity
    Show

  • Ensure that Users Path Contains Only Local Directories

    Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory.
    Rule Medium Severity
    Show

  • All Interactive Users Must Have A Home Directory Defined

    Assign home directories to all interactive users that currently do not have a home directory assigned. This rule checks if the home directory is properly defined in a folder which has at least one...
    Rule Medium Severity
    Show

  • All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group

    Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive users files and directories...
    Rule Medium Severity
    Show

  • All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive

    Set the mode on files and directories in the local interactive user home directory with the following command: <pre>$ sudo chmod 0750 /home/<i>USER</i>/<i>FILE_DIR</i> </pre> Files ...
    Rule Medium Severity
    Show

  • Ensure users' .netrc Files are not group or world accessible

    While the system administrator can establish secure permissions for users' .netrc files, the users can easily override these. This rule ensures every .netrc file or directory under the home direct...
    Rule Medium Severity
    Show

  • All Interactive User Home Directories Must Be Owned By The Primary User

    Change the owner of interactive users home directories to that correct owner. To change the owner of a interactive users home directory, use the following command: <pre>$ sudo chown <i>USER</i> /ho...
    Rule Medium Severity
    Show

  • Ensure All User Initialization Files Have Mode 0740 Or Less Permissive

    Set the mode of the user initialization files to 0740 with the following command: 
    $ sudo chmod 0740 /home/USER/.INIT_FILE
    Rule Medium Severity
    Show

  • All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

    Change the mode of interactive users home directories to <code>0750</code>. To change the mode of interactive users home directory, use the following command: <pre>$ sudo chmod 0750 /home/<i>USER</...
    Rule Medium Severity
    Show

  • Ensure that No Dangerous Directories Exist in Root's Path

    The active path of the root account can be obtained by starting a new root shell and running: <pre># echo $PATH</pre> This will produce a colon-separated list of directories in the path. <br> ...
    Group
    Show

  • Ensure that Root's Path Does Not Include World or Group-Writable Directories

    For each element in root's path, run: 
    # ls -ld DIR
    and ensure that write permissions are disabled for group and other.
    Rule Medium Severity
    Show

  • Ensure that Root's Path Does Not Include Relative Paths or Null Directories

    Ensure that none of the directories in root's path is equal to a single <code>.</code> character, or that it contains any instances that lead to relative path traversal, such as <code>..</code> or ...
    Rule Unknown Severity
    Show

  • Ensure that Users Have Sensible Umask Values

    The umask setting controls the default permissions for the creation of new files. With a default <code>umask</code> setting of 077, files and directories created by users will not be readable by an...
    Group
    Show

  • Sensible umask

    Enter default user umask
    Value
    Show

  • Ensure the Default Umask is Set Correctly in /etc/profile

    To ensure the default umask controlled by <code>/etc/profile</code> is set properly, add or correct the <code>umask</code> setting in <code>/etc/profile</code> to read as follows: <pre>umask <xccdf...
    Rule Medium Severity
    Show

  • Ensure the Default Umask is Set Correctly For Interactive Users

    Remove the UMASK environment variable from all interactive users initialization files.
    Rule Medium Severity
    Show

  • net.ipv6.conf.default.accept_ra_pinfo

    Accept prefix information in router advertisements?
    Value
    Show

  • System Accounting with auditd

    The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and certain types of security-relevant events such as s...
    Group
    Show

  • Install audispd-plugins Package

    The audispd-plugins package can be installed with the following command: 
    $ sudo yum install audispd-plugins
    Rule Medium Severity
    Show

  • Ensure the default plugins for the audit dispatcher are Installed

    The audit-audispd-plugins package should be installed.
    Rule Medium Severity
    Show

  • net.ipv6.conf.default.accept_ra_rtr_pref

    Accept router preference in router advertisements?
    Value
    Show

  • net.ipv6.conf.default.accept_ra

    Accept default router advertisements by default?
    Value
    Show

  • net.ipv6.conf.default.accept_redirects

    Toggle ICMP Redirect Acceptance By Default
    Value
    Show

  • Disable vsyscalls in zIPL

    To disable use of virtual syscalls, check that all boot entries in <code>/boot/loader/entries/*.conf</code> have <code>vsyscall=none</code> included in its options.<br> To ensure that new kernels a...
    Rule Medium Severity
    Show

  • Protect Random-Number Entropy Pool

    The I/O operations of the Linux kernel block layer due to their inherently unpredictable execution times have been traditionally considered as a reliable source to contribute to random-number entro...
    Group
    Show

  • net.ipv6.conf.default.accept_source_route

    Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.
    Value
    Show

  • net.ipv6.conf.default.autoconf

    Enable auto configuration on IPv6 interfaces
    Value
    Show

  • net.ipv6.conf.default.max_addresses

    Maximum number of autoconfigured IPv6 addresses
    Value
    Show

  • net.ipv6.conf.default.router_solicitations

    Accept all router solicitations by default?
    Value
    Show

  • net.ipv4.conf.default.secure_redirects

    Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure ICMP redirected packages by default.
    Value
    Show

  • container_connect_any SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • cron_can_relabel SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • Record Information on the Use of Privileged Commands

    At a minimum, the audit system should collect the execution of privileged commands for all users and root.
    Group
    Show

  • cron_system_cronjob_use_shares SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules