Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
cron_userdomain_transition SELinux Boolean
default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.Value -
Action for auditd to take when disk space just starts to run low
The setting for space_left_action in /etc/audit/auditd.confValue -
The percentage remaining in disk space before prompting space_left_action
The setting for space_left as a percentage in /etc/audit/auditd.confValue -
cups_execmem SELinux Boolean
default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.Value -
Records Events that Modify Date and Time Information
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time. All c...Group -
cvs_read_shadow SELinux Boolean
default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.Value -
net.ipv4.conf.default.shared_media
Controls whether the system can send(router) or accept(host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be enabled if at least one of conf/{all,interface}/shar...Value -
GRUB2 bootloader configuration
During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows for the selection of different kernels - possibly ...Group -
L1TF vulnerability mitigation
Defines the L1TF vulneratility mitigations to employ.Value -
MDS vulnerability mitigation
Defines the MDS vulneratility mitigation to employ.Value -
Confidence level on Hardware Random Number Generator
Defines the level of trust on the hardware random number generators available in the system and the percentage of entropy to credit.Value -
Spec Store Bypass Mitigation
This controls how the Speculative Store Bypass (SSB) vulnerability is mitigated.Value -
Force kernel panic on uncorrected MCEs
A Machine Check Exception is an error generated by the CPU itdetects an error in itself, memory or I/O devices. These errors may be corrected and generate a check log entry, if an error cannot be c...Rule Medium Severity -
Ensure SMAP is not disabled during boot
The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into memory pages in the user space, it is enabled by default since Linux kernel 3.7. But it could be disabled t...Rule Medium Severity -
Ensure SMEP is not disabled during boot
The SMEP is used to prevent the supervisor mode from executing user space code, it is enabled by default since Linux kernel 3.0. But it could be disabled through kernel boot parameters. Ensure tha...Rule Medium Severity -
Enable Kernel Page-Table Isolation (KPTI)
To enable Kernel page-table isolation, add the argument <code>pti=on</code> to the default GRUB 2 command line for the Linux operating system. To ensure that <code>pti=on</code> is added as a kerne...Rule Low Severity -
Non-UEFI GRUB2 bootloader configuration
Non-UEFI GRUB2 bootloader configurationGroup -
Configure Speculative Store Bypass Mitigation
Certain CPUs are vulnerable to an exploit against a common wide industry wide performance optimization known as Speculative Store Bypass (SSB). In such cases, recent stores to the same memory loca...Rule Medium Severity -
Enforce Spectre v2 mitigation
Spectre V2 is an indirect branch poisoning attack that can lead to data leakage. An exploit for Spectre V2 tricks the indirect branch predictor into executing code from a future indirect branch cho...Rule High Severity -
Ensure debug-shell service is not enabled during boot
systemd's <code>debug-shell</code> service is intended to diagnose systemd related boot issues with various <code>systemctl</code> commands. Once enabled and following a system reboot, the root she...Rule Medium Severity -
Disable vsyscalls
To disable use of virtual syscalls, add the argument <code>vsyscall=none</code> to the default GRUB 2 command line for the Linux operating system. To ensure that <code>vsyscall=none</code> is added...Rule Medium Severity -
net.ipv4.icmp_echo_ignore_broadcasts
Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicastValue -
Disable Logwatch on Clients if a Logserver Exists
Does your site have a central logserver which has been configured to report on logs received from all systems? If so: <pre>$ sudo rm /etc/cron.daily/0logwatch</pre> If no logserver exists, it will ...Rule Unknown Severity -
zIPL bootloader configuration
During the boot process, the bootloader is responsible for starting the execution of the kernel and passing options to it. The default Red Hat Enterprise Linux 8 boot loader for s390x systems is ca...Group -
Enable Auditing to Start Prior to the Audit Daemon in zIPL
To ensure all processes can be audited, even those which start prior to the audit daemon, check that all boot entries in <code>/boot/loader/entries/*.conf</code> have <code>audit=1</code> included ...Rule Medium Severity -
Extend Audit Backlog Limit for the Audit Daemon in zIPL
To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon, check that all boot entries in <code>/boot/loader/entries/*.conf</code> have <code>audit_ba...Rule Medium Severity -
Ensure all zIPL boot entries are BLS compliant
Ensure that zIPL boot entries fully adheres to Boot Loader Specification (BLS) by checking that/etc/zipl.confdoesn't containimage =.Rule Medium Severity -
Ensure zIPL bootmap is up to date
Make sure that <code>/boot/bootmap</code> is up to date.<br> Every time a boot entry or zIPL configuration is changed <code>/boot/bootmap</code> needs to be updated to reflect the changes.<br> Run ...Rule Medium Severity -
Ensure SELinux Not Disabled in zIPL
To ensure SELinux is not disabled at boot time, check that no boot entry in/boot/loader/entries/*.confhasselinux=0included in its options.
Rule Medium Severity -
Enable page allocator poisoning in zIPL
To enable poisoning of free pages, check that all boot entries in <code>/boot/loader/entries/*.conf</code> have <code>page_poison=1</code> included in its options.<br> To ensure that new kernels an...Rule Medium Severity -
Enable SLUB/SLAB allocator poisoning in zIPL
To enable poisoning of SLUB/SLAB objects, check that all boot entries in <code>/boot/loader/entries/*.conf</code> have <code>slub_debug=P</code> included in its options.<br> To ensure that new kern...Rule Medium Severity -
net.ipv4.icmp_ignore_bogus_error_responses
Enable to prevent unnecessary loggingValue -
Kernel Configuration
Contains rules that check the kernel configuration that was used to build it.Group -
Hash function for kernel module signing
The hash function to use when signing modules during kernel build process.Value -
Key and certificate for kernel module signing
The private key and certificate to use when signing modules during kernel build process. On systems where the OpenSSL ENGINE_pkcs11 is functional — a PKCS#11 URI as defined by RFC7512 In the latter...Value -
Kernel panic timeout
The time, in seconds, to wait until a reboot occurs. If the value is0the system never reboots. If the value is less than0the system reboots immediately.Value -
Do not allow ACPI methods to be inserted/replaced at run time
This debug facility allows ACPI AML methods to be inserted and/or replaced without rebooting the system. This configuration is available from kernel 3.0. The configuration that was used to build k...Rule Low Severity -
Emulate Privileged Access Never (PAN)
Enabling this option prevents the kernel from accessing user-space memory directly by pointing TTBR0_EL1 to a reserved zeroed area and reserved ASID. The user access routines restore the valid TTBR...Rule Medium Severity -
Disable kernel support for MISC binaries
Enabling <code>CONFIG_BINFMT_MISC</code> makes it possible to plug wrapper-driven binary formats into the kernel. This is specially useful for programs that need an interpreter to run like Java, Py...Rule Medium Severity -
Enable support for BUG()
Disabling this option eliminates support for BUG and WARN, reducing the size of your kernel image and potentially quietly ignoring numerous fatal conditions. You should only consider disabling this...Rule Medium Severity -
Trigger a kernel BUG when data corruption is detected
This option makes the kernel BUG when it encounters data corruption in kernel memory structures when they get checked for validity. This configuration is available from kernel 4.10. The configurat...Rule Low Severity -
Disable compatibility with brk()
Enabling compatiliby with <code>brk()</code> allows legacy binaries to run (i.e. those linked against libc5). But this compatibility comes at the cost of not being able to randomize the heap placem...Rule Medium Severity -
daemons_dump_core SELinux Boolean
default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.Value -
Disable the 32-bit vDSO
Certain buggy versions of glibc (2.3.3) will crash if they are presented with a 32-bit vDSO that is not mapped at the address indicated in its segment table. Setting <code>CONFIG_COMPAT_VDSO</code>...Rule Low Severity -
Enable checks on credential management
Enable this to turn on some debug checking for credential management. The additional code keeps track of the number of pointers from task_structs to any given cred struct, and checks to see that th...Rule Low Severity -
Disable kernel debugfs
<code>debugfs</code> is a virtual file system that kernel developers use to put debugging files into. Enable this option to be able to read and write to these files. The configuration that was use...Rule Low Severity -
Enable checks on linked list manipulation
Enable this to turn on extended checks in the linked-list walking routines. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check the configurat...Rule Low Severity -
Enable checks on notifier call chains
Enable this to turn on sanity checking for notifier call chains. This is most useful for kernel developers to make sure that modules properly unregister themselves from notifier chains. The config...Rule Low Severity -
Enable checks on scatter-gather (SG) table operations
Scatter-gather tables are mechanism used for high performance I/O on DMA devices. Enable this to turn on checks on scatter-gather tables. The configuration that was used to build kernel is availab...Rule Low Severity -
Warn on W+X mappings found at boot
Generate a warning if any W+X mappings are found at boot. This configuration is available from kernel 5.8. The configuration that was used to build kernel is available at <code>/boot/config-*</cod...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.