Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Disable Avahi Publishing
To prevent Avahi from publishing its records, edit <code>/etc/avahi/avahi-daemon.conf</code> and ensure the following line appears in the <code>[pu...Rule Low Severity -
Serve Avahi Only via Required Protocol
If you are using only IPv4, edit <code>/etc/avahi/avahi-daemon.conf</code> and ensure the following line exists in the <code>[server]</code> sectio...Rule Low Severity -
Prevent Other Programs from Using Avahi's Port
To prevent other mDNS stacks from running, edit <code>/etc/avahi/avahi-daemon.conf</code> and ensure the following line appears in the <code>[serve...Rule Medium Severity -
Restrict Information Published by Avahi
If it is necessary to publish some information to the network, it should not be joined by any extraneous information, or by information supplied by...Rule Low Severity -
Disable Avahi Server if Possible
Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Disabling it can reduce the system's vulnerability t...Group -
Uninstall avahi-autoipd Server Package
If the system does not need to have an Avahi server which implements the DNS Service Discovery and Multicast DNS protocols, the avahi-autoipd and ...Rule Medium Severity -
Uninstall avahi Server Package
If the system does not need to have an Avahi server which implements the DNS Service Discovery and Multicast DNS protocols, the avahi-autoipd and a...Rule Medium Severity -
Disable Avahi Server Software
Theavahi-daemonservice can be disabled with the following command:$ sudo systemctl mask --now avahi-daemon.service
Rule Medium Severity -
Base Services
This section addresses the base services that are installed on a Red Hat Enterprise Linux 8 default installation which are not covered in other sec...Group -
Install the psacct package
The process accounting service, <code>psacct</code>, works with programs including <code>acct</code> and <code>ac</code> to allow system administra...Rule Low Severity -
Uninstall Automatic Bug Reporting Tool (abrt)
The Automatic Bug Reporting Tool (<code>abrt</code>) collects and reports crash data when an application crash is detected. Using a variety of plug...Rule Medium Severity -
Enable Process Accounting (psacct)
The process accounting service, <code>psacct</code>, works with programs including <code>acct</code> and <code>ac</code> to allow system administra...Rule Low Severity -
Disable Automatic Bug Reporting Tool (abrtd)
The Automatic Bug Reporting Tool (<code>abrtd</code>) daemon collects and reports crash data when an application crash is detected. Using a variety...Rule Medium Severity -
Disable Advanced Configuration and Power Interface (acpid)
The Advanced Configuration and Power Interface Daemon (<code>acpid</code>) dispatches ACPI events (such as power/reset button depressed) to userspa...Rule Medium Severity -
Disable Certmonger Service (certmonger)
Certmonger is a D-Bus based service that attempts to simplify interaction with certifying authorities on networks which use public-key infrastructu...Rule Low Severity -
Disable Cockpit Management Server
The Cockpit Management Server (<code>cockpit</code>) provides a web based login and management framework. The <code>cockpit</code> service can be ...Rule Medium Severity -
Disable CPU Speed (cpupower)
The <code>cpupower</code> service can adjust the clock speed of supported CPUs based upon the current processing load thereby conserving power and ...Rule Low Severity -
Disable KDump Kernel Crash Analyzer (kdump)
The <code>kdump</code> service provides a kernel crash dump analyzer. It uses the <code>kexec</code> system call to boot a secondary kernel ("captu...Rule Medium Severity -
Disable Software RAID Monitor (mdmonitor)
The <code>mdmonitor</code> service is used for monitoring a software RAID array; hardware RAID setups do not use this service. The <code>mdmonitor...Rule Low Severity -
Disable Network Console (netconsole)
The <code>netconsole</code> service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to a syslog...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.