Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The robots.txt Files Must Not Exist
Remove any <code>robots.txt</code> files that may exist with any web content. Other methods must be employed if there is information on the web sit...Rule Medium Severity -
Ensure Web Content Located on Separate partition
The <code>DocumentRoot</code> directory is used for storing web content and data. Ensure that the <code>DocumentRoot</code> directory exists on a s...Rule Medium Severity -
Use Denial-of-Service Protection Modules
Denial-of-service attacks are difficult to detect and prevent while maintaining acceptable access to authorized users. However, some traffic-shapin...Group -
IMAP and POP3 Server
Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at <a href="http://www.dovecot.org">http://www.dovec...Group -
Configure Dovecot if Necessary
If the system will operate as an IMAP or POP3 server, the dovecot software should be configured securely by following the recommendations below.Group -
Allow IMAP Clients to Access the Server
The default iptables configuration does not allow inbound access to any services. This modification will allow remote hosts to initiate connection...Group -
Enable SSL Support
SSL should be used to encrypt network traffic between the Dovecot server and its clients. Users must authenticate to the Dovecot server in order ...Group -
Configure Dovecot to Use the SSL Certificate file
This option tells Dovecot where to find the mail server's SSL Certificate. <br><br> Edit <code>/etc/dovecot/conf.d/10-ssl.conf</code> and add or co...Rule Unknown Severity -
Configure Dovecot to Use the SSL Key file
This option tells Dovecot where to find the mail server's SSL Key. <br><br> Edit <code>/etc/dovecot/conf.d/10-ssl.conf</code> and add or correct th...Rule Unknown Severity -
Enable the SSL flag in /etc/dovecot.conf
To allow clients to make encrypted connections the <code>ssl</code> flag in Dovecot's configuration file needs to be set to <code>yes</code>. <br><...Rule Unknown Severity -
Support Only the Necessary Protocols
Dovecot supports the IMAP and POP3 protocols, as well as SSL-protected versions of those protocols. Configure the Dovecot server to support only ...Group -
Disable Cyrus IMAP
If the system does not need to operate as an IMAP or POP3 server, the Cyrus IMAP software should be removed.Group -
Uninstall cyrus-imapd Package
Thecyrus-imapdpackage can be removed with the following command:$ sudo yum erase cyrus-imapd
Rule Unknown Severity -
Disable Dovecot
If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.Group -
Uninstall dovecot Package
Thedovecotpackage can be removed with the following command:$ sudo yum erase dovecot
Rule Unknown Severity -
Disable Dovecot Service
Thedovecotservice can be disabled with the following command:$ sudo systemctl mask --now dovecot.service
Rule Unknown Severity -
Kerberos
The Kerberos protocol is used for authentication across non-secure network. Authentication can happen between various types of principals -- users,...Group -
Remove the Kerberos Server Package
The <code>krb5-server</code> package should be removed if not in use. Is this system the Kerberos server? If not, remove the package. The <code>krb...Rule Medium Severity -
Disable Kerberos by removing host keytab
Kerberos is not an approved key distribution method for Common Criteria. To prevent using Kerberos by system daemons, remove the Kerberos keytab fi...Rule Medium Severity -
LDAP
LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. Red Hat Enterprise Linux 8 incl...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.