Skip to content

Guide to the Secure Configuration of Red Hat Enterprise Linux 9

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SSH Strong MACs by FIPS

    Specify the FIPS approved MACs (Message Authentication Code) algorithms that are used for data integrity protection by the SSH server.
    Value
  • Restrict unprivileged access to the kernel syslog

    Enforce restrictions on unprivileged users reading the kernel syslog via dmesg(8). The configuration that was used to build kernel is available at...
    Rule Medium Severity
  • Randomize slab freelist

    Randomizes the freelist order used on creating new pages. This configuration is available from kernel 5.9, but may be available if backported by di...
    Rule Medium Severity
  • Verify Group Who Owns cron.deny

    To properly set the group owner of /etc/cron.deny, run the command:
    $ sudo chgrp root /etc/cron.deny
    Rule Medium Severity
  • Verify Owner on cron.deny

    To properly set the owner of /etc/cron.deny, run the command:
    $ sudo chown root /etc/cron.deny 
    Rule Medium Severity
  • Verify File Hashes with RPM

    Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package m...
    Rule High Severity
  • Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config

    Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the ...
    Rule Medium Severity
  • Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config

    Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the ...
    Rule Medium Severity
  • Ensure /dev/shm is configured

    The <code>/dev/shm</code> is a traditional shared memory concept. One program will create a memory portion, which other processes (if permitted) ca...
    Rule Low Severity
  • Install cryptsetup Package

    The cryptsetup package can be installed with the following command:
    $ sudo dnf install cryptsetup
    Rule Medium Severity
  • Ensure PAM Displays Last Logon/Access Notification

    To configure the system to notify users of last logon/access using <code>pam_lastlog</code>, add or correct the <code>pam_lastlog</code> settings i...
    Rule Low Severity
  • Lock Accounts After Failed Password Attempts

    This rule configures the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>. pam_faillock.so...
    Rule Medium Severity
  • Set existing passwords a period of inactivity before they been locked

    Configure user accounts that have been inactive for over a given period of time to be automatically disabled by running the following command: <pre...
    Rule Medium Severity
  • Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty

    Ensure that the group <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_pam_wheel_group_for_su" use="legacy"></xccdf-1.2:sub></cod...
    Rule Medium Severity
  • Set Interactive Session Timeout

    Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that all user sessions will terminate based on inactivity. The value of ...
    Rule Medium Severity
  • Ensure auditd Collects Information on Kernel Module Loading and Unloading

    To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for b...
    Rule Medium Severity
  • Record Attempts to Alter Logon and Logout Events

    The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenr...
    Group
  • Record Attempts to Alter Logon and Logout Events

    The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenr...
    Rule Medium Severity
  • Type of hostname to record the audit event

    Type of hostname to record the audit event
    Value
  • Set type of computer node name logging in audit logs

    To configure Audit daemon to use a unique identifier as computer node name in the audit events, set <code>name_format</code> to <code><xccdf-1.2:su...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules