Skip to content

Guide to the Secure Configuration of Red Hat Enterprise Linux 9

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Enable checks on scatter-gather (SG) table operations

    Scatter-gather tables are mechanism used for high performance I/O on DMA devices. Enable this to turn on checks on scatter-gather tables. The conf...
    Rule Low Severity
  • Warn on W+X mappings found at boot

    Generate a warning if any W+X mappings are found at boot. This configuration is available from kernel 5.8. The configuration that was used to buil...
    Rule Medium Severity
  • Configure low address space to protect from user allocation

    This is the portion of low virtual memory which should be protected from userspace allocation. This configuration is available from kernel 3.14, bu...
    Rule Medium Severity
  • Disable /dev/kmem virtual device support

    Disable support for the /dev/kmem device. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To chec...
    Rule Low Severity
  • Harden common str/mem functions against buffer overflows

    Detect overflows of buffers in common string and memory functions where the compiler can determine and validate the buffer sizes. This configuratio...
    Rule Medium Severity
  • Harden memory copies between kernel and userspace

    This option checks for obviously wrong memory regions when copying memory to/from the kernel (via copy_to_user() and copy_from_user() functions) by...
    Rule High Severity
  • Do not allow usercopy whitelist violations to fallback to object size

    This is a temporary option that allows missing usercopy whitelists to be discovered via a WARN() to the kernel log, instead of rejecting the copy, ...
    Rule High Severity
  • Disable hibernation

    Enable the suspend to disk (STD) functionality, which is usually called "hibernation" in user interfaces. STD checkpoints the system and powers it ...
    Rule Medium Severity
  • Disable IA32 emulation

    Disables support for legacy 32-bit programs under a 64-bit kernel. The configuration that was used to build kernel is available at <code>/boot/con...
    Rule Medium Severity
  • Disable the IPv6 protocol

    Disable support for IP version 6 (IPv6). The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check...
    Rule Medium Severity
  • Disable kexec system call

    <code>kexec</code> is a system call that implements the ability to shutdown your current kernel, and to start another kernel. It is like a reboot b...
    Rule Low Severity
  • Disable legacy (BSD) PTY support

    Disable the Linux traditional BSD-like terminal names /dev/ptyxx for masters and /dev/ttyxx for slaves of pseudo terminals, and use only the modern...
    Rule Medium Severity
  • Disable vsyscall emulation

    The kernel traps and emulates calls into the fixed vsyscall address mapping. This configuration is available from kernel 5.3, but may be available ...
    Rule Medium Severity
  • Disable vsyscall mapping

    This config disables the vsyscall mapping at all. Attempts to use the vsyscalls will be reported to dmesg, so that either old or malicious userspac...
    Rule Medium Severity
  • Disable vsyscall emulate execution only

    The kernel traps and emulates calls into the fixed vsyscall address mapping and does not allow reads. This configuration is available from kernel 5...
    Rule Medium Severity
  • Disable the LDT (local descriptor table)

    Linux can allow user programs to install a per-process x86 Local Descriptor Table (LDT) using the modify_ldt(2) system call. This is required to ru...
    Rule Medium Severity
  • Enable module signature verification

    Check modules for valid signatures upon load. Note that this option adds the OpenSSL development packages as a kernel build dependency so that the ...
    Rule Medium Severity
  • Enable automatic signing of all modules

    Sign all modules during make modules_install. Without this option, modules must be signed manually, using the scripts/sign-file tool. The configur...
    Rule Medium Severity
  • Require modules to be validly signed

    Reject unsigned modules or signed modules with an unknown key. The configuration that was used to build kernel is available at <code>/boot/config-...
    Rule Medium Severity
  • Specify the hash to use when signing modules

    This configures the kernel to build and sign modules using <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_ha...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules