Skip to content

CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server

Rules and Groups employed by this XCCDF Profile

  • Verify Group Ownership on SSH Server Private *_key Key Files

    SSH server private keys, files that match the /etc/ssh/*_key glob, must be group-owned by ssh_keys group.
    Rule Medium Severity
  • Verify Group Ownership on SSH Server Public *.pub Key Files

    SSH server public keys, files that match the /etc/ssh/*.pub glob, must be group-owned by root group.
    Rule Medium Severity
  • Verify Owner on SSH Server config file

    To properly set the owner of /etc/ssh/sshd_config, run the command:
    $ sudo chown root /etc/ssh/sshd_config 
    Rule Medium Severity
  • Verify Ownership on SSH Server Private *_key Key Files

    SSH server private keys, files that match the /etc/ssh/*_key glob, must be owned by root user.
    Rule Medium Severity
  • Verify Ownership on SSH Server Public *.pub Key Files

    SSH server public keys, files that match the /etc/ssh/*.pub glob, must be owned by root user.
    Rule Medium Severity
  • Verify Permissions on SSH Server config file

    To properly set the permissions of /etc/ssh/sshd_config, run the command:
    $ sudo chmod 0600 /etc/ssh/sshd_config
    Rule Medium Severity
  • Verify Permissions on SSH Server Private *_key Key Files

    SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by t...
    Rule Medium Severity
  • Verify Permissions on SSH Server Public *.pub Key Files

    To properly set the permissions of /etc/ssh/*.pub, run the command:
    $ sudo chmod 0644 /etc/ssh/*.pub
    Rule Medium Severity
  • Configure OpenSSH Server if Necessary

    If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_confi...
    Group
  • Set SSH Client Alive Count Max

    The SSH server sends at most <code>ClientAliveCountMax</code> messages during a SSH session and waits for a response from the SSH client. The optio...
    Rule Medium Severity
  • Set SSH Client Alive Interval

    SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automat...
    Rule Medium Severity
  • Disable Host-Based Authentication

    SSH's cryptographic host-based authentication is more secure than <code>.rhosts</code> authentication. However, it is not recommended that hosts un...
    Rule Medium Severity
  • Disable SSH Access via Empty Passwords

    Disallow SSH login with empty passwords. The default SSH configuration disables logins with empty passwords. The appropriate configuration is used ...
    Rule High Severity
  • Disable GSSAPI Authentication

    Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI. <br> The default SSH configuration disallows ...
    Rule Medium Severity
  • Disable SSH Support for .rhosts Files

    SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via <code>.rhosts</code> fil...
    Rule Medium Severity
  • Disable SSH Root Login

    The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following lin...
    Rule Medium Severity
  • Do Not Allow SSH Environment Options

    Ensure that users are not able to override environment variables of the SSH daemon. <br> The default SSH configuration disables environment process...
    Rule Medium Severity
  • Enable PAM

    UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentica...
    Rule Medium Severity
  • Enable SSH Warning Banner

    To enable the warning banner and ensure it is consistent across the system, add or correct the following line in <code>/etc/ssh/sshd_config</code>...
    Rule Medium Severity
  • Limit Users' SSH Access

    By default, the SSH configuration allows any user with an account to access the system. There are several options available to limit which users an...
    Rule Unknown Severity
  • Ensure SSH LoginGraceTime is configured

    The <code>LoginGraceTime</code> parameter to the SSH server specifies the time allowed for successful authentication to the SSH server. The longer ...
    Rule Medium Severity
  • Set SSH Daemon LogLevel to VERBOSE

    The <code>VERBOSE</code> parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct t...
    Rule Medium Severity
  • Set SSH authentication attempt limit

    The <code>MaxAuthTries</code> parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failur...
    Rule Medium Severity
  • Set SSH MaxSessions limit

    The <code>MaxSessions</code> parameter specifies the maximum number of open sessions permitted from a given connection. To set MaxSessions edit <co...
    Rule Medium Severity
  • Ensure SSH MaxStartups is configured

    The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be ...
    Rule Medium Severity
  • Use Only FIPS 140-2 Validated Ciphers

    Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The foll...
    Rule Medium Severity
  • Use Only Strong Key Exchange algorithms

    Limit the Key Exchange to strong algorithms. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of those: <pre>KexAlgorithms ...
    Rule Medium Severity
  • Use Only Strong MACs

    Limit the MACs to strong hash algorithms. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of those MACs: <pre>MACs <xccdf-...
    Rule Medium Severity
  • X Window System

    The X Window System implementation included with the system is called X.org.
    Group
  • Disable X Windows

    Unless there is a mission-critical reason for the system to run a graphical user interface, ensure X is not set to start automatically at boot and ...
    Group
  • Remove the X Windows Package Group

    By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot ...
    Rule Medium Severity
  • Disable X Windows Startup By Setting Default Target

    Systems that do not require a graphical user interface should only boot by default into <code>multi-user.target</code> mode. This prevents accident...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words

    The pam_pwquality module's <code>dictcheck</code> check if passwords contains dictionary words. When <code>dictcheck</code> is set to <code>1</code...
    Rule Medium Severity
  • Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty

    Ensure that the group <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_pam_wheel_group_for_su" use="legacy"></xccdf-1.2:sub></cod...
    Rule Medium Severity
  • Ensure Authentication Required for Single User Mode

    Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.
    Rule Medium Severity
  • Enforce Usage of pam_wheel with Group Parameter for su Authentication

    To ensure that only users who are members of the group set in the <code>group</code> option of <code>pam_wheel.so</code> module can run commands wi...
    Rule Medium Severity
  • Ensure users' .netrc Files are not group or world accessible

    While the system administrator can establish secure permissions for users' .netrc files, the users can easily override these. This rule ensures ev...
    Rule Medium Severity
  • Record Events When Executables Are Run As Another User

    Verify the system generates an audit record when actions are run as another user. sudo provides users with temporary elevated privileges to perform...
    Rule Medium Severity
  • Record Attempts to perform maintenance activities

    The Red Hat Enterprise Linux 7 operating system must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions an...
    Rule Medium Severity
  • System Audit Logs Must Be Group Owned By Root

    All audit logs must be group owned by root user. The path for audit log can be configured via <code>log_file</code> parameter in <pre>/etc/audit/au...
    Rule Medium Severity
  • System Audit Logs Must Be Owned By Root

    All audit logs must be owned by root user. The path for audit log can be configured via <code>log_file</code> parameter in <pre>/etc/audit/auditd.c...
    Rule Medium Severity
  • Record Any Attempts to Run chacl

    At a minimum, the audit system should collect any execution attempt of the <code>chacl</code> command for all users and root. If the <code>auditd</...
    Rule Medium Severity
  • Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Ensure auditd Collects Information on the Use of Privileged Commands - usermod

    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is con...
    Rule Medium Severity
  • Disable systemd-journal-remote Socket

    Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts....
    Rule Medium Severity
  • Verify Permissions and Ownership of Old Passwords File

    To properly set the owner of <code>/etc/security/opasswd</code>, run the command: <pre>$ sudo chown root /etc/security/opasswd </pre> To properly ...
    Rule Medium Severity
  • Verify Group Who Owns /etc/shells File

    To properly set the group owner of /etc/shells, run the command:
    $ sudo chgrp root /etc/shells
    Rule Medium Severity
  • Verify Who Owns /etc/shells File

    To properly set the owner of /etc/shells, run the command:
    $ sudo chown root /etc/shells 
    Rule Medium Severity
  • Verify Permissions on /etc/shells File

    To properly set the permissions of /etc/shells, run the command:
    $ sudo chmod 0644 /etc/shells
    Rule Medium Severity
  • Verify that audit tools are owned by group root

    The Red Hat Enterprise Linux 7 operating system audit tools must have the proper ownership configured to protected against unauthorized access. Ve...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules