RHV hardening based on STIG for Red Hat Enterprise Linux 7
Rules and Groups employed by this XCCDF Profile
-
Operating System Vendor Support and Certification
The assurance of a vendor to provide operating system support and maintenance for their product is an important criterion to ensure product stabili...Group -
The Installed Operating System Is FIPS 140-2 Certified
To enable processing of sensitive information the operating system must provide certified cryptographic modules compliant with FIPS 140-2 standard....Rule High Severity -
Endpoint Protection Software
Endpoint protection security software that is not provided or supported by Red Hat can be installed to provide complementary or duplicative secur...Group -
Install Virus Scanning Software
Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate syste...Rule High Severity -
Install Intrusion Detection Software
The base Red Hat Enterprise Linux 7 platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux...Rule High Severity -
Disk Partitioning
To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logic...Group -
Encrypt Partitions
Red Hat Enterprise Linux 7 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest...Rule High Severity -
Ensure /home Located On Separate Partition
If user home directories will be stored locally, create a separate partition for <code>/home</code> at installation time (or migrate it later using...Rule Low Severity -
Ensure /tmp Located On Separate Partition
The <code>/tmp</code> directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at...Rule Low Severity -
Ensure /var Located On Separate Partition
The <code>/var</code> directory is used by daemons and other system services to store frequently-changing data. Ensure that <code>/var</code> has i...Rule Low Severity -
Ensure /var/log/audit Located On Separate Partition
Audit logs are stored in the <code>/var/log/audit</code> directory. Ensure that <code>/var/log/audit</code> has its own partition or logical volum...Rule Low Severity -
GNOME Desktop Environment
GNOME is a graphical desktop environment bundled with many Linux distributions that allow users to easily interact with the operating system graphi...Group -
Remove the GDM Package Group
By removing the <code>gdm</code> package, the system no longer has GNOME installed installed. If X Windows is not installed then the system canno...Rule Medium Severity -
Sudo
<code>Sudo</code>, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrato...Group -
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having to authenticate. This shoul...Rule Medium Severity -
Only the VDSM User Can Use sudo NOPASSWD
The sudo <code>NOPASSWD</code> tag, when specified, allows a user to execute commands using sudo without having to authenticate. Only the <code>vds...Rule Medium Severity -
Updating Software
The <code>yum</code> command line tool is used to install and update software packages. The system also provides a graphical software update tool i...Group -
Ensure yum Removes Previous Package Versions
<code>yum</code> should be configured to remove previous software components after new versions have been installed. To configure <code>yum</code> ...Rule Low Severity -
Ensure gpgcheck Enabled In Main yum Configuration
The <code>gpgcheck</code> option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check pack...Rule High Severity -
Ensure gpgcheck Enabled for Local Packages
<code>yum</code> should be configured to verify the signature(s) of local packages prior to installation. To configure <code>yum</code> to verify s...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.