Skip to content

DISA STIG for Red Hat Enterprise Linux 9

Rules and Groups employed by this XCCDF Profile

  • Disable Quagga if Possible

    If Quagga was installed and activated, but the system does not need to act as a router, then it should be disabled and removed.
    Group
  • Uninstall quagga Package

    The quagga package can be removed with the following command:
     $ sudo dnf erase quagga
    Rule Low Severity
  • SSH Server

    The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between tw...
    Group
  • Install OpenSSH client software

    The openssh-clients package can be installed with the following command:
    $ sudo dnf install openssh-clients
    Rule Medium Severity
  • Install the OpenSSH Server Package

    The <code>openssh-server</code> package should be installed. The <code>openssh-server</code> package can be installed with the following command: <...
    Rule Medium Severity
  • Enable the OpenSSH Service

    The SSH server service, sshd, is commonly needed. The <code>sshd</code> service can be enabled with the following command: <pre>$ sudo systemctl e...
    Rule Medium Severity
  • Verify Group Who Owns SSH Server config file

    To properly set the group owner of /etc/ssh/sshd_config, run the command:
    $ sudo chgrp root /etc/ssh/sshd_config
    Rule Medium Severity
  • Verify Owner on SSH Server config file

    To properly set the owner of /etc/ssh/sshd_config, run the command:
    $ sudo chown root /etc/ssh/sshd_config 
    Rule Medium Severity
  • Verify Permissions on SSH Server config file

    To properly set the permissions of /etc/ssh/sshd_config, run the command:
    $ sudo chmod 0600 /etc/ssh/sshd_config
    Rule Medium Severity
  • Verify Permissions on SSH Server Private *_key Key Files

    SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by t...
    Rule Medium Severity
  • Verify Permissions on SSH Server Public *.pub Key Files

    To properly set the permissions of /etc/ssh/*.pub, run the command:
    $ sudo chmod 0644 /etc/ssh/*.pub
    Rule Medium Severity
  • Configure OpenSSH Client if Necessary

    The following configuration changes apply to the SSH client. They can improve security parameters relwevant to the client user, e.g. increasing ent...
    Group
  • Verify the SSH Private Key Files Have a Passcode

    When creating SSH key pairs, always use a passcode. <br> You can create such keys with the following command: <pre>$ sudo ssh-keygen -n [passphrase...
    Rule Medium Severity
  • Configure OpenSSH Server if Necessary

    If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_confi...
    Group
  • Set SSH Client Alive Count Max

    The SSH server sends at most <code>ClientAliveCountMax</code> messages during a SSH session and waits for a response from the SSH client. The optio...
    Rule Medium Severity
  • Set SSH Client Alive Interval

    SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automat...
    Rule Medium Severity
  • Disable Host-Based Authentication

    SSH's cryptographic host-based authentication is more secure than <code>.rhosts</code> authentication. However, it is not recommended that hosts un...
    Rule Medium Severity
  • Enable SSH Server firewalld Firewall Exception

    If the SSH server is in use, inbound connections to SSH's port should be allowed to permit remote access through SSH. In more restrictive firewalld...
    Rule Medium Severity
  • Disable Compression Or Set Compression to delayed

    Compression is useful for slow network connections over long distances but can cause performance issues on local LANs. If use of compression is req...
    Rule Medium Severity
  • Disable SSH Access via Empty Passwords

    Disallow SSH login with empty passwords. The default SSH configuration disables logins with empty passwords. The appropriate configuration is used ...
    Rule High Severity
  • Disable GSSAPI Authentication

    Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI. <br> The default SSH configuration disallows ...
    Rule Medium Severity
  • Disable Kerberos Authentication

    Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. <br> The default SSH configuration disallow...
    Rule Medium Severity
  • Disable SSH Support for .rhosts Files

    SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via <code>.rhosts</code> fil...
    Rule Medium Severity
  • Disable SSH Root Login

    The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following lin...
    Rule Medium Severity
  • Disable SSH Support for User Known Hosts

    SSH can allow system users to connect to systems if a cache of the remote systems public keys is available. This should be disabled. <br><br> To e...
    Rule Medium Severity
  • Disable X11 Forwarding

    The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. SSH has the cap...
    Rule Medium Severity
  • Do Not Allow SSH Environment Options

    Ensure that users are not able to override environment variables of the SSH daemon. <br> The default SSH configuration disables environment process...
    Rule Medium Severity
  • Enable PAM

    UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentica...
    Rule Medium Severity
  • Enable Public Key Authentication

    Enable SSH login with public keys. <br> The default SSH configuration enables authentication based on public keys. The appropriate configuration is...
    Rule Medium Severity
  • Enable Use of Strict Mode Checking

    SSHs <code>StrictModes</code> option checks file and ownership permissions in the user's home directory <code>.ssh</code> folder before accepting l...
    Rule Medium Severity
  • Enable SSH Warning Banner

    To enable the warning banner and ensure it is consistent across the system, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-...
    Rule Medium Severity
  • Enable SSH Print Last Log

    Ensure that SSH will display the date and time of the last successful account logon. <br> The default SSH configuration enables print of the date a...
    Rule Medium Severity
  • Force frequent session key renegotiation

    The <code>RekeyLimit</code> parameter specifies how often the session key of the is renegotiated, both in terms of amount of data that may be trans...
    Rule Medium Severity
  • Set SSH Daemon LogLevel to VERBOSE

    The <code>VERBOSE</code> parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct t...
    Rule Medium Severity
  • Enable Use of Privilege Separation

    When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH...
    Rule Medium Severity
  • Prevent remote hosts from connecting to the proxy display

    The SSH daemon should prevent remote hosts from connecting to the proxy display. <br> The default SSH configuration for <code>X11UseLocalhost</code...
    Rule Medium Severity
  • System Security Services Daemon

    The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red H...
    Group
  • Certificate status checking in SSSD

    Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-ba...
    Rule Medium Severity
  • Enable Certmap in SSSD

    SSSD should be configured to verify the certificate of the user or group. To set this up ensure that section like <code>certmap/testing.test/rule_...
    Rule Medium Severity
  • Enable Smartcards in SSSD

    SSSD should be configured to authenticate access to the system using smart cards. To enable smart cards in SSSD, set <code>pam_cert_auth</code> to ...
    Rule Medium Severity
  • SSSD Has a Correct Trust Anchor

    SSSD must have acceptable trust anchor present.
    Rule Medium Severity
  • Configure SSSD to Expire Offline Credentials

    SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set <code>offline_credential...
    Rule Medium Severity
  • USBGuard daemon

    The USBGuard daemon enforces the USB device authorization policy for all USB devices.
    Group
  • Install usbguard Package

    The usbguard package can be installed with the following command:
    $ sudo dnf install usbguard
    Rule Medium Severity
  • Enable the USBGuard Service

    The USBGuard service should be enabled. The <code>usbguard</code> service can be enabled with the following command: <pre>$ sudo systemctl enable ...
    Rule Medium Severity
  • Log USBGuard daemon audit events using Linux Audit

    To configure USBGuard daemon to log via Linux Audit (as opposed directly to a file), <code>AuditBackend</code> option in <code>/etc/usbguard/usbgua...
    Rule Low Severity
  • Generate USBGuard Policy

    By default USBGuard when enabled prevents access to all USB devices and this lead to inaccessible system if they use USB mouse/keyboard. To prevent...
    Rule Medium Severity
  • X Window System

    The X Window System implementation included with the system is called X.org.
    Group
  • Disable X Windows

    Unless there is a mission-critical reason for the system to run a graphical user interface, ensure X is not set to start automatically at boot and ...
    Group
  • Disable graphical user interface

    By removing the following packages, the system no longer has X Windows installed. <code>xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-serv...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules