Skip to content
Log In

DRAFT - DISA STIG for Red Hat Virtualization Host (RHVH)

Rules and Groups employed by this XCCDF Profile

  • Verify Group Who Owns /etc/cron.allow file

    If <code>/etc/cron.allow</code> exists, it must be group-owned by <code>root</code>. To properly set the group owner of <code>/etc/cron.allow</code>, run the command: <pre>$ sudo chgrp root /etc/c...
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/cron.allow file

    If <code>/etc/cron.allow</code> exists, it must be owned by <code>root</code>. To properly set the owner of <code>/etc/cron.allow</code>, run the command: <pre>$ sudo chown root /etc/cron.allow </...
    Rule Medium Severity
    Show

  • FTP Server

    FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data transmitted during the session can be captured an...
    Group
    Show

  • Disable vsftpd if Possible

    To minimize attack surface, disable vsftpd if at all possible.
    Group
    Show

  • Uninstall vsftpd Package

    The vsftpd package can be removed with the following command: 
     $ sudo yum erase vsftpd
    Rule High Severity
    Show

  • LDAP

    LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. Red Hat Virtualization 4 includes software that enables a system to act as both a...
    Group
    Show

  • Configure OpenLDAP Clients

    This section provides information on which security settings are important to configure in OpenLDAP clients by manually editing the appropriate configuration files. Red Hat Virtualization 4 provid...
    Group
    Show

  • Configure LDAP Client to Use TLS For All Transactions

    This check verifies cryptography has been implemented to protect the integrity of remote LDAP authentication sessions. <br> <br> To determine if LDAP is being used for authentication, use t...
    Rule Medium Severity
    Show

  • NFS and RPC

    The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circumstances under which it is possible to disable NF...
    Group
    Show

  • Configure NFS Clients

    The steps in this section are appropriate for systems which operate as NFS clients.
    Group
    Show

  • Mount Remote Filesystems with Restrictive Options

    Edit the file <code>/etc/fstab</code>. For each filesystem whose type (column 3) is <code>nfs</code> or <code>nfs4</code>, add the text <code>,nodev,nosuid</code> to the list of mount options in co...
    Group
    Show

  • Mount Remote Filesystems with nodev

    Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
    Rule Medium Severity
    Show

  • Mount Remote Filesystems with noexec

    Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
    Rule Medium Severity
    Show

  • Mount Remote Filesystems with nosuid

    Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
    Rule Medium Severity
    Show

  • Configure NFS Servers

    The steps in this section are appropriate for systems which operate as NFS servers.
    Group
    Show

  • Use Kerberos Security on All Exports

    Using Kerberos on all exported mounts prevents a malicious client or user from impersonating a system user. To cryptography authenticate users to the NFS server, add <code>sec=krb5:krb5i:krb5p</cod...
    Rule Medium Severity
    Show

  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...
    Group
    Show

  • Enable the NTP Daemon

    Run the following command to determine the current status of the <code>chronyd</code> service: <pre>$ sudo systemctl is-active chronyd</pre> If the service is running, it should return the follo...
    Rule Medium Severity
    Show

  • Configure Time Service Maxpoll Interval

    The <code>maxpoll</code> should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy"></xccdf-1.2:sub> in <code>/etc/ntp.conf</code> o...
    Rule Medium Severity
    Show

  • Specify Additional Remote NTP Servers

    Depending on specific functional requirements of a concrete production environment, the Red Hat Virtualization 4 system can be configured to utilize the services of the <code>chronyd</code> NTP dae...
    Rule Medium Severity
    Show

  • Specify a Remote NTP Server

    Depending on specific functional requirements of a concrete production environment, the Red Hat Virtualization 4 system can be configured to utilize the services of the <code>chronyd</code> NTP dae...
    Rule Medium Severity
    Show

  • Obsolete Services

    This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best a...
    Group
    Show

  • Xinetd

    The <code>xinetd</code> service acts as a dedicated listener for some network services (mostly, obsolete ones) and can be used to provide access controls and perform some logging. It has been large...
    Group
    Show

  • Uninstall xinetd Package

    The xinetd package can be removed with the following command: 
    $ sudo yum erase xinetd
    Rule Low Severity
    Show

  • Disable xinetd Service

    The xinetd service can be disabled with the following command: 
    $ sudo systemctl mask --now xinetd.service
    Rule Medium Severity
    Show

  • NIS

    The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized authentication services. NIS...
    Group
    Show

  • Uninstall ypserv Package

    The ypserv package can be removed with the following command: 
    $ sudo yum erase ypserv
    Rule High Severity
    Show

  • Rlogin, Rsh, and Rexec

    The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.
    Group
    Show

  • Uninstall rsh-server Package

    The rsh-server package can be removed with the following command: 
    $ sudo yum erase rsh-server
    Rule High Severity
    Show

  • Disable rexec Service

    The <code>rexec</code> service, which is available with the <code>rsh-server</code> package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xine...
    Rule High Severity
    Show

  • Disable rlogin Service

    The <code>rlogin</code> service, which is available with the <code>rsh-server</code> package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xin...
    Rule High Severity
    Show

  • Remove Host-Based Authentication Files

    The <code>shosts.equiv</code> file lists remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location: <pre>$ sudo ...
    Rule High Severity
    Show

  • Remove User Host-Based Authentication Files

    The <code>~/.shosts</code> (in each user's home directory) files list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them fr...
    Rule High Severity
    Show

  • Chat/Messaging Services

    The talk software makes it possible for users to send and receive messages across systems through a terminal session.
    Group
    Show

  • Uninstall talk-server Package

    The talk-server package can be removed with the following command: 
     $ sudo yum erase talk-server
    Rule Medium Severity
    Show

  • Uninstall talk Package

    The <code>talk</code> package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. Talk is a communication program which ...
    Rule Medium Severity
    Show

  • Telnet

    The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication information such as passwords. Organizations which use tel...
    Group
    Show

  • Uninstall telnet-server Package

    The telnet-server package can be removed with the following command: 
    $ sudo yum erase telnet-server
    Rule High Severity
    Show

  • Remove telnet Clients

    The telnet client allows users to start connections to other systems via the telnet protocol.
    Rule Low Severity
    Show

  • Disable telnet Service

    Make sure that the activation of the <code>telnet</code> service on system boot is disabled. The <code>telnet</code> socket can be disabled with the following command: <pre>$ sudo systemctl mask -...
    Rule High Severity
    Show

  • TFTP Server

    TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides little security, and modern versions of networking oper...
    Group
    Show

  • Uninstall tftp-server Package

    The tftp-server package can be removed with the following command: 
     $ sudo yum erase tftp-server
    Rule High Severity
    Show

  • Ensure tftp Daemon Uses Secure Mode

    If running the Trivial File Transfer Protocol (TFTP) service is necessary, it should be configured to change its root directory at startup. To do so, ensure <code>/etc/xinetd.d/tftp</code> includes...
    Rule Medium Severity
    Show

  • Network Routing

    A router is a very desirable target for a potential adversary because they fulfill a variety of infrastructure networking roles such as access to network segments, gateways to other networks, filt...
    Group
    Show

  • Disable Quagga if Possible

    If Quagga was installed and activated, but the system does not need to act as a router, then it should be disabled and removed.
    Group
    Show

  • Disable Quagga Service

    The zebra service can be disabled with the following command: 
    $ sudo systemctl mask --now zebra.service
    Rule Medium Severity
    Show

  • SSH Server

    The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, throu...
    Group
    Show

  • Install the OpenSSH Server Package

    The openssh-server package should be installed. The openssh-server package can be installed with the following command: 
    $ sudo yum install openssh-server
    Rule Medium Severity
    Show

  • Enable the OpenSSH Service

    The SSH server service, sshd, is commonly needed. The sshd service can be enabled with the following command: 
    $ sudo systemctl enable sshd.service
    Rule Medium Severity
    Show

  • Verify Permissions on SSH Server Private *_key Key Files

    SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by the <code>root</code> user and the <code>root</code...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules