RHV hardening based on STIG for Red Hat Enterprise Linux 7
Rules and Groups employed by this XCCDF Profile
-
Configure Multiple DNS Servers in /etc/resolv.conf
Determine whether the system is using local or DNS name resolution with the following command: <pre>$ sudo grep hosts /etc/nsswitch.conf hosts: files dns</pre> If the DNS entry is missing from the...Rule Medium Severity -
Ensure System is Not Acting as a Network Sniffer
The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuou...Rule Medium Severity -
firewalld
The dynamic firewall daemon <code>firewalld</code> provides a dynamically managed firewall with support for network “zones” to assign a level of trust to a network and its associated connections an...Group -
Inspect and Activate Default firewalld Rules
Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. <code>NetworkManager</code>...Group -
Verify firewalld Enabled
Thefirewalldservice can be enabled with the following command:$ sudo systemctl enable firewalld.service
Rule Medium Severity -
Strengthen the Default Ruleset
The default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in configuration files under the <code>/etc/firewalld/services</code> and <code>...Group -
Configure the Firewalld Ports
Configure the <code>firewalld</code> ports to allow approved services to have access to the system. To configure <code>firewalld</code> to open ports, run the following command: <pre>firewall-cmd -...Rule Medium Severity -
Set Default firewalld Zone for Incoming Packets
To set the default zone to <code>drop</code> for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following line in <code>/etc/firewalld/firewalld.conf</code> to...Rule Medium Severity -
IPSec Support
Support for Internet Protocol Security (IPsec) is provided with Libreswan.Group -
Verify Any Configured IPSec Tunnel Connections
Libreswan provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. As such, IPsec can be used to circumvent certain network requirements su...Rule Medium Severity -
IPv6
The system includes support for Internet Protocol version 6. A major and often-mentioned improvement over IPv4 is its enormous increase in the number of available addresses. Another important featu...Group -
Disable Support for IPv6 Unless Needed
Despite configuration that suggests support for IPv6 has been disabled, link-local IPv6 address auto-configuration occurs even when only an IPv4 address is assigned. The only way to effectively pre...Group -
Disable Support for RPC IPv6
RPC services for NFSv4 try to load transport modules for <code>udp6</code> and <code>tcp6</code> by default, even if IPv6 has been disabled in <code>/etc/modprobe.d</code>. To prevent RPC services ...Rule Unknown Severity -
Disable IPv6 Addressing on All IPv6 Interfaces
To disable support for (<code>ipv6</code>) addressing on all interface add the following line to <code>/etc/sysctl.d/ipv6.conf</code> (or another file in <code>/etc/sysctl.d</code>): <pre>net.ipv6....Rule Medium Severity -
Configure IPv6 Settings if Necessary
A major feature of IPv6 is the extent to which systems implementing it can automatically configure their networking devices using information from the network. From a security perspective, manually...Group -
Use Privacy Extensions for Address
To introduce randomness into the automatic generation of IPv6 addresses, add or correct the following line in <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>: <pre>IPV6_PRIVACY=r...Rule Unknown Severity -
Configure Accepting Router Advertisements on All IPv6 Interfaces
To set the runtime status of the <code>net.ipv6.conf.all.accept_ra</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0</pre> To make sure that th...Rule Medium Severity -
Disable Accepting ICMP Redirects for All IPv6 Interfaces
To set the runtime status of the <code>net.ipv6.conf.all.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0</pre> To mak...Rule Medium Severity -
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
To set the runtime status of the <code>net.ipv6.conf.all.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0</pre> ...Rule Medium Severity -
Disable Kernel Parameter for IPv6 Forwarding
To set the runtime status of the <code>net.ipv6.conf.all.forwarding</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.forwarding=0</pre> To make sure that ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.