RHV hardening based on STIG for Red Hat Enterprise Linux 7
Rules and Groups employed by this XCCDF Profile
-
Do Not Allow SSH Environment Options
Ensure that users are not able to override environment variables of the SSH daemon. <br> The default SSH configuration disables environment process...Rule Medium Severity -
Enable Use of Strict Mode Checking
SSHs <code>StrictModes</code> option checks file and ownership permissions in the user's home directory <code>.ssh</code> folder before accepting l...Rule Medium Severity -
Enable SSH Warning Banner
To enable the warning banner and ensure it is consistent across the system, add or correct the following line in <code>/etc/ssh/sshd_config</code...Rule Medium Severity -
Enable Encrypted X11 Forwarding
By default, remote X11 connections are not encrypted when initiated by users. SSH has the capability to encrypt remote X11 connections when SSH's <...Rule High Severity -
Enable SSH Print Last Log
Ensure that SSH will display the date and time of the last successful account logon. <br> The default SSH configuration enables print of the date a...Rule Medium Severity -
Use Only FIPS 140-2 Validated Ciphers
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The foll...Rule Medium Severity -
Use Only FIPS 140-2 Validated MACs
Limit the MACs to those hash algorithms which are FIPS-approved. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of FIPS-a...Rule Medium Severity -
Enable Use of Privilege Separation
When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH...Rule Medium Severity -
System Security Services Daemon
The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red H...Group -
Configure PAM in SSSD Services
SSSD should be configured to run SSSD <code>pam</code> services. To configure SSSD to known SSH hosts, add <code>pam</code> to <code>services</code...Rule Medium Severity -
Enable Smartcards in SSSD
SSSD should be configured to authenticate access to the system using smart cards. To enable smart cards in SSSD, set <code>pam_cert_auth</code> to ...Rule Medium Severity -
Configure SSSD's Memory Cache to Expire
SSSD's memory cache should be configured to set to expire records after <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_sssd_mem...Rule Medium Severity -
Configure SSSD to Expire Offline Credentials
SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set <code>offline_credential...Rule Medium Severity -
Configure SSSD to Expire SSH Known Hosts
SSSD should be configured to expire keys from known SSH hosts after <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_sssd_ssh_kno...Rule Medium Severity -
X Window System
The X Window System implementation included with the system is called X.org.Group -
Disable X Windows
Unless there is a mission-critical reason for the system to run a graphical user interface, ensure X is not set to start automatically at boot and ...Group -
Remove the X Windows Package Group
By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.