DISA STIG for Red Hat Enterprise Linux 7
Rules and Groups employed by this XCCDF Profile
-
Configure Operating System to Protect Mail Server
The guidance in this section is appropriate for any host which is operating as a site MTA, whether the mail server runs using Sendmail, Postfix, or...Group -
Configure Postfix if Necessary
Postfix stores its configuration files in the directory /etc/postfix by default. The primary configuration file is/etc/postfix/main.cf.Group -
Control Mail Relaying
Postfix's mail relay controls are implemented with the help of the smtpd recipient restrictions option, which controls the restrictions placed on t...Group -
Prevent Unrestricted Mail Relaying
Modify the <pre>/etc/postfix/main.cf</pre> file to restrict client connections to the local network with the following command: <pre>$ sudo postcon...Rule Medium Severity -
NFS and RPC
The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circ...Group -
Configure NFS Clients
The steps in this section are appropriate for systems which operate as NFS clients.Group -
Mount Remote Filesystems with Restrictive Options
Edit the file <code>/etc/fstab</code>. For each filesystem whose type (column 3) is <code>nfs</code> or <code>nfs4</code>, add the text <code>,node...Group -
Mount Remote Filesystems with Kerberos Security
Add the <code>sec=krb5:krb5i:krb5p</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of any NFS mo...Rule Medium Severity -
Mount Remote Filesystems with noexec
Add thenoexecoption to the fourth column of/etc/fstabfor the line which controls mounting of any NFS mounts.Rule Medium Severity -
Mount Remote Filesystems with nosuid
Add thenosuidoption to the fourth column of/etc/fstabfor the line which controls mounting of any NFS mounts.Rule Medium Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...Group -
Configure Time Service Maxpoll Interval
The <code>maxpoll</code> should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy...Rule Medium Severity -
Obsolete Services
This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or...Group -
NIS
The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and oth...Group -
Uninstall ypserv Package
Theypservpackage can be removed with the following command:$ sudo yum erase ypserv
Rule High Severity -
Rlogin, Rsh, and Rexec
The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.Group -
Uninstall rsh-server Package
Thersh-serverpackage can be removed with the following command:$ sudo yum erase rsh-server
Rule High Severity -
Remove Host-Based Authentication Files
The <code>shosts.equiv</code> file lists remote hosts and users that are trusted by the local system. To remove these files, run the following comm...Rule High Severity -
Remove User Host-Based Authentication Files
The <code>~/.shosts</code> (in each user's home directory) files list remote hosts and users that are trusted by the local system. To remove these ...Rule High Severity -
Telnet
The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication informat...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.