DISA STIG for Red Hat Enterprise Linux 7
Rules and Groups employed by this XCCDF Profile
-
Ensure No Device Files are Unlabeled by SELinux
Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files ca...Rule Medium Severity -
Confine SELinux Users To Roles That Conform To Least Privilege
Configure the operating system to confine SELinux users to roles that conform to least privilege. Use the following command to map the "staff_u" SE...Rule Medium Severity -
Elevate The SELinux Context When An Administrator Calls The Sudo Command
Configure the operating system to elevate the SELinux context when an administrator calls the sudo command. Edit a file in the /etc/sudoers.d direc...Rule Medium Severity -
Configure SELinux Policy
The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To config...Rule Medium Severity -
Ensure SELinux State is Enforcing
The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub><...Rule High Severity -
Map System Users To The Appropriate SELinux Role
Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering...Rule Medium Severity -
SELinux - Booleans
Enable or Disable runtime customization of SELinux system policies without having to reload or recompile the SELinux policy.Group -
Disable the ssh_sysadm_login SELinux Boolean
By default, the SELinux boolean <code>ssh_sysadm_login</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code...Rule Medium Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Red Hat Enterpris...Group -
Base Services
This section addresses the base services that are installed on a Red Hat Enterprise Linux 7 default installation which are not covered in other sec...Group -
Disable KDump Kernel Crash Analyzer (kdump)
The <code>kdump</code> service provides a kernel crash dump analyzer. It uses the <code>kexec</code> system call to boot a secondary kernel ("captu...Rule Medium Severity -
Cron and At Daemons
The cron and at services are used to allow commands to be executed at a later time. The cron service is required by almost all systems to perform n...Group -
Restrict at and cron to Authorized Users if Necessary
The <code>/etc/cron.allow</code> and <code>/etc/at.allow</code> files contain lists of users who are allowed to use <code>cron</code> and at to del...Group -
Verify Group Who Owns /etc/cron.allow file
If <code>/etc/cron.allow</code> exists, it must be group-owned by <code>root</code>. To properly set the group owner of <code>/etc/cron.allow</cod...Rule Medium Severity -
Verify User Who Owns /etc/cron.allow file
If <code>/etc/cron.allow</code> exists, it must be owned by <code>root</code>. To properly set the owner of <code>/etc/cron.allow</code>, run the ...Rule Medium Severity -
FTP Server
FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data...Group -
Disable vsftpd if Possible
To minimize attack surface, disable vsftpd if at all possible.Group -
Uninstall vsftpd Package
Thevsftpdpackage can be removed with the following command:$ sudo yum erase vsftpd
Rule High Severity -
Mail Server Software
Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious target...Group -
The mailx Package Is Installed
A mail server is required for sending emails. The <code>mailx</code> package can be installed with the following command: <pre> $ sudo yum install ...Rule Medium Severity -
Configure Operating System to Protect Mail Server
The guidance in this section is appropriate for any host which is operating as a site MTA, whether the mail server runs using Sendmail, Postfix, or...Group -
Configure Postfix if Necessary
Postfix stores its configuration files in the directory /etc/postfix by default. The primary configuration file is/etc/postfix/main.cf.Group -
Control Mail Relaying
Postfix's mail relay controls are implemented with the help of the smtpd recipient restrictions option, which controls the restrictions placed on t...Group -
Prevent Unrestricted Mail Relaying
Modify the <pre>/etc/postfix/main.cf</pre> file to restrict client connections to the local network with the following command: <pre>$ sudo postcon...Rule Medium Severity -
NFS and RPC
The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circ...Group -
Configure NFS Clients
The steps in this section are appropriate for systems which operate as NFS clients.Group -
Mount Remote Filesystems with Restrictive Options
Edit the file <code>/etc/fstab</code>. For each filesystem whose type (column 3) is <code>nfs</code> or <code>nfs4</code>, add the text <code>,node...Group -
Mount Remote Filesystems with Kerberos Security
Add the <code>sec=krb5:krb5i:krb5p</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of any NFS mo...Rule Medium Severity -
Mount Remote Filesystems with noexec
Add thenoexecoption to the fourth column of/etc/fstabfor the line which controls mounting of any NFS mounts.Rule Medium Severity -
Mount Remote Filesystems with nosuid
Add thenosuidoption to the fourth column of/etc/fstabfor the line which controls mounting of any NFS mounts.Rule Medium Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...Group -
Configure Time Service Maxpoll Interval
The <code>maxpoll</code> should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy...Rule Medium Severity -
Obsolete Services
This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or...Group -
NIS
The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and oth...Group -
Uninstall ypserv Package
Theypservpackage can be removed with the following command:$ sudo yum erase ypserv
Rule High Severity -
Rlogin, Rsh, and Rexec
The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.Group -
Uninstall rsh-server Package
Thersh-serverpackage can be removed with the following command:$ sudo yum erase rsh-server
Rule High Severity -
Remove Host-Based Authentication Files
The <code>shosts.equiv</code> file lists remote hosts and users that are trusted by the local system. To remove these files, run the following comm...Rule High Severity -
Remove User Host-Based Authentication Files
The <code>~/.shosts</code> (in each user's home directory) files list remote hosts and users that are trusted by the local system. To remove these ...Rule High Severity -
Telnet
The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication informat...Group -
Uninstall telnet-server Package
Thetelnet-serverpackage can be removed with the following command:$ sudo yum erase telnet-server
Rule High Severity -
TFTP Server
TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides littl...Group -
Uninstall tftp-server Package
Thetftp-serverpackage can be removed with the following command:$ sudo yum erase tftp-server
Rule High Severity -
Ensure tftp Daemon Uses Secure Mode
If running the Trivial File Transfer Protocol (TFTP) service is necessary, it should be configured to change its root directory at startup. To do s...Rule Medium Severity -
SNMP Server
The Simple Network Management Protocol allows administrators to monitor the state of network devices, including computers. Older versions of SNMP w...Group -
Configure SNMP Server if Necessary
If it is necessary to run the snmpd agent on the system, some best practices should be followed to minimize the security risk from the installation...Group -
Ensure Default SNMP Password Is Not Used
Edit <code>/etc/snmp/snmpd.conf</code>, remove or change the default community strings of <code>public</code> and <code>private</code>. This profil...Rule High Severity -
SSH Server
The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between tw...Group -
Install the OpenSSH Server Package
The <code>openssh-server</code> package should be installed. The <code>openssh-server</code> package can be installed with the following command: <...Rule Medium Severity -
Enable the OpenSSH Service
The SSH server service, sshd, is commonly needed. The <code>sshd</code> service can be enabled with the following command: <pre>$ sudo systemctl e...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules