CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
Rules and Groups employed by this XCCDF Profile
-
TFTP Server
TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides little security, and modern versions of networking oper...Group -
Uninstall tftp-server Package
Thetftp-serverpackage can be removed with the following command:$ sudo yum erase tftp-server
Rule High Severity -
Remove tftp Daemon
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between systems. TFTP does not support authentication ...Rule Low Severity -
Print Support
The Common Unix Printing System (CUPS) service provides both local and network printing support. A system running the CUPS service can accept print jobs from other systems, process them, and send t...Group -
Disable the CUPS Service
Thecupsservice can be disabled with the following command:$ sudo systemctl mask --now cups.service
Rule Unknown Severity -
Proxy Server
A proxy server is a very desirable target for a potential adversary because much (or all) sensitive data for a given infrastructure may flow through it. Therefore, if one is required, the system ac...Group -
Disable Squid if Possible
If Squid was installed and activated, but the system does not need to act as a proxy server, then it should be disabled and removed.Group -
Uninstall squid Package
Thesquidpackage can be removed with the following command:$ sudo yum erase squid
Rule Unknown Severity -
Samba(SMB) Microsoft Windows File Sharing Server
When properly configured, the Samba service allows Linux systems to provide file and print sharing to Microsoft Windows systems. There are two software packages that provide Samba support. The firs...Group -
Disable Samba if Possible
Even after the Samba server package has been installed, it will remain disabled. Do not enable this service unless it is absolutely necessary to provide Microsoft Windows file and print sharing fun...Group -
Uninstall Samba Package
Thesambapackage can be removed with the following command:$ sudo yum erase samba
Rule Unknown Severity -
SNMP Server
The Simple Network Management Protocol allows administrators to monitor the state of network devices, including computers. Older versions of SNMP were well-known for weak security, such as plaintex...Group -
Disable SNMP Server if Possible
The system includes an SNMP daemon that allows for its remote monitoring, though it not installed by default. If it was installed and activated but is not needed, the software should be disabled an...Group -
Uninstall net-snmp Package
Thenet-snmppackage provides the snmpd service. Thenet-snmppackage can be removed with the following command:$ sudo yum erase net-snmp
Rule Unknown Severity -
SSH Server
The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, throu...Group -
Verify Group Who Owns SSH Server config file
To properly set the group owner of/etc/ssh/sshd_config, run the command:$ sudo chgrp root /etc/ssh/sshd_config
Rule Medium Severity -
Verify Group Ownership on SSH Server Private *_key Key Files
SSH server private keys, files that match the/etc/ssh/*_keyglob, must be group-owned byssh_keysgroup.Rule Medium Severity -
Verify Group Ownership on SSH Server Public *.pub Key Files
SSH server public keys, files that match the/etc/ssh/*.pubglob, must be group-owned byrootgroup.Rule Medium Severity -
Verify Owner on SSH Server config file
To properly set the owner of/etc/ssh/sshd_config, run the command:$ sudo chown root /etc/ssh/sshd_config
Rule Medium Severity -
Verify Ownership on SSH Server Private *_key Key Files
SSH server private keys, files that match the/etc/ssh/*_keyglob, must be owned byrootuser.Rule Medium Severity -
Verify Ownership on SSH Server Public *.pub Key Files
SSH server public keys, files that match the/etc/ssh/*.pubglob, must be owned byrootuser.Rule Medium Severity -
Verify Permissions on SSH Server config file
To properly set the permissions of/etc/ssh/sshd_config, run the command:$ sudo chmod 0600 /etc/ssh/sshd_config
Rule Medium Severity -
Verify Permissions on SSH Server Private *_key Key Files
SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by the <code>root</code> user and the <code>root</code...Rule Medium Severity -
Verify Permissions on SSH Server Public *.pub Key Files
To properly set the permissions of/etc/ssh/*.pub, run the command:$ sudo chmod 0644 /etc/ssh/*.pub
Rule Medium Severity -
Configure OpenSSH Server if Necessary
If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_config</code>. The following recommendations can be app...Group -
Set SSH Client Alive Count Max
The SSH server sends at most <code>ClientAliveCountMax</code> messages during a SSH session and waits for a response from the SSH client. The option <code>ClientAliveInterval</code> configures time...Rule Medium Severity -
Set SSH Client Alive Interval
SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automatically logged out. <br> <br> To se...Rule Medium Severity -
Disable Host-Based Authentication
SSH's cryptographic host-based authentication is more secure than <code>.rhosts</code> authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organ...Rule Medium Severity -
Disable SSH Access via Empty Passwords
Disallow SSH login with empty passwords. The default SSH configuration disables logins with empty passwords. The appropriate configuration is used if no value is set for <code>PermitEmptyPasswords<...Rule High Severity -
Disable SSH Support for .rhosts Files
SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via <code>.rhosts</code> files. <br> The default SSH configuration disables su...Rule Medium Severity -
Disable SSH Root Login
The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>Pe...Rule Medium Severity -
Do Not Allow SSH Environment Options
Ensure that users are not able to override environment variables of the SSH daemon. <br> The default SSH configuration disables environment processing. The appropriate configuration is used if no v...Rule Medium Severity -
Enable PAM
UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM...Rule Medium Severity -
Enable SSH Warning Banner
To enable the warning banner and ensure it is consistent across the system, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>Banner /etc/issue.net</pre> Another sectio...Rule Medium Severity -
Limit Users' SSH Access
By default, the SSH configuration allows any user with an account to access the system. There are several options available to limit which users and group can access the system via SSH. It is recom...Rule Unknown Severity -
Ensure SSH LoginGraceTime is configured
The <code>LoginGraceTime</code> parameter to the SSH server specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated ...Rule Medium Severity -
Set SSH Daemon LogLevel to VERBOSE
The <code>VERBOSE</code> parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct the following line in <code>/etc/ssh/sshd_config<...Rule Medium Severity -
Set SSH authentication attempt limit
The <code>MaxAuthTries</code> parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures ar...Rule Medium Severity -
Set SSH MaxSessions limit
The <code>MaxSessions</code> parameter specifies the maximum number of open sessions permitted from a given connection. To set MaxSessions edit <code>/etc/ssh/sshd_config</code> as follows: <pre>Ma...Rule Medium Severity -
Ensure SSH MaxStartups is configured
The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the Login...Rule Medium Severity -
Use Only FIPS 140-2 Validated Ciphers
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in <code>/etc/ssh/sshd_config</code> de...Rule Medium Severity -
X Window System
The X Window System implementation included with the system is called X.org.Group -
Disable X Windows
Unless there is a mission-critical reason for the system to run a graphical user interface, ensure X is not set to start automatically at boot and remove the X Windows software packages. There is u...Group -
Remove the X Windows Package Group
By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the s...Rule Medium Severity -
Disable X Windows Startup By Setting Default Target
Systems that do not require a graphical user interface should only boot by default into <code>multi-user.target</code> mode. This prevents accidental booting of the system into a <code>graphical.ta...Rule Medium Severity -
Ensure Authentication Required for Single User Mode
Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.Rule Medium Severity -
Configure Firewalld to Restrict Loopback Traffic
Configure <code>firewalld</code> to restrict loopback traffic to the <code>lo</code> interface. The loopback traffic must be trusted by assigning the <code>lo</code> interface to the <code>firewal...Rule Medium Severity -
Configure Firewalld to Trust Loopback Traffic
Assign loopback interface to the <code>firewalld</code> <code>trusted</code> zone in order to explicitly allow the loopback traffic in the system. To configure <code>firewalld</c...Rule Medium Severity -
Verify Permissions and Ownership of Old Passwords File
To properly set the owner of <code>/etc/security/opasswd</code>, run the command: <pre>$ sudo chown root /etc/security/opasswd </pre> To properly set the group owner of <code>/etc/security/opasswd...Rule Medium Severity -
Verify Group Who Owns /etc/shells File
To properly set the group owner of/etc/shells, run the command:$ sudo chgrp root /etc/shells
Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules