Skip to content

CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server

Rules and Groups employed by this XCCDF Profile

  • Ensure that System Accounts Are Locked

    Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. An attacker should not be abl...
    Rule Medium Severity
  • Ensure that System Accounts Do Not Run a Shell Upon Login

    Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. Should an attacker be able to...
    Rule Medium Severity
  • Enforce Usage of pam_wheel with Group Parameter for su Authentication

    To ensure that only users who are members of the group set in the <code>group</code> option of <code>pam_wheel.so</code> module can run commands wi...
    Rule Medium Severity
  • Secure Session Configuration Files for Login Accounts

    When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the...
    Group
  • Set Interactive Session Timeout

    Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that all user sessions will terminate based on inactivity. The value of ...
    Rule Medium Severity
  • User Initialization Files Must Be Group-Owned By The Primary Group

    Change the group owner of interactive users files to the group found in <pre>/etc/passwd</pre> for the user. To change the group owner of a local i...
    Rule Medium Severity
  • User Initialization Files Must Be Owned By the Primary User

    Set the owner of the user initialization files for interactive users to the primary owner with the following command: <pre>$ sudo chown <i>USER</i>...
    Rule Medium Severity
  • All Interactive Users Home Directories Must Exist

    Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create t...
    Rule Medium Severity
  • Ensure users' .netrc Files are not group or world accessible

    While the system administrator can establish secure permissions for users' .netrc files, the users can easily override these. This rule ensures ev...
    Rule Medium Severity
  • All Interactive User Home Directories Must Be Owned By The Primary User

    Change the owner of interactive users home directories to that correct owner. To change the owner of a interactive users home directory, use the fo...
    Rule Medium Severity
  • Ensure All User Initialization Files Have Mode 0740 Or Less Permissive

    Set the mode of the user initialization files to <code>0740</code> with the following command: <pre>$ sudo chmod 0740 /home/<i>USER</i>/.<i>INIT_FI...
    Rule Medium Severity
  • All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

    Change the mode of interactive users home directories to <code>0750</code>. To change the mode of interactive users home directory, use the followi...
    Rule Medium Severity
  • Ensure that No Dangerous Directories Exist in Root's Path

    The active path of the root account can be obtained by starting a new root shell and running: <pre># echo $PATH</pre> This will produce a colon-sep...
    Group
  • Ensure that Root's Path Does Not Include World or Group-Writable Directories

    For each element in root's path, run:
    # ls -ld DIR
    and ensure that write permissions are disabled for group and other.
    Rule Medium Severity
  • Ensure that Root's Path Does Not Include Relative Paths or Null Directories

    Ensure that none of the directories in root's path is equal to a single <code>.</code> character, or that it contains any instances that lead to re...
    Rule Unknown Severity
  • Ensure that Users Have Sensible Umask Values

    The umask setting controls the default permissions for the creation of new files. With a default <code>umask</code> setting of 077, files and direc...
    Group
  • Ensure the Default Bash Umask is Set Correctly

    To ensure the default umask for users of the Bash shell is set properly, add or correct the <code>umask</code> setting in <code>/etc/bashrc</code> ...
    Rule Medium Severity
  • Ensure the Default Umask is Set Correctly in login.defs

    To ensure the default umask controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>UMASK</code> setting in <code>/etc...
    Rule Medium Severity
  • Ensure the Default Umask is Set Correctly in /etc/profile

    To ensure the default umask controlled by <code>/etc/profile</code> is set properly, add or correct the <code>umask</code> setting in <code>/etc/pr...
    Rule Medium Severity
  • GRUB2 bootloader configuration

    During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows ...
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules