C2S for Red Hat Enterprise Linux 7
Rules and Groups employed by this XCCDF Profile
-
Verify /boot/grub2/grub.cfg User Ownership
The file <code>/boot/grub2/grub.cfg</code> should be owned by the <code>root</code> user to prevent destruction or modification of the file. To pr...Rule Medium Severity -
Verify /boot/grub2/grub.cfg Permissions
File permissions for <code>/boot/grub2/grub.cfg</code> should be set to 600. To properly set the permissions of <code>/boot/grub2/grub.cfg</code>,...Rule Medium Severity -
Set Boot Loader Password in grub2
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> Since plaintext passw...Rule High Severity -
UEFI GRUB2 bootloader configuration
UEFI GRUB2 bootloader configurationGroup -
Set the UEFI Boot Loader Password
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> Since plaintext passw...Rule High Severity -
Configure Syslog
The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lac...Group -
Ensure rsyslog is Installed
Rsyslog is installed by default. Thersyslogpackage can be installed with the following command:$ sudo yum install rsyslog
Rule Medium Severity -
Enable rsyslog Service
The <code>rsyslog</code> service provides syslog-style logging by default on Red Hat Enterprise Linux 7. The <code>rsyslog</code> service can be e...Rule Medium Severity -
Ensure Proper Configuration of Log Files
The file <code>/etc/rsyslog.conf</code> controls where log message are written. These are controlled by lines called <i>rules</i>, which consist of...Group -
Ensure System Log Files Have Correct Permissions
The file permissions for all log files written by <code>rsyslog</code> should be set to 640, or more restrictive. These log files are determined by...Rule Medium Severity -
Ensure All Logs are Rotated by logrotate
Edit the file <code>/etc/logrotate.d/syslog</code>. Find the first line, which should look like this (wrapped for clarity): <pre>/var/log/message...Group -
Ensure Logrotate Runs Periodically
The <code>logrotate</code> utility allows for the automatic rotation of log files. The frequency of rotation is specified in <code>/etc/logrotate....Rule Medium Severity -
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
By default, <code>rsyslog</code> does not listen over the network for log messages. If needed, modules can be enabled to allow the rsyslog daemon t...Group -
Enable rsyslog to Accept Messages via TCP, if Acting As Log Server
The <code>rsyslog</code> daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central l...Rule Unknown Severity -
Enable rsyslog to Accept Messages via UDP, if Acting As Log Server
The <code>rsyslog</code> daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central l...Rule Unknown Severity -
Rsyslog Logs Sent To Remote Host
If system logs are to be useful in detecting malicious activities, it is necessary to send logs to a remote server. An intruder who has compromised...Group -
Ensure Logs Sent To Remote Host
To configure rsyslog to send logs to a remote log server, open <code>/etc/rsyslog.conf</code> and read and understand the last section of the file,...Rule Medium Severity -
Network Configuration and Firewalls
Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses th...Group -
IPv6
The system includes support for Internet Protocol version 6. A major and often-mentioned improvement over IPv4 is its enormous increase in the numb...Group -
Disable Support for IPv6 Unless Needed
Despite configuration that suggests support for IPv6 has been disabled, link-local IPv6 address auto-configuration occurs even when only an IPv4 ad...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.