Guide to the Secure Configuration of Red Hat Enterprise Linux 8

with profile DISA STIG for Red Hat Enterprise Linux 8
This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 8 V1R9. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:
- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 8 image
This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 8. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the scap-security-guide package, which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target: localhost.localdomain
Target ID: podman-image://8c87a428f829084c0fb6ab9ce0d9ce58a6455f77c42afa3bce5b0ceb8250acd3 [registry.twistlock.com/twistlock/console:console_30_03_122]
Benchmark URL: ./scap-security-guide-0.1.68/ssg-rhel8-ds.xml
Benchmark ID: xccdf_org.ssgproject.content_benchmark_RHEL-8
Benchmark version: 0.1.68
Profile ID: xccdf_org.ssgproject.content_profile_stig
Started at: 2023-07-16T07:38:39+00:00
Finished at: 2023-07-16T07:38:45+00:00
Performed by: unknown user
Test system: cpe:/a:redhat:openscap:1.3.7

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.10
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.9


    Compliance and Scoring

    The target system did not satisfy the conditions of 13 rules. Review the rule results and consider applying remediation. Because the target is a container image (see Target ID above), rules that apply only to a full host, such as the PAM lockout and login.defs checks, are reported as notapplicable rather than evaluated, which is why so many rows in the Rule Overview carry that result.

    Rule results

    1323 passed
    13 failed
    4 other

    Severity of failed rules

    0 other
    1 low
    10 medium
    2 high

    Score

    Scoring system: urn:xccdf:scoring:default
    Score: 79.012787
    Maximum: 100.000000
    Percent: 79.01%

    The default XCCDF scoring model averages rule scores within each group and then averages group scores up the benchmark tree, with notapplicable and notchecked rules left out, so this figure is not the flat ratio of passed to scored rules (1323 of 1336 would be about 99%). A handful of failures concentrated in small groups, such as the six in System Cryptographic Policies, pulls the score down far more than their share of the rule count suggests.
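    The counts and the score above are derived from the TestResult element of the XCCDF results file that oscap writes; for a container image the run that produces it is `oscap-podman IMAGE xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results results.xml --report report.html ssg-rhel8-ds.xml`. The Python below is an added example, not part of this report or of the scap-security-guide project: it parses a constructed miniature benchmark and TestResult (the group and rule ids in it are invented for illustration) and recomputes the per-result counts, the failed-by-severity breakdown, and the urn:xccdf:scoring:default score, alongside the flat pass ratio that the score is often mistaken for.

```python
"""Recompute an OpenSCAP report's rule counts and default-model score from XCCDF XML.

Added example (not part of this report or of scap-security-guide). The benchmark
and TestResult below are constructed miniatures with invented ids; real files
use the same element names and namespace but are far larger.
"""
import xml.etree.ElementTree as ET

NS = "{http://checklists.nist.gov/xccdf/1.2}"

# Rule results that carry a score in the urn:xccdf:scoring:default model.
SCORED = {"pass": 100.0, "fixed": 100.0, "fail": 0.0}

# Constructed benchmark tree: three top-level groups, one nested group, ten rules.
BENCHMARK_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_mini">
  <Group id="xccdf_example_group_crypto">
    <Rule id="xccdf_example_rule_crypto_policy" severity="high"/>
    <Rule id="xccdf_example_rule_ssh_ciphers" severity="medium"/>
  </Group>
  <Group id="xccdf_example_group_accounts">
    <Group id="xccdf_example_group_pam">
      <Rule id="xccdf_example_rule_lockout_logged" severity="medium"/>
      <Rule id="xccdf_example_rule_lock_after_fail" severity="medium"/>
    </Group>
    <Rule id="xccdf_example_rule_home_exists" severity="medium"/>
  </Group>
  <Group id="xccdf_example_group_tools">
    <Rule id="xccdf_example_rule_rng_tools" severity="low"/>
    <Rule id="xccdf_example_rule_tuned" severity="medium"/>
    <Rule id="xccdf_example_rule_gssproxy" severity="medium"/>
    <Rule id="xccdf_example_rule_iprutils" severity="medium"/>
    <Rule id="xccdf_example_rule_abrt_cli" severity="low"/>
  </Group>
</Benchmark>"""

# Constructed TestResult in the shape oscap writes: one rule-result per evaluated rule.
RESULTS_XML = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult">
  <rule-result idref="xccdf_example_rule_crypto_policy" severity="high"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_ssh_ciphers" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_lockout_logged" severity="medium"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_lock_after_fail" severity="medium"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_example_rule_home_exists" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_rng_tools" severity="low"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_tuned" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_gssproxy" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_iprutils" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_abrt_cli" severity="low"><result>pass</result></rule-result>
</TestResult>"""


def load_results(results_xml):
    """Map rule id -> (result, severity) from the rule-result elements."""
    root = ET.fromstring(results_xml)
    results = {}
    for rr in root.iter(NS + "rule-result"):
        results[rr.get("idref")] = (rr.findtext(NS + "result"), rr.get("severity", "unknown"))
    return results


def summarize(results):
    """Counts per result value, and failed rules broken down by severity."""
    by_result, failed_by_severity = {}, {}
    for result, severity in results.values():
        by_result[result] = by_result.get(result, 0) + 1
        if result == "fail":
            failed_by_severity[severity] = failed_by_severity.get(severity, 0) + 1
    return by_result, failed_by_severity


def default_score(node, results):
    """urn:xccdf:scoring:default (XCCDF 1.2, section 7.3.2). Returns (score, counted).

    A Rule scores 100 for pass/fixed and 0 for fail; any other result leaves it
    uncounted. A Group or Benchmark scores the weight-averaged score of its
    counted children (weight attribute, default 1.0); uncounted children are
    skipped, and a group with no counted child is itself uncounted.
    """
    if node.tag == NS + "Rule":
        result = results.get(node.get("id"), ("notselected", ""))[0]
        return (SCORED[result], True) if result in SCORED else (0.0, False)
    total = weight_sum = 0.0
    for child in node:
        if child.tag not in (NS + "Rule", NS + "Group"):
            continue
        score, counted = default_score(child, results)
        if counted:
            weight = float(child.get("weight", "1.0"))
            total += weight * score
            weight_sum += weight
    return (total / weight_sum, True) if weight_sum else (0.0, False)


def score_benchmark(benchmark_xml, results_xml):
    """The report's 'Score' figure: default-model score of the whole benchmark."""
    score, _ = default_score(ET.fromstring(benchmark_xml), load_results(results_xml))
    return round(score, 2)


def flat_pass_ratio(results_xml):
    """Passed / (passed + failed) as a percentage: NOT what the report's score is."""
    scored = [r for r, _ in load_results(results_xml).values() if r in SCORED]
    return round(100.0 * sum(1 for r in scored if SCORED[r] == 100.0) / len(scored), 2)


if __name__ == "__main__":
    by_result, failed = summarize(load_results(RESULTS_XML))
    print("results:", by_result, "failed by severity:", failed)
    print("default score:", score_benchmark(BENCHMARK_XML, RESULTS_XML))
    print("flat pass ratio:", flat_pass_ratio(RESULTS_XML))
```

    On the constructed input, six rules pass, three fail and one is notapplicable, so the flat ratio is 66.67%, but the default model scores the benchmark at 60.0: the nested pam group contributes 0 to its parent regardless of how few rules it holds, and the three top-level groups are averaged with equal weight. The same mechanism explains how 13 failures among 1336 scored rules produce 79.01% in the report above.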

    Rule Overview

    Title | Severity | Result

    Guide to the Secure Configuration of Red Hat Enterprise Linux 8 (13x fail, 4x notchecked)
     System Settings (13x fail, 4x notchecked)
      Installing and Maintaining Software (8x fail)
       System and Software Integrity (6x fail)
        System Cryptographic Policies (6x fail)
         Configure BIND to use System Crypto Policy | high | pass
         Configure System Cryptography Policy | high | fail
         Configure GnuTLS library to use DoD-approved TLS Encryption | medium | fail
         Configure Kerberos to use System Crypto Policy | high | pass
         Configure Libreswan to use System Crypto Policy | high | pass
         Configure OpenSSL library to use System Crypto Policy | medium | pass
         Configure OpenSSL library to use TLS Encryption | medium | pass
         Configure SSH to use System Crypto Policy | medium | pass
         Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config | high | fail
         Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config | medium | fail
         Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config | medium | fail
         Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config | medium | fail
       Sudo (1x fail)
         Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate | medium | pass
         Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD | medium | pass
         Require Re-Authentication When Using the sudo Command | medium | notapplicable
         The operating system must restrict privilege elevation to authorized personnel | medium | notapplicable
         Ensure sudo only includes the default configuration directory | medium | pass
         Ensure invoking users password for privilege escalation when using sudo | medium | fail
       System Tooling / Utilities (1x fail)
         Install rng-tools Package | low | fail
         Uninstall abrt-addon-ccpp Package | low | pass
         Uninstall abrt-addon-kerneloops Package | low | pass
         Uninstall abrt-cli Package | low | pass
         Uninstall abrt-plugin-sosreport Package | low | pass
         Uninstall gssproxy Package | medium | pass
         Uninstall iprutils Package | medium | pass
         Uninstall krb5-workstation Package | medium | notapplicable
         Uninstall libreport-plugin-logger Package | low | pass
         Uninstall libreport-plugin-rhtsupport Package | low | pass
         Uninstall python3-abrt-addon Package | low | pass
         Uninstall tuned Package | medium | pass
      Account and Access Control (4x fail, 4x notchecked)
       Protect Accounts by Configuring PAM (1x fail)
        Set Lockouts for Failed Password Attempts (1x fail)
         Limit Password Reuse: password-auth | medium | notapplicable
         Limit Password Reuse: system-auth | medium | notapplicable
         Account Lockouts Must Be Logged | medium | fail
         Lock Accounts After Failed Password Attempts | medium | notapplicable
         Configure the root Account for Failed Password Attempts | medium | notapplicable
         Lock Accounts Must Persist | medium | notapplicable
         Set Interval For Counting Failed Password Attempts | medium | notapplicable
         Do Not Show System Messages When Unsuccessful Logon Attempts Occur | medium | notapplicable
         Set Lockout Time for Failed Password Attempts | medium | notapplicable
       Protect Accounts by Restricting Password-Based Login (1x fail, 2x notchecked)
         Only Authorized Local User Accounts Exist on Operating System | medium | fail
       Secure Session Configuration Files for Login Accounts (1x fail, 2x notchecked)
         Ensure the Logon Failure Delay is Set Correctly in login.defs | medium | notapplicable
         User Initialization Files Must Not Run World-Writable Programs | medium | pass
         Ensure that Users Path Contains Only Local Directories | medium | notchecked
         All Interactive Users Must Have A Home Directory Defined | medium | pass
         All Interactive Users Home Directories Must Exist | medium | fail
         All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group | medium | pass
         All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive | medium | pass
         All Interactive User Home Directories Must Be Group-Owned By The Primary Group | medium | pass
         Ensure All User Initialization Files Have Mode 0740 Or Less Permissive | medium | notchecked
         All Interactive User Home Directories Must Have mode 0750 Or Less Permissive | medium | pass
       Enable authselect | medium | fail
      Network Configuration and Firewalls (1x fail)
         Configure Multiple DNS Servers in /etc/resolv.conf | medium | fail
         Ensure System is Not Acting as a Network Sniffer | medium | notapplicable
    Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.