Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Description
Notices
Selected profile
Title | Standard System Security Profile |
---|---|
ID | xccdf_org.ssgproject.content_profile_standard |
Revision History
Current version: 0.9
- draft (as of 2015-09-28)
Platforms
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:scientificlinux:scientificlinux:7
- cpe:/o:redhat:enterprise_linux:7::client
Checklist (contains 4 rules)

- System Settings (group, contains 4 rules)
  - Installing and Maintaining Software (group, contains 1 rule): The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.
    - Updating Software (group, contains 1 rule): The
      - Ensure Software Patches Installed (rule): If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:
        identifiers: CCE-26853-2; references: SI-2, MA-1(b), http://iase.disa.mil/stigs/cci/Pages/index.aspx, Test attestation on 20120928 by MM
  - File Permissions and Masks (group, contains 2 rules): Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access.
    - Verify Permissions on Important Files and Directories (group, contains 2 rules): Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verified to ensure that no harmful discrepancies have arisen.
      - Ensure All SGID Executables Are Authorized (rule): The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is to determine whether any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files.
        identifiers: CCE-RHEL7-CCE-TBD; references: AC-6(1)
      - Ensure All SUID Executables Are Authorized (rule): The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SUID files is to determine whether any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files.
        identifiers: CCE-RHEL7-CCE-TBD; references: AC-6(1)
  - Account and Access Control (group, contains 1 rule): In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which that account has access. Therefore, making it more difficult for unauthorized people to gain shell access to accounts, particularly to privileged accounts, is a necessary part of securing a system. This section introduces mechanisms for restricting access to accounts under Red Hat Enterprise Linux 7.
    - Protect Accounts by Restricting Password-Based Login (group, contains 1 rule): Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness using the
      - Verify Proper Storage and Existence of Password Hashes (group, contains 1 rule): By default, password hashes for local accounts are stored in the second field (colon-separated) in
        - Verify All Account Password Hashes are Shadowed (rule): If any password hashes are stored in
          identifiers: CCE-27144-5; references: IA-5(h), http://iase.disa.mil/stigs/cci/Pages/index.aspx, Test attestation on 20121024 by DS
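The two rules on this checklist that can be verified directly from a shell, the SUID/SGID authorization rules and the shadowed-hash rule, as an added example that is not part of the SSG content or its OVAL checks: it enumerates set-id files, asks rpm whether each belongs to an installed package (and whether `rpm -V` reports a packaged file as modified), and lists accounts whose password field in a passwd file holds anything other than the `x` placeholder. The function names and the passwd sample are my own constructions.

```shell
#!/bin/sh
# Added example (not SSG content). Assumes GNU find and, for the package
# check, an rpm binary; without rpm every set-id file is reported as unknown.

# list_setid_files DIR: print every regular file under DIR (same filesystem)
# that has the SUID (4000) or SGID (2000) bit set, one path per line.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# classify_setid_file PATH: "packaged <pkg>", "modified <pkg>" (rpm -V reports
# the file differs from the package payload), or "unpackaged".
classify_setid_file() {
    f=$1
    if ! command -v rpm >/dev/null 2>&1; then
        echo "unknown (rpm not available)"
        return 0
    fi
    if pkg=$(rpm -qf "$f" 2>/dev/null); then
        # rpm -V lists only files whose size, digest, mode or owner changed
        if rpm -V "$pkg" | grep -q " $f\$"; then
            echo "modified $pkg"
        else
            echo "packaged $pkg"
        fi
    else
        echo "unpackaged"
    fi
}

# audit_setid DIR: one "<classification><TAB><path>" line per set-id file.
audit_setid() {
    list_setid_files "$1" | while IFS= read -r f; do
        printf '%s\t%s\n' "$(classify_setid_file "$f")" "$f"
    done
}

# unshadowed_accounts PASSWD_FILE: print the name of every account whose
# second field is anything but the "x" placeholder that defers to /etc/shadow.
unshadowed_accounts() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# Constructed sample: two correct entries and one carrying a hash in passwd.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
svc:$6$abc$placeholderhash:1001:1001::/home/svc:/sbin/nologin
bin:x:1:1:bin:/bin:/sbin/nologin'
```

On a live RHEL 7 host the checks are `audit_setid /` (run as root so find can descend everywhere) and `unshadowed_accounts /etc/passwd`; any `unpackaged` or `modified` line, or any account name printed, is a finding to investigate.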