Monday , 19 August 2019
Breaking News

Red Hat Enterprise Linux 7 Hardening Checklist

Red Hat Enterprise Linux 7 Hardening Checklist

 Preparation and Physical Security
1 If machine is a new install, protect it from hostile network traffic until the operating system is installed and hardened.
2 Set a BIOS/firmware password.
3 Configure the device boot order to prevent unauthorized booting from alternate media.
4 Use the latest version of RHEL possible.
  Filesystem Configuration
5 Create a separate partition with the nodev, nosuid, and noexec options set for /tmp.
6 Create separate partitions for /var, /var/log, /var/log/audit, and /home.
7 Bind mount /var/tmp to /tmp.
8 Set nodev option to /home.
9 Set nodev, nosuid, and noexec options on /dev/shm.
10 Set sticky bit on all world-writable directories.
  System Updates
11 Register with Red Hat Satellite Server so that the system can receive patch updates.
12 Install the Red Hat GPG key and enable gpgcheck.
  Secure Boot Settings
13 Set user/group owner to root, and permissions to read and write for root only, on /boot/grub2/grub.cfg.
14 Set boot loader password.
15 Remove the X Window system.
16 Disable X Font Server.
  Process Hardening
17 Restrict core dumps.
18 Enable Randomized Virtual Memory Region Placement.
  OS Hardening
19 Remove legacy services (e.g., telnet-server; rsh, rlogin, rcp; ypserv, ypbind; tftp, tftp-server; talk, talk-server)
20 Disable any services and applications started by xinetd or inetd that are not being utilized.
21 Remove xinetd, if possible.
22 Disable legacy services (e.g., chargen-dgram, chargen-stream, daytime-dgram, daytime-stream, echo-dgram, echo-stream, tcpmux-server)
23 Disable or remove server services that are not going to be utilized (e.g., FTP, DNS, LDAP, SMB, DHCP, NFS, SNMP, etc.)
24 Set Daemon umask
  Network Security and Firewall Configuration
25 Limit connections to services running on the host to authorized users of the service via firewalls and other access control technologies.
26 Disable IP forwarding.
27 Disable send packet redirects.
28 Disable source routed packet acceptance.
29 Disable ICMP redirect acceptance.
30 Enable Ignore Broadcast Requests.
31 Enable Bad Error Message Protection.
32 Enable TCP/SYN cookies.
  Remote Administration via SSH
33 Set SSH protocol to 2.
34 Set SSH LogLevel to INFO.
35 Disable SSH Root login.
36 Set SSH PermitEmptyPasswords to No.
  System Integrity and Intrusion Detection
37 Install and configure AIDE.
38 Configure SELinux.
39 Install and configure OSSec HIDS.
40 Configure Network Time Protocol (NTP).
41 Enable system accounting (auditd).
42 Install and configure rsyslog.
43 All administrator or root access must be logged.
44 Configure log shipping to separate device/service (e.g. Splunk).
  Files/Directory Permissions/Access
45 Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested.
  PAM Configuration
46 Ensure that the configuration files for PAM, /etc/pam.d/* are secure.
47 Upgrade password hashing algorithm to SHA-512.
48 Set password creation requirements.
49 Restrict root login to system console.
  Warning Banners
50 If network or physical access services are running, ensure the university warning banner is displayed.
51 If the system allows logins via a graphical user interface, ensure the university warning banner is displayed prior to login.

Check Also

Linux PXE boot process-1

Linux PXE boot process-(Part-1)   PXE works with Network Interface Card (NIC) …

Leave a Reply