Guide to the Secure Configuration of Red Hat Enterprise Linux 7

with profile Draft PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7
This is a *draft* profile for PCI-DSS v3

This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 7 formatted in the eXtensible Configuration Checklist Description Format (XCCDF).

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Red Hat Enterprise Linux 7 is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Target machine:  qeos-3.lab.eng.rdu2.redhat.com
Benchmark URL:   /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Benchmark ID:    xccdf_org.ssgproject.content_benchmark_RHEL-7
Profile ID:      xccdf_org.ssgproject.content_profile_pci-dss
Started at:      2016-02-22T01:58:33
Finished at:     2016-02-22T01:58:42
Performed by:    root

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::client

Addresses

  • IPv4  127.0.0.1
  • IPv4  172.16.36.3
  • IPv4  10.8.48.149
  • IPv6  0:0:0:0:0:0:0:1
  • IPv6  fe80:0:0:0:f816:3eff:febf:5576
  • MAC  00:00:00:00:00:00
  • MAC  FA:16:3E:BF:55:76

Compliance and Scoring

The target system did not satisfy the conditions of 52 rules! Please review rule results and consider applying remediation.

Rule results

22 passed
52 failed
1 other

Severity of failed rules

0 other
35 low
13 medium
4 high

Score

Scoring system              | Score     | Maximum    | Percent
urn:xccdf:scoring:default   | 24.890619 | 100.000000 | 24.89%

Rule Overview

Title | Severity | Result
Guide to the Secure Configuration of Red Hat Enterprise Linux 7 (group) | - | 52x fail, 1x notchecked
System Settings (group) | - | 50x fail, 1x notchecked
Installing and Maintaining Software (group) | - | 6x fail, 1x notchecked
Updating Software (group) | - | 3x fail, 1x notchecked
Ensure Red Hat GPG Key Installed | high | fail
Ensure gpgcheck Enabled In Main Yum Configuration | high | fail
Ensure gpgcheck Enabled For All Yum Package Repositories | high | fail
Ensure Software Patches Installed | high | notchecked
Software Integrity Checking (group) | - | 3x fail
Verify Integrity with AIDE (group) | - | 2x fail
Install AIDE | medium | fail
Build and Test AIDE Database | medium | notselected
Configure Periodic Execution of AIDE | medium | fail
Verify Integrity with RPM (group) | - | 1x fail
Verify and Correct File Permissions with RPM | low | notselected
Verify File Hashes with RPM | low | fail
Account and Access Control (group) | - | 12x fail
Protect Accounts by Restricting Password-Based Login (group) | - | 3x fail
Verify Proper Storage and Existence of Password Hashes (group) | - | 1x fail
Prevent Log In to Accounts With Empty Password | high | fail
Verify All Account Password Hashes are Shadowed | medium | pass
All GIDs referenced in /etc/passwd must be defined in /etc/group | low | notselected
Verify No netrc Files Exist | medium | notselected
Set Password Expiration Parameters (group) | - | 1x fail
Set Password Maximum Age | medium | fail
Set Account Expiration Following Inactivity | low | fail
Protect Accounts by Configuring PAM (group) | - | 9x fail
Set Password Quality Requirements (group) | - | 4x fail
Set Password Quality Requirements with pam_pwquality (group) | - | 4x fail
Set Password Retry Prompts Permitted Per-Session | low | notselected
Set Password to Maximum of Three Consecutive Repeating Characters | low | notselected
Set Password Strength Minimum Digit Characters | low | fail
Set Password Minimum Length | low | fail
Set Password Strength Minimum Uppercase Characters | low | fail
Set Password Strength Minimum Special Characters | low | notselected
Set Password Strength Minimum Lowercase Characters | low | fail
Set Password Strength Minimum Different Characters | low | notselected
Set Password Strength Minimum Different Categories | low | notselected
Set Lockouts for Failed Password Attempts (group) | - | 2x fail
Set Deny For Failed Password Attempts | medium | fail
Set Lockout Time For Failed Password Attempts | medium | fail
Set Interval For Counting Failed Password Attempts | medium | notselected
Limit Password Reuse | medium | notselected
Set Password Hashing Algorithm (group) | - | 3x fail
Set Password Hashing Algorithm in /etc/pam.d/system-auth | medium | fail
Set Password Hashing Algorithm in /etc/login.defs | medium | fail
Set Password Hashing Algorithm in /etc/libuser.conf | medium | fail
Network Configuration and Firewalls (group) | - | 1x fail
IPSec Support (group) | - | 1x fail
Install libreswan Package | low | fail
Disable Zeroconf Networking | low | notselected
Ensure System is Not Acting as a Network Sniffer | low | notselected
System Accounting with auditd (group) | - | 31x fail
Configure auditd Data Retention (group) | - | 3x fail
Configure auditd Number of Logs Retained | medium | pass
Configure auditd Max Log File Size | medium | pass
Configure auditd max_log_file_action Upon Reaching Maximum Log Size | medium | pass
Configure auditd space_left Action on Low Disk Space | medium | fail
Configure auditd admin_space_left Action on Low Disk Space | medium | fail
Configure auditd mail_acct Action on Low Disk Space | medium | pass
Configure auditd flush priority | low | notselected
Configure auditd to use audispd's syslog plugin | medium | fail
Configure auditd Rules for Comprehensive Auditing (group) | - | 27x fail
Record Events that Modify Date and Time Information (group) | - | 5x fail
Record Attempts to Alter Time Through adjtimex | low | fail
Record Attempts to Alter Time Through settimeofday | low | fail
Record Attempts to Alter Time Through stime | low | fail
Record Attempts to Alter Time Through clock_settime | low | fail
Record Attempts to Alter the localtime File | low | fail
Record Events that Modify the System's Discretionary Access Controls (group) | - | 13x fail
Record Events that Modify the System's Discretionary Access Controls - chmod | low | fail
Record Events that Modify the System's Discretionary Access Controls - chown | low | fail
Record Events that Modify the System's Discretionary Access Controls - fchmod | low | fail
Record Events that Modify the System's Discretionary Access Controls - fchmodat | low | fail
Record Events that Modify the System's Discretionary Access Controls - fchown | low | fail
Record Events that Modify the System's Discretionary Access Controls - fchownat | low | fail
Record Events that Modify the System's Discretionary Access Controls - fremovexattr | low | fail
Record Events that Modify the System's Discretionary Access Controls - fsetxattr | low | fail
Record Events that Modify the System's Discretionary Access Controls - lchown | low | fail
Record Events that Modify the System's Discretionary Access Controls - lremovexattr | low | fail
Record Events that Modify the System's Discretionary Access Controls - lsetxattr | low | fail
Record Events that Modify the System's Discretionary Access Controls - removexattr | low | fail
Record Events that Modify the System's Discretionary Access Controls - setxattr | low | fail
Record Events that Modify User/Group Information | low | fail
Record Events that Modify the System's Network Environment | low | fail
System Audit Logs Must Have Mode 0640 or Less Permissive | low | pass
System Audit Logs Must Be Owned By Root | low | pass
Record Events that Modify the System's Mandatory Access Controls | low | fail
Record Attempts to Alter Process and Session Initiation Information | low | fail
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) | low | fail
Ensure auditd Collects Information on the Use of Privileged Commands | low | notselected
Ensure auditd Collects Information on Exporting to Media (successful) | low | fail
Ensure auditd Collects File Deletion Events by User | low | fail
Ensure auditd Collects System Administrator Actions | low | fail
Ensure auditd Collects Information on Kernel Module Loading and Unloading | low | fail
Make the auditd Configuration Immutable | low | notselected
Enable auditd Service | medium | pass
Enable Auditing for Processes Which Start Prior to the Audit Daemon | medium | fail
Services (group) | - | 2x fail
SSH Server (group) | - | 1x fail
Configure OpenSSH Server if Necessary (group) | - | 1x fail
Allow Only SSH Protocol 2 | high | notselected
Limit Users' SSH Access | low | notselected
Set SSH Idle Timeout Interval | low | fail
Set SSH Client Alive Count | low | notselected
Disable SSH Support for .rhosts Files | medium | notselected
Disable Host-Based Authentication | medium | notselected
Disable SSH Access via Empty Passwords | high | notselected
Enable SSH Warning Banner | medium | notselected
Do Not Allow SSH Environment Options | low | notselected
Use Only Approved Ciphers | medium | notselected
Use Only Approved MACs | low | notselected
Disable SSH Server If Possible (Unusual) | low | notselected
Remove SSH Server firewalld Firewall exception (Unusual) | low | notselected
Network Time Protocol (group) | - | 1x fail
Enable the NTP Daemon | medium | fail
Specify a Remote NTP Server | medium | notselected
Specify Additional Remote NTP Servers | low | notselected

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.