Guide to the Secure Configuration of Red Hat Enterprise Linux 7

This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 7. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the scap-security-guide package, which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Red Hat Enterprise Linux 7, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile ID: (default)

Revision History

Current version: 0.1.31

  • draft (as of 2016-11-28)

Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode

Table of Contents

  1. 2.
    1. 2.1
    2. 2.2
    3. 2.3
    4. 2.4
    5. 2.5
    6. 2.6
  2. 3.
    1. 3.1
    2. 3.2
    3. 3.3
    4. 3.4
    5. 3.5
    6. 3.6
    7. 3.7
  3. 4.
    1. 4.1
    2. 4.2
    3. 4.3
  4. 5.
    1. 5.1
    2. 5.2
    3. 5.3
    4. 5.4
  5. 6.
    1. 6.1
    2. 6.2
    3. 6.3
    4. 6.4
    5. 6.5
    6. 6.6
    7. 6.7
  6. 7.
    1. 7.1
    2. 7.2
    3. 7.3
  7. 8.
    1. 8.1
    2. 8.2
    3. 8.3
    4. 8.4
    5. 8.5
    6. 8.6
    7. 8.7
    8. 8.8
  8. 10.
    1. 10.1
    2. 10.2
    3. 10.3
    4. 10.4
    5. 10.5
    6. 10.6
    7. 10.7
    8. 10.8
  9. 11.
    1. 11.1
    2. 11.2
    3. 11.3
    4. 11.4
    5. 11.5
    6. 11.6
  10. Values
  11. Non PCI-DSS

Checklist (XCCDF groups)

  • 2. Do not use vendor-supplied defaults for system passwords and other
    • 2.1 Always change vendor-supplied
      • 2.1.1 For wireless environments
        • 2.1.1.a Interview responsible personnel and examine
        • 2.1.1.b Interview personnel and examine policies and
        • 2.1.1.c Examine vendor documentation and login to
        • 2.1.1.d Examine vendor documentation and observe
        • 2.1.1.e Examine vendor documentation and observe
      • 2.1.a Choose a sample of system components, and attempt
      • 2.1.b For the sample of system components, verify that all
      • 2.1.c Interview personnel and examine supporting
    • 2.2 Develop configuration standards for
      • 2.2.1 Implement only one primary
        • 2.2.1.a Select a sample of system components and
        • 2.2.1.b If virtualization technologies are used, inspect the
      • 2.2.2 Enable only necessary services,
        • 2.2.2.a Select a sample of system components and
        • 2.2.2.b Identify any enabled insecure services, daemons,
      • 2.2.3 Implement additional security
        • 2.2.3.a Inspect configuration settings to verify that security
      • 2.2.4 Configure system security
        • 2.2.4.a Interview system administrators and/or security
        • 2.2.4.b Examine the system configuration standards to
        • 2.2.4.c Select a sample of system components and
      • 2.2.5 Remove all unnecessary
        • 2.2.5.a Select a sample of system components and
        • 2.2.5.b Examine the documentation and security
        • 2.2.5.c Examine the documentation and security
      • 2.2.a
      • 2.2.b Examine policies and interview personnel to
      • 2.2.c Examine policies and interview personnel to
      • 2.2.d Verify that system configuration standards include the
    • 2.3 Encrypt all non-console
      • 2.3.a Observe an administrator log on to each system and
      • 2.3.b Review services and parameter files on systems to
      • 2.3.c Observe an administrator log on to each system to
      • 2.3.d Examine vendor documentation and interview
    • 2.4 Maintain an inventory of system
      • 2.4.a Examine system inventory to verify that a list of
      • 2.4.b Interview personnel to verify the documented inventory
    • 2.5 Ensure that security policies and
    • 2.6 Shared hosting providers must
  • 3. Protect stored cardholder data
    • 3.1 Keep cardholder data storage to a
      • 3.1.a Examine the data retention and disposal policies,
      • 3.1.b Interview personnel to verify that:
      • 3.1.c For a sample of system components that store cardholder
    • 3.2 Do not store sensitive authentication
      • 3.2.1 Do not store the full contents of
      • 3.2.2 Do not store the card verification
      • 3.2.3 Do not store the personal
      • 3.2.a For issuers and/or companies that support issuing
      • 3.2.b For issuers and/or companies that support issuing
      • 3.2.c For all other entities, if sensitive authentication data is
      • 3.2.d For all other entities, if sensitive authentication data is
    • 3.3 Mask PAN when displayed (the first
      • 3.3.a Examine written policies and procedures for masking the
      • 3.3.b Examine system configurations to verify that full PAN is
      • 3.3.c Examine displays of PAN (for example, on screen, on
    • 3.4 Render PAN unreadable anywhere it
      • 3.4.1 If disk encryption is used (rather
        • 3.4.1.a If disk encryption is used, inspect the configuration
        • 3.4.1.b Observe processes and interview personnel to verify
        • 3.4.1.c Examine the configurations and observe the
      • 3.4.a Examine documentation about the system used to protect
      • 3.4.b Examine several tables or files from a sample of data
      • 3.4.c Examine a sample of removable media (for example,
      • 3.4.d Examine a sample of audit logs to confirm that the PAN is
      • 3.4.e If
    • 3.5 Document and implement
      • 3.5.1 Restrict access to cryptographic
      • 3.5.2 Store secret and private keys
        • 3.5.2.a Examine documented procedures to verify that
        • 3.5.2.b Examine system configurations and key storage
        • 3.5.2.c Wherever key-encrypting keys are used, examine
      • 3.5.3 Store cryptographic keys in the
    • 3.6 Fully document and implement all
      • 3.6.1 Generation of strong
        • 3.6.1.a Verify that key-management procedures specify how
        • 3.6.1.b Observe the method for generating keys to verify that
      • 3.6.2 Secure cryptographic key
        • 3.6.2.a Verify that key-management procedures specify how
        • 3.6.2.b Observe the method for distributing keys to verify that
      • 3.6.3 Secure cryptographic key storage
        • 3.6.3.a Verify that key-management procedures specify how
        • 3.6.3.b Observe the method for storing keys to verify that
      • 3.6.4 Cryptographic key changes for
        • 3.6.4.a Verify that key-management procedures include a
        • 3.6.4.b Interview personnel to verify that keys are changed at
      • 3.6.5 Retirement or replacement (for
        • 3.6.5.a Verify that key-management procedures specify
        • 3.6.5.b Interview personnel to verify the following processes
      • 3.6.6 If manual clear-text cryptographic
        • 3.6.6.a Verify that manual clear-text key-management
      • 3.6.7 Prevention of unauthorized
        • 3.6.7.a Verify that key-management procedures specify
        • 3.6.7.b Interview personnel and/or observe processes to
      • 3.6.8 Requirement for cryptographic
        • 3.6.8.a Verify that key-management procedures specify
        • 3.6.8.b Observe documentation or other evidence showing
      • 3.6.b Examine the key-management procedures and processes
    • 3.7 Ensure that security policies and
  • 4. Encrypt transmission of cardholder data across open, public networks
    • 4.1 Use strong cryptography and security
      • 4.1.1 Ensure wireless networks transmitting
      • 4.1.a Identify all locations where cardholder data is
      • 4.1.b Review documented policies and procedures to verify
      • 4.1.c Select and observe a sample of inbound and outbound
      • 4.1.d Examine keys and certificates to verify that only
      • 4.1.e Examine system configurations to verify that the
      • 4.1.f Examine system configurations to verify that the proper
      • 4.1.g For TLS implementations, examine system
    • 4.2 Never send unprotected PANs by end-
      • 4.2.a If end-user messaging technologies are used to send
      • 4.2.b Review written policies to verify the existence of a
    • 4.3 Ensure that security policies and
  • 5. Protect all systems against malware and regularly update anti-virus
    • 5.1 Deploy anti-virus software on all
      • 5.1.1 Ensure that anti-virus programs
      • 5.1.2 For systems considered to be not
    • 5.2 Ensure that all anti-virus mechanisms
      • 5.2.a Examine policies and procedures to verify that anti-virus
      • 5.2.b Examine anti-virus configurations, including the master
      • 5.2.c Examine a sample of system components, including all
      • 5.2.d Examine anti-virus configurations, including the master
    • 5.3 Ensure that anti-virus mechanisms
      • 5.3.a Examine anti-virus configurations, including the master
      • 5.3.b Examine anti-virus configurations, including the master
      • 5.3.c Interview responsible personnel and observe processes to
    • 5.4 Ensure that security policies and
  • 6. Develop and maintain secure systems and applications
    • 6.1 Establish a process to identify security
      • 6.1.a Examine policies and procedures to verify that
      • 6.1.b Interview responsible personnel and observe
    • 6.2 Ensure that all system components and
      • 6.2.a Examine policies and procedures related to security-
      • 6.2.b For a sample of system components and related
    • 6.3 Develop internal and external software
      • 6.3.1 Remove development, test and/or
      • 6.3.2 Review custom code prior to release
        • 6.3.2.a Examine written software-development procedures
        • 6.3.2.b Select a sample of recent custom application
      • 6.3.a Examine written software-development processes to
      • 6.3.b Examine written software-development processes to
      • 6.3.c Examine written software-development processes to
      • 6.3.d Interview software developers to verify that written
    • 6.4 Follow change control processes and
      • 6.4.1 Separate development/test
        • 6.4.1.a Examine network documentation and network
        • 6.4.1.b Examine access controls settings to verify that
      • 6.4.2 Separation of duties between
      • 6.4.3 Production data (live PANs) are not
        • 6.4.3.a Observe testing processes and interview
        • 6.4.3.b Examine a sample of test data to verify production
      • 6.4.4 Removal of test data and accounts
        • 6.4.4.a Observe testing processes and interview
        • 6.4.4.b Examine a sample of data and accounts from
      • 6.4.5 Change control procedures for the
        • 6.4.5.a Examine documented change control procedures
        • 6.4.5.b For a sample of system components, interview
    • 6.5 Address common coding vulnerabilities in
      • 6.5.1 Injection flaws, particularly SQL
      • 6.5.10 Broken authentication and session
      • 6.5.2 Buffer overflows
      • 6.5.3 Insecure cryptographic storage
      • 6.5.4 Insecure communications
      • 6.5.5 Improper error handling
      • 6.5.6 Examine software-development policies and
      • 6.5.7 Cross-site scripting (XSS)
      • 6.5.8 Improper access control (such as
      • 6.5.9 Cross-site request forgery (CSRF)
      • 6.5.a Examine software-development policies and
      • 6.5.b Interview a sample of developers to verify that they are
      • 6.5.c Examine records of training to verify that software
    • 6.6 For public-facing web applications,
    • 6.7 Ensure that security policies and
  • 7. Restrict access to cardholder data by business need to know
    • 7.1 Limit access to system
      • 7.1.1 Define access needs for
      • 7.1.2 Restrict access to privileged
        • 7.1.2.a Interview personnel responsible for assigning access to
        • 7.1.2.b Select a sample of user IDs with privileged access and
      • 7.1.3 Assign access based on
      • 7.1.4 Require documented
    • 7.2 Establish an access control
      • 7.2.1 Coverage of all system
      • 7.2.2 Assignment of privileges to
      • 7.2.3
    • 7.3 Ensure that security policies and
  • 8. Identify and authenticate access to system components
    • 8.1 Define and implement policies and
      • 8.1.1 Assign all users a unique ID
      • 8.1.2 Control addition, deletion, and
      • 8.1.3 Immediately revoke access for
        • 8.1.3.a Select a sample of users terminated in the past six
        • 8.1.3.b Verify all physical authentication methods
      • 8.1.4 Remove/disable inactive user
      • 8.1.5 Manage IDs used by vendors to
        • 8.1.5.a Interview personnel and observe processes for
        • 8.1.5.b Interview personnel and observe processes to verify
      • 8.1.6 Limit repeated access attempts
        • 8.1.6.a For a sample of system components, inspect system
        • 8.1.6.b
      • 8.1.7 Set the lockout duration to a
      • 8.1.8 If a session has been idle for
      • 8.1.a Review procedures and confirm they define processes for
      • 8.1.b Verify that procedures are implemented for user
    • 8.2 In addition to assigning a unique ID,
      • 8.2.1 Using strong cryptography,
        • 8.2.1.a Examine vendor documentation and system
        • 8.2.1.b For a sample of system components, examine
        • 8.2.1.c For a sample of system components, examine data
        • 8.2.1.d
      • 8.2.2 Verify user identity before
      • 8.2.3 Passwords/phrases must meet
        • 8.2.3.a For a sample of system components, inspect system
        • 8.2.3.b
      • 8.2.4 Change user
        • 8.2.4.a For a sample of system components, inspect system
        • 8.2.4.b
      • 8.2.5 Do not allow an individual to
        • 8.2.5.a For a sample of system components, obtain and
        • 8.2.5.b
      • 8.2.6 Set passwords/phrases for first-
    • 8.3 Incorporate two-factor authentication
      • 8.3.a Examine system configurations for remote access servers
      • 8.3.b Observe a sample of personnel (for example, users and
    • 8.4 Document and communicate
      • 8.4.a Examine
      • 8.4.b Review authentication policies and procedures that are
      • 8.4.c Interview a sample of users to verify that they are familiar
    • 8.5 Do not use group, shared, or generic
      • 8.5.1
      • 8.5.a For a sample of system components, examine user ID lists
      • 8.5.b Examine authentication policies and procedures to verify
      • 8.5.c Interview system administrators to verify that group and
    • 8.6 Where other authentication
      • 8.6.a Examine authentication policies and procedures to verify
      • 8.6.b Interview security personnel to verify authentication
      • 8.6.c Examine system configuration settings and/or physical
    • 8.7 All access to any database
      • 8.7.a Review database and application configuration settings
      • 8.7.b Examine database and application configuration settings to
      • 8.7.c Examine database access control settings and database
      • 8.7.d Examine database access control settings, database
    • 8.8 Ensure that security policies and
  • 10. Track and monitor all access to network resources and cardholder data
    • 10.1 Implement audit trails to link all
    • 10.2 Implement automated audit trails for
      • 10.2.1 All individual user accesses to
      • 10.2.2 All actions taken by any
      • 10.2.3 Access to all audit trails
      • 10.2.4 Invalid logical access attempts
      • 10.2.5 Use of and changes to
        • 10.2.5.a Verify use of identification and authentication
        • 10.2.5.b Verify all elevation of privileges is logged.
        • 10.2.5.c Verify all changes, additions, or deletions to any account
      • 10.2.6 Initialization, stopping, or
      • 10.2.7 Creation and deletion of system-
    • 10.3 Record at least the following audit
      • 10.3.1 User identification
      • 10.3.2 Type of event
      • 10.3.3 Date and time
      • 10.3.4 Success or failure indication
      • 10.3.5 Origination of event
      • 10.3.6 Identity or name of affected
    • 10.4 Using time-synchronization
      • 10.4.1 Critical systems have the
        • 10.4.1.a Examine the process for acquiring, distributing and
        • 10.4.1.b Observe the time-related system-parameter settings for
      • 10.4.2 Time data is protected.
        • 10.4.2.a Examine system configurations and time-
        • 10.4.2.b Examine system configurations, time synchronization
      • 10.4.3 Time settings are received from
    • 10.5 Secure audit trails so they cannot
      • 10.5.1 Limit viewing of audit trails to
      • 10.5.2 Protect audit trail files from
      • 10.5.3 Promptly back up audit trail files
      • 10.5.4 Write logs for external-facing
      • 10.5.5 Use file-integrity monitoring or
    • 10.6 Review logs and security events for
      • 10.6.1 Review the following at least
        • 10.6.1.a Examine security policies and procedures to verify that
        • 10.6.1.b Observe processes and interview personnel to verify
      • 10.6.2 Review logs of all other system
        • 10.6.2.a Examine security policies and procedures to verify that
        • 10.6.2.b
      • 10.6.3 Follow up exceptions and
        • 10.6.3.a Examine security policies and procedures to verify that
        • 10.6.3.b Observe processes and interview personnel to verify
    • 10.7 Retain audit trail history for at least
      • 10.7.a Examine security policies and procedures to verify that they
      • 10.7.b Interview personnel and examine audit logs to verify that
      • 10.7.c Interview personnel and observe processes to verify that at
    • 10.8 Ensure that security policies and
  • 11. Regularly test security systems and processes
    • 11.1 Implement processes to test for the
      • 11.1.1 Maintain an inventory of
      • 11.1.2 Implement incident response
        • 11.1.2.a
        • 11.1.2.b Interview responsible personnel and/or inspect
      • 11.1.a Examine policies and procedures to verify processes
      • 11.1.b Verify that the methodology is adequate to detect and
      • 11.1.c If wireless scanning is utilized, examine output from
      • 11.1.d If automated monitoring is utilized (for example,
    • 11.2 Run internal and external network
      • 11.2.1 Perform quarterly internal
        • 11.2.1.a Review the scan reports and verify that four
        • 11.2.1.b Review the scan reports and verify that the scan
      • 11.2.2 Perform quarterly external
        • 11.2.2.c Review the scan reports to verify that the scans
      • 11.2.3 Perform internal and external
        • 11.2.3.a Inspect and correlate change control
        • 11.2.3.b Review scan reports and verify that the scan
        • 11.2.3.c Validate that the scan was performed by a qualified
    • 11.3 Implement a methodology for
      • 11.3.1 Perform
        • 11.3.1.a Examine the scope of work and results from the
        • 11.3.1.b Verify that the test was performed by a qualified
      • 11.3.2 Perform
        • 11.3.2.a Examine the scope of work and results from the
        • 11.3.2.b Verify that the test was performed by a qualified
      • 11.3.3 Exploitable vulnerabilities found
      • 11.3.4 If segmentation is used to isolate
        • 11.3.4.a Examine segmentation controls and review
        • 11.3.4.b Examine the results from the most recent
    • 11.4 Use intrusion-detection and/or
      • 11.4.a Examine system configurations and network diagrams
      • 11.4.b Examine system configurations and interview
      • 11.4.c Examine IDS/IPS configurations and vendor
    • 11.5 Deploy a change-detection
      • 11.5.1 Implement a process to respond to
      • 11.5.a Verify the use of a change-detection mechanism within
      • 11.5.b Verify the mechanism is configured to alert personnel
    • 11.6 Ensure that security policies and
  • Values: Group of values used in PCI-DSS profile
  • Non PCI-DSS: Rules that are not part of PCI-DSS

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.