OS Hardening Checklist RHEL7
OS Hardening Checklist RHEL7
security.utexas.edu/os-hardening-checklist/linux-7
The hardening checklists are based on the comprehensive checklists produced by CIS.
The Information Security Office has distilled the CIS lists down to the most critical steps for
your systems, with a particular focus on configuration issues that are unique to the
computing environment at The University of Texas at Austin.
Print the checklist and check off each item you complete to ensure that you cover the critical
steps for securing your server. The Information Security Office uses this checklist during risk
assessments as part of the process to verify that servers are secure.
Step - The step number in the procedure. If there is a UT Note for this step, the note
number corresponds to the step number.
Check (√) - This is for administrators to check off when she/he completes this portion.
To Do - Basic instructions on what to do to harden the respective system
CIS - Reference number in the Center for Internet Security Red Hat Enterprise Linux 7
Benchmark v1.1.0. The CIS document outlines in much greater detail how to complete each
step.
UT Note - The UT Note at the bottom of the page provides additional detail about the step
for the university computing environment.
Cat I - For systems that include Category-I data , required steps are denoted with
the ! symbol. All steps are recommended.
Cat II/III - For systems that include Category-II or -III data , all steps are recommended, and
some are required (denoted by the !).
Min Std - This column links to the specific requirement for the university in the Minimum
Security Standards for Systems document.
Server Information
MAC Address
IP Address
Machine Name
Asset Tag
1/13
Administrator Name
Date
Server Information
Checklist
Preparation and
Installation
Filesystem Configuration
2/13
UT Cat Cat Min
Step √ To Do CIS Note I II/III Std
System Updates
Process Hardening
OS Hardening
3/13
UT Cat Cat Min
Step √ To Do CIS Note I II/III Std
4/13
UT Cat Cat Min
Step √ To Do CIS Note I II/III Std
Files/Directory
Permissions/Access
PAM Configuration
5/13
UT Cat Cat Min
Step √ To Do CIS Note I II/III Std
Warning Banners
Anti-Virus Considerations
Checklist
UT Note: Addendum
6/13
This list provides specific tasks related to the computing environment at The University of
Texas at Austin.
5 Since /tmp is intended to be world writable, creating a separate partition for it can
prevent resource exhaustion. Setting nodev prevents users from creating or using block
or special character devices. Setting noexec prevents users from running binary
executables from /tmp. Setting nosuid prevents users from creating set userid files in
/tmp.
To list all updates that are security relevant, and get a reutrn code on whether there are
security updates use:
13 Setting user/group ownership to root and file permissions to read and write only for root
is recommended to prevent non-root users from viewing or changing the boot
parameters.
15 A simple way to disable the GUI is to change the default run level. Edit the file
/etc/inittab. Look for the line that contains the following:
id:5:initdefault:
Replace the "5" with "3". The line will then read:
id:3:initdefault:
17 Core dumps are intended to help determine why a program aborted. They may contain
sensitive or confidential data from memory. It is recommended that core dumps be
disabled or restricted. The system should be configured to prevent setuid programs from
creating core dumps.
7/13
18 Add the following line to the /etc/sysctl.conf file:
kernel.randomize_va_space = 2
20 Disable any xinetd services you do not absolutely require by setting "disable=yes" in
/etc/xinetd.d/*.
or
Much more detailed information regarding services is available in the CIS benchmark
documents.
Red Hat also provides a text-based interface for changing startup services: ntsysv
8/13
25 RHEL7 comes with firewalld, however iptables may be installed and used instead. This
is documented at: https://access.redhat.com/documentation/en-
US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html
33 If you decide to utilize SSH, the ISO highly recommends the following:
Change the port from port 22 to something/anything else. There are scripts online
that malicious hackers can use against an SSH server. These scripts almost
always only attack port 22 since most people do not change the default port.
Use SSH2 (by setting Protocol 2 in the sshd_config file) as it remediates many
vulnerabilities from SSH1.
Restrict access to the SSH port using a hardware or software firewall.
If possible, use keys with passphrase instead of just passwords. To create rsa
keys, follow these commands:
ssh-keygen \--t rsa
The CIS Solaris Benchmark covers some suggested basic settings to place in the
configuration file.
You may also want to visit the SSL Web site.
34 INFO is a basic logging level that will capture user login and logout activity. Other
logging levels may be used, but may generate more noise. The DEBUG logging level is
not recommended for production servers.
35 Do not permit root logins via SSH. If root access over SSH is absolutely necessary,
require administrators to authenticate with an individual account first and then use su or
sudo. This is to prevent remote brute force attacks against the root user account as well
as to create an audit trail of administrative activity in the event of a compromise.
37 There is a license fee for Tripwire. The Tripwire management console can be very
helpful for managing more complex installations.
AIDE is a free tool available from SourceForge.
SamHain is another free tool, as is OSSEC HIDS.
9/13
38 Many resources exist for understanding and configuring SELinux:
http://www.selinuxproject.org/page/Main_Page
https://access.redhat.com/documentation/en-
US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/
SELinux is enabled by default with RHEL systems and should not be disabled unless
absolutely necessary.
40 ITS Networking operates two stratum 2 NTPv4 (NTP version 4) servers for network time
synchronization services for university network administrators.
41 Auditd monitors various system activity, such as system logins, authentications, account
modifications, and SELinux denials. These records may help administrators identify
malicious activity or unauthorized access.
44 It is highly recommended that logs are shipped from any Category I devices to a service
like Splunk, which provides log aggregation, processing, and real-time monitoring of
events among many other things. This helps to ensure that logs are preserved and
unaltered in the event of a compromise, in addition to allowing proactive log analysis of
multiple devices.
Splunk licenses are available through ITS at no charge. ITS also maintains a centrally-
managed Splunk service that may be leveraged.
10/13
46 Ensure the following are set in /etc/pam.d/other:
11/13
48 To require strong passwords, in compliance with section 5.18 of the Information
Resources Use and Security Policy:
For RHEL 6:
For RHEL 7:
In /etc/security/pwquality.conf, add:
difok = 5
minlen = 8
minclass = 1
maxrepeat = 0
maxclassrepeat = 0
lcredit = -1
ucredit = 0
dcredit = -1
ocredit = -1
gecoscheck = 1
12/13
49 Ensure that the terminal security file (for example, /etc/securetty or /etc/ttys) is
configured to deny privileged (root) access. On a Red Hat box, this means that no
virtual devices (such as /dev/pty*) appear in this file.
50 The text of the university's official warning banner can be found on the ITS Web site.
You may add localized information to the banner as long as the university banner is
included.
51 The text of the university's official warning banner can be found on the ITS Web site.
You may add localized information to the banner as long as the university banner is
included.
52 There are few viruses that infect Linux computers; therefore, it is understandable for
most Linux servers to have an exception to this rule. See the Operations Manual for
information on the exception process.
You may choose any proven anti-virus product. One option is ClamAV.
53 There are few viruses that infect Linux computers; therefore, it is understandable for
most Linux servers to have an exception to this rule. See the Operations Manual for
information on the exception process.
54 There are a variety of methods available to provide encrypted storage. Two good
candidates are LUKS and GNUPG (free).
UT Note: Addendum
13/13