Security Hardening
Hello
I am asked to apply the following on a server that connects to the internet, but could not find relevant information on RHEL 7.4
yum-utils Package-cleanup-leaves
to remove unused packages without affecting the packages dependencies
Disable FTP, Telnet, Rlogin/RSH, ipchains, portmap, nfslock, netfs, autofs, apmd, isdn, pppoe, Sendmail, Gpm, anacron, and X windows
Disable .rhosts Files
Locking User Accounts after 5 Login Failures
Lock all accounts with empty password
Disable root account
Non-Root Accounts do not have UID set to 0
Only Use SSH Protocol 2
Configure Idle Log Out Timeout Interval [ClientAliveInterval 300 ClientAliveCountMax 0]
Disable .rhosts Files
Turn off IP forwarding
Disallow source routing
The server should not accept the source routed packets to prevent unauthorized traffic redirection. Ensure that routed is not installed
Responses
Good Day to you Tamer,
Were you looking for guidance on how to implement those directives? If so, I (or someone) can provide some info on this at a later time, perhaps tomorrow or later this week. I have the info available; it will just take a little to arrange it here in a sensible way. (Update: see link below.)
One question, request clarification where you mentioned “disable root account” because I’m not clear if you wish to have sudo only, or make it so that you simply can’t ssh to the root account (recommend disabling ssh to root), or perhaps you meant something else for “disable root account”.
EDITED/ADDED: Please check out this link https://people.redhat.com/swells/scap-security-guide/tables/table-rhel7-stig.html by Shawn Wells of Red Hat. This link comprises many security controls, and the methods to implement many of which you cited above.
Another thing, you can do a systemctl disable autofs or systemctl mask autofs for services such as autofs you do not wish to have running. As far as x-windows, you can simply not install a graphical interface. You have to go a little out of your way to do a “Server with GUI” install for RHEL 7 Server. Please examine the link I provided by Shawn Wells. Additionally, examine the Red Hat Discussion area for other security related topics such as this one https://access.redhat.com/discussions/1295753 and this one https://access.redhat.com/discussions/2899931.
Kind Regards, -RJ
A lot of these can be taken care of by using the oscap utility (and either not installing or uninstalling the services your guide says to disable). Much of what you have is in the standard profiles that ship with oscap. Also, you get a nice little report after you run a remediation so you can show your degree of compliance to whoever is requesting the hardenings.
To add on to the good point Thomas Jones mentioned, here is the link https://www.open-scap.org/getting-started/ to getting started with SCAP.
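Added example (not from any poster in this thread and not Red Hat code): a read-only shell check for several items in the original checklist, namely non-root UID 0 accounts, empty passwords, the sshd Protocol and idle-timeout values, IP forwarding and source routing. The function names, the file-path parameters and the sample files are assumptions made for illustration; the sshd parser ignores Match blocks and the sysctl parser reads a single file.

```shell
#!/bin/sh
# Read-only checks; file paths are parameters so copies can be audited.

# Accounts other than root whose UID is 0 (passwd format).
uid0_accounts() { awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1"; }

# Accounts with an empty password field (shadow format).
empty_password_accounts() { awk -F: '$2 == "" {print $1}' "$1"; }

# sshd keywords are case-insensitive and the first occurrence wins.
sshd_value() {   # sshd_value FILE KEYWORD
    awk -v k="$2" 'tolower($1) == tolower(k) {print $2; exit}' "$1"
}

# In a sysctl.conf-style file the last assignment of a key wins.
sysctl_value() {   # sysctl_value FILE KEY
    awk -F= -v k="$2" '{gsub(/[ \t]/, "")} $1 == k {v = $2}
        END {if (v != "") print v}' "$1"
}

# Print one FAIL line per finding; the return status is the finding count.
audit() {   # audit PASSWD SHADOW SSHD_CONFIG SYSCTL_CONF
    n=0
    fail() { echo "FAIL: $*"; n=$((n + 1)); }
    for u in $(uid0_accounts "$1"); do fail "UID 0 non-root account: $u"; done
    for u in $(empty_password_accounts "$2"); do fail "empty password: $u"; done
    [ "$(sshd_value "$3" Protocol)" = 2 ] || fail "sshd_config does not set Protocol 2"
    [ "$(sshd_value "$3" ClientAliveInterval)" = 300 ] || fail "ClientAliveInterval is not 300"
    [ "$(sshd_value "$3" ClientAliveCountMax)" = 0 ] || fail "ClientAliveCountMax is not 0"
    [ "$(sysctl_value "$4" net.ipv4.ip_forward)" = 0 ] || fail "ip_forward is not set to 0"
    [ "$(sysctl_value "$4" net.ipv4.conf.all.accept_source_route)" = 0 ] || fail "accept_source_route is not set to 0"
    return "$n"
}

# Constructed sample files (not from a real host) with deliberate findings.
make_sample() {   # make_sample DIR
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'toor:x:0:0::/home/toor:/bin/bash' \
        'app:x:1001:1001::/home/app:/bin/bash' > "$1/passwd"
    printf '%s\n' 'root:$6$constructed$hash:17500:0:99999:7:::' \
        'toor:!!:17500::::::' 'app::17500:0:99999:7:::' > "$1/shadow"
    printf '%s\n' '#ClientAliveInterval 0' 'Protocol 2' \
        'clientaliveinterval 300' 'ClientAliveInterval 900' > "$1/sshd_config"
    printf '%s\n' 'net.ipv4.ip_forward = 1' 'net.ipv4.ip_forward = 0' \
        'net.ipv4.conf.all.accept_source_route = 1' > "$1/sysctl.conf"
}

d=$(mktemp -d) && make_sample "$d"
audit "$d/passwd" "$d/shadow" "$d/sshd_config" "$d/sysctl.conf" || echo "$? finding(s)"
rm -rf "$d"
```

On a real host, run audit as root against /etc/passwd, /etc/shadow, /etc/ssh/sshd_config and /etc/sysctl.conf; the values the running kernel is using can be read with sysctl -n.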
