Chapter 5. Security Practices
5.1. Security Practices Overview
The Security Practices tests, also known as cloud/security, confirm that the image follows a minimum set of standard security practices. They also confirm (but do not require at this time) that the latest Red Hat security updates are installed.
The cloud/security test includes the following subtests:
5.2. Password Configuration
Confirms the user password configuration is either certificates or SHA-512 for RHEL 6 & 7. This ensures that the image follows standard encryption/decryption mechanisms for optimal security.
Success Criteria:
User authentication must be configured to certificates or SHA-512 for RHEL 6 or 7.
5.3. RPM Freshness
Confirms that all important and critical security errata released against Red Hat packages that are included in the image are installed. Red Hat encourages partners to update and recertify their images whenever an erratum is released. This test displays the status REVIEW at runtime because it requires review at Red Hat to confirm success or failure. For more information on Red Hat security ratings, refer to https://access.redhat.com/security/updates/classification.
Success Criteria:
All important and critical security errata released for installed Red Hat packages are current.
5.4. SELinux Enforcing
Confirms that SELinux is running in enforcing mode on the image (preferred) or is running in permissive mode. Security-Enhanced Linux (SELinux) adds Mandatory Access Control (MAC) to the Linux kernel, and is enabled by default in Red Hat Enterprise Linux.
SELinux policy is administratively defined, enforced system-wide, and not set at user discretion. This reduces vulnerability to privilege escalation attacks and helps limit the damage caused by configuration mistakes. If a process becomes compromised, the attacker only has access to the normal functions of that process, and to files the process has been configured to have access to.
For more information on SELinux in RHEL, refer:
Success Criteria:
SELinux is configured and running in enforcing mode on the image (preferred) or permissive mode.
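A local pre-check for the success criteria in sections 5.2 and 5.4, as an added example that is not part of the Red Hat certification test suite. It assumes the password configuration is reflected in ENCRYPT_METHOD in /etc/login.defs and the hash prefixes in /etc/shadow, and that the SELinux mode is read from /etc/selinux/config; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the certification tool's code. Paths are arguments so the
# checks can run against a mounted image root or the constructed samples below.

# ENCRYPT_METHOD value from a login.defs-style file (empty if unset).
encrypt_method() {
    awk '$1 == "ENCRYPT_METHOD" { m = $2 } END { print m }' "$1"
}

# Accounts in a shadow-style file whose password is not a SHA-512 ($6$) hash.
# Lock prefixes are stripped first; entries with no hash at all (*, !, !!) are skipped.
non_sha512_accounts() {
    awk -F: '{
        if ($2 == "") { print $1; next }   # empty field: no password required
        h = $2; sub(/^!+/, "", h)          # drop the lock prefix
        if (h == "" || h == "*") next      # locked, password login not possible
        if (h !~ /^\$6\$/) print $1
    }' "$1"
}

# SELINUX= mode from an /etc/selinux/config-style file (SELINUXTYPE is ignored).
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Return 0 when both criteria hold. Args: login.defs shadow selinux-config
check_image() {
    rc=0
    [ "$(encrypt_method "$1")" = "SHA512" ] || { echo "FAIL: ENCRYPT_METHOD is not SHA512"; rc=1; }
    bad=$(non_sha512_accounts "$2" | tr '\n' ' ')
    [ -z "$bad" ] || { echo "FAIL: password not SHA-512 for: $bad"; rc=1; }
    case "$(selinux_config_mode "$3")" in
        enforcing)  echo "PASS: SELinux enforcing (preferred)" ;;
        permissive) echo "PASS: SELinux permissive" ;;
        *)          echo "FAIL: SELinux disabled or not configured"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample files (hash strings are placeholders, not real hashes).
write_samples() {
    printf 'PASS_MAX_DAYS 99999\nENCRYPT_METHOD SHA512\n' > "$1/login.defs"
    printf 'root:!!:18000:0:99999:7:::\ncloud-user:$6$c0nstruct$PLACEHOLDER:18000:0:99999:7:::\nlegacy:$1$c0nstruct$PLACEHOLDER:18000:0:99999:7:::\n' > "$1/shadow"
    printf '# SELINUX= can take: enforcing, permissive, disabled\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$1/selinux"
}

d=$(mktemp -d) && write_samples "$d"
check_image "$d/login.defs" "$d/shadow" "$d/selinux" || echo "image needs changes"
rm -rf "$d"
```

The config file only shows the mode applied at boot; on a running instance, `getenforce` reports the mode currently in effect.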
