
NATO UNCLASSIFIED

Cyber Security
Service Line
(CS SL)
March 2017

Security Settings for


Red Hat Enterprise Linux 7
Descriptions and Values v1.1

CS SL guide for Securing RHEL7 servers used in NATO networks

Originator:
Capability Development/Engineering and Transition
Cyber Security Service Line
NCN 254-2083 or 6892
Civil +32 (0)65-44-2083 or 6892

CS SL/CAP DEV, as part of its continual improvement process, welcomes comments on this
document. Comments can be emailed to securitysettings@ncirc.nato.int

NATO UNCLASSIFIED
NATO UNCLASSIFIED

Cyber Security Service Line RHEL 7 Security Settings

Version History
Cyber Security Service Line (CS SL) will maintain this document to include further amendments
due either to changes in the RHEL software (i.e. new features, patches, releases, etc.) or
developments within the NATO CIS for which this document is applicable.

Version  Date       Notes
1.0      Dec. 2015  [JCG] First version, based on the RHEL 6.x guide
1.0.1    Dec. 2015  [JCG] Corrected a few typos and wrong explanations (no modification of the scripts)
1.1      Mar. 2017  [SR] Bug fixes; new settings to cover kptr pointers and IPv6 router advertisement

Author JC Gallard
Review Slawomir Roginski

NATO UNCLASSIFIED
V 1.0.1 December 2015
-2-

References
A. AC/35-D/2005-REV2, INFOSEC Management Directive for CIS, 18 October 2010.

B. C-M(2002)49, NATO Security Policy, 17 June 2002.

C. AD 70-1, ACO Security Directive, January 2009.

D. AC/322-D/0048-REV2, INFOSEC Technical and Implementation Directive for Computer and Local Area Network (LAN) Security, 09 December 2011 (NR).

E. AC/322-D/0030-REV5, INFOSEC Technical and Implementation Directive for the Interconnection of Communication and Information Systems (CIS), 23 February 2011.

F. SHAPE CCP: 047/03, “Change to NATO CONFIDENTIAL (NC) and NATO SECRET (NS) ACE CISs Baselines User Password Parameters”.

G. Guide to the Secure Configuration of RHEL6, National Security Agency (NSA), http://www.nsa.gov.

H. Security Configuration Benchmark for RHEL 7, The Center for Internet Security, http://cisecurity.org.

I. CS SL guide for Securing RHEL7 servers used in NATO networks, version 1.1, Mar. 2017.

J. Red Hat Enterprise Linux 7 Security Guide, Red Hat, 2015.


Acronyms
AFPL Approved Fielded Products List
ASCII American Standard Code for Information Exchange
CAP DEV Capability Development
CS SL Cyber Security Service Line
GUI Graphical User Interface
OS Operating System
OSA Operating System Authorities
RHEL Red Hat Enterprise Linux
RHN Red Hat Network
SAA Security Accreditation Authority
XML eXtensible Markup Language


Table of Contents
Version History ................................................................................................................................................... 2

References ......................................................................................................................................................... 3

Acronyms ............................................................................................................................................................ 4

1 Introduction ................................................................................................................................................. 7
1.1 Scope of this guide ............................................................................................................................ 7
1.2 Audience ........................................................................................................................................... 7
1.3 How to use this guide ........................................................................................................................ 7

2 Changes in Red Hat Enterprise Linux 7 ..................................................................................................... 9

3 Base server security settings (settings_base.xml) ...................................................................................11


3.1 FILE PERMISSIONS AND MASKS ................................................................................................11
3.2 PROGRAM EXECUTION CONTROL .............................................................................................12
3.3 ACCOUNT AND ACCESS CONTROL ...........................................................................................13
3.4 PASSWORD POLICY .....................................................................................................................15
3.5 PHYSICAL SECURITY ...................................................................................................................17
3.6 WARNING BANNERS.....................................................................................................................20
3.7 SELinux ...........................................................................................................................................21
3.8 NETWORK SECURITY ...................................................................................................................21
3.9 LOGGING AND AUDITING .............................................................................................................24
3.10 SERVICES SETTINGS ...................................................................................................................24
3.11 SSH SETTINGS ..............................................................................................................................26

4 EXTRA AUDIT SCRIPTS .........................................................................................................................30


4.1 empty_password_check ..................................................................................................................30
4.2 legacy_password_check .................................................................................................................30
4.3 users_with_uid_0_check .................................................................................................................30
4.4 suid_sgid_check ..............................................................................................................................30
4.5 unowned_check ..............................................................................................................................30
4.6 world_writable_dirs_check ..............................................................................................................30
4.7 user_home_check ...........................................................................................................................31


1 Introduction
This document explains the rationales and values for the Red Hat Enterprise Linux 7 security
settings, which are mandated in the Cyber Security Service Line (CS SL) guide for Securing
Red Hat Enterprise Linux 7 used in NATO Networks (reference [I]).

1.1 Scope of this guide


RHEL7 Security Settings documentation has been developed in accordance with NATO Policies
and external technical sources on Linux security (see References section).

The settings in this guide are mainly based on “Guide to the Secure Configuration of RHEL6,
National Security Agency (NSA)” (reference [G]), the “Security Configuration Benchmark for
RHEL 7” by The Center for Internet Security (reference [H]) and the “Red Hat Enterprise Linux 7
Security guide, Red Hat” (reference [J]).

This guide has been tested and validated against RHEL 7.0, RHEL 7.1 and RHEL 7.2.

Although not tested on other v7 versions, this document is applicable to all versions of
RHEL 7, at least up to version 7.2, and very likely without any modification. Should you
experience compatibility issues with untested RHEL 7 versions, please report them to
CS SL for advice.

1.2 Audience
RHEL7 Security Settings documentation has been developed and formatted mainly for
Technical Support Personnel (i.e. system engineers and network administrators). INFOSEC
personnel are also encouraged to review and comment on it, since the description of each
security setting and its rationale is developed in accordance with NATO Security Policy.

Comments from Technical Support Personnel and INFOSEC Officers are considered essential
to ensure the quality and value of this document. The Cyber Security Service Line (CS SL)
therefore welcomes comments that improve ease of implementation and user friendliness,
both of which matter for the effectiveness of the security measures described here.

1.3 How to use this guide


Security Setup information provided in this document is designed for the protection of military
computer networks and, therefore, is significantly more restrictive in comparison with
commercial practices.

Setup information has been developed and validated by a team from Engineering and
Transition branch, Cyber Security Service Line (CS SL), NATO Communications & Information
Agency (NCIA).

Accordingly, it is essential to validate the functional performance of security setting values on a
test-bed, with site-specific applications, prior to operational implementation. Setting values that
are found to conflict with site-specific applications should be identified and documented, as
described in the following sections and Annexes, to assist CS SL in approving any deviation
from this directive (or in amending this document, if appropriate). Input and experience from
operational sites and technical support agencies will be used to amend or improve the
document. Some of the setup information provided might be optional, and local sites may
decide to implement it as they require. These items are marked “OPTIONAL” throughout the
document.

Systems assigned by CS SL at operational NATO sites are required to have a site-specific
version of this document, where deviations from the original setup information are marked and
technical or operational justification noted. Managers of other NATO systems using variants of
this document as guidance are also recommended to adopt a similar procedure.

Even if some of these settings are already provided by the default installation (marked “conforms
to the enforced settings” in the Default setting: field), it is still worth auditing them to make sure
they have not been modified.

Note: This guide assumes that the reader is a system administrator who is familiar with
the concepts of Operating System Administration on Linux operating systems,
application installation and application configuration.

When this document does not provide sufficient guidance, contact CS SL/CAP DEV
(securitysettings@ncirc.nato.int).


2 Changes in Red Hat Enterprise Linux 7


This section describes, in a non-exhaustive manner, the main differences between RHEL 6 and
RHEL 7 that have an impact on the overall security of the operating system.

Feature: Kernel version
  RHEL 6: 2.6.x-x
  RHEL 7: 3.10.x-x

Feature: First process
  RHEL 6: init
  RHEL 7: systemd

Feature: System and service manager
  RHEL 6: Upstart (init scripts)
  RHEL 7: systemd. systemd is a system and service manager for Linux. It replaces SysV and
          Upstart used in previous releases, while remaining compatible with legacy init scripts.

Feature: Default file system
  RHEL 6: EXT4
  RHEL 7: XFS

Feature: Runlevels
  RHEL 6: Legacy runlevels, from 0 to 6. The default runlevel is defined in /etc/inittab.
  RHEL 7: “runlevels” are replaced by “targets”:
          - poweroff.target (runlevel 0)
          - rescue.target (runlevel 0)
          - multi-user.target (runlevels 2, 3 and 4)
          - graphical.target (runlevel 5)
          - reboot.target (runlevel 6)
          The default target is the multi-user target.

Feature: Boot loader
  RHEL 6: GRUB 0.97
  RHEL 7: GRUB 2

Feature: Service launchers
  RHEL 6: Use the service and chkconfig commands
  RHEL 7: The systemctl command replaces both service and chkconfig

Feature: Firewall
  RHEL 6: iptables
  RHEL 7: firewalld. This is a dynamic firewall with many more features. It is not possible to run
          iptables and firewalld at the same time, but firewalld may be disabled and iptables used
          instead.

Feature: 32-bit support
  RHEL 6: Both 32-bit and 64-bit images available
  RHEL 7: No 32-bit images. RHEL 7 is now a full 64-bit OS only.

Feature: Update mechanism
  RHEL 6: RHN Classic
  RHEL 7: Red Hat Subscription Management is the only option

Feature: Logging
  RHEL 6: Multiple logging daemons running simultaneously (auditd, rsyslogd, ...)
  RHEL 7: journald. journald captures the following types of message for all services:
          - syslog messages
          - kernel messages
          - initial RAM disk and early boot messages
          - messages sent to standard output and standard error output

Compared to the RHEL 6 Security Settings from NCIRC, the following changes have been
made:

- IPv6 is no longer disabled
- PAM configuration adapted to the new RHEL 7 standards
- Network redirects addressed in one single setting, also covering IPv6
- IP forwarding redirects addressed in one single setting, also covering IPv6
- Forcing expiration of user passwords after applying the settings is no longer enforced
- Boot protection adapted for GRUB 2
- Accounts are locked after 5 unsuccessful attempts and unlocked automatically after 600
  seconds
- Default banner changed to NOT reflect the classification level
- log_martians option removed due to highly verbose logs on some systems
- iptables rules removed, since the default behaviour of firewalld already addresses all topics
- Home directory checks exclude users with nologin
- Warning banner on GUI settings bug fixed (was originally set up at gdm init)
- Kernel address space randomization set to FULL instead of CONSERVATIVE


3 Base server security settings (settings_base.xml)

3.1 FILE PERMISSIONS AND MASKS


3.1.1 perm_passwd_security

Setting type: 8 command execution objects (chown and chmod)

System Modification: This setting executes four “chown root:root” and four “chmod”
commands on /etc/passwd, /etc/shadow, /etc/group and
/etc/gshadow files

Enforced setting: This setting enforces the root:root ownership, mode 644 on
/etc/passwd, and /etc/group, and mode 400 on /etc/shadow,
and /etc/gshadow

Default setting: Conforms to the enforced settings

Rationale: These are sensitive password and user information files and should not
be modified (or read for the shadow files) by anyone except root.

3.1.2 perm_set_umask

Setting type: 1 file change object /etc/sysconfig/init

System Modification: This setting adds a “umask 027” entry to the /etc/sysconfig/init
file

Enforced setting: User umask is enforced to 027

Default setting: Default umask value is 022

Rationale: This setting changes the default permissions of files created by daemon
processes. By default, they are writable by the owner and readable by group and
others. The setting enforces owner-writable, group-readable and no access for
others, which prevents leaking information to users who were not supposed to
access it.

3.1.3 perm_sticky_worldwritable

Setting type: All world-writable directories have sticky bit set

System Modification: This setting adds the sticky bit permission to all world-writable
directories.

Enforced setting: This setting adds the sticky bit permission to all world-writable
directories.

Default setting: No sticky bits assigned

Rationale: This setting prevents users from deleting or renaming files in world-writable
directories (such as /tmp) that are owned by another user.
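As an added example (not part of the CS SL guide or its scripts), the following POSIX shell functions audit a directory tree for world-writable directories that lack the sticky bit, and apply the bit to the ones found. The ROOT argument is an assumption introduced here so the check can be exercised on a test tree before it is run against "/"; the real audit passes "/" and, like the guide's setting, stays on one filesystem.

```shell
#!/bin/sh
# Added example, not from the CS SL guide: audit and repair world-writable
# directories without the sticky bit (setting 3.1.3, perm_sticky_worldwritable).
# ROOT is an assumed parameter; use "/" for the real audit.

# list_unsticky ROOT
# Prints every directory below ROOT that is world-writable (o+w) but does
# not carry the sticky bit. -xdev keeps find on ROOT's filesystem, so
# network and pseudo filesystems are not walked during an audit of "/".
list_unsticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# count_unsticky ROOT
# Prints the number of offending directories (0 means compliant).
count_unsticky() {
    list_unsticky "$1" | wc -l | tr -d ' '
}

# set_sticky ROOT
# Adds the sticky bit to each directory list_unsticky would report, using
# -exec so that unusual directory names are handled safely.
set_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -exec chmod +t {} + 2>/dev/null
}

# Stand-alone use: sh sticky_audit.sh /   (report only)
if [ $# -gt 0 ]; then
    list_unsticky "$1"
    echo "world-writable directories without sticky bit: $(count_unsticky "$1")"
fi
```

Run list_unsticky first and review its output before calling set_sticky: a directory that is world-writable by mistake is better fixed by removing the write bit than by adding the sticky bit.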

3.2 PROGRAM EXECUTION CONTROL


3.2.1 exec_shield

Setting type: 2 file change objects /etc/sysctl.conf

System Modification: This setting adds two lines into the /etc/sysctl.conf file:

kernel.exec-shield = 1
kernel.randomize_va_space = 2

Enforced setting: ExecShield comprises a number of kernel features to provide protection
against buffer overflows. These features include random placement of
the stack and other memory regions, prevention of execution in memory
that should only hold data, and special handling of text buffers.
ExecShield uses the segmentation feature on all x86 systems to prevent
execution in memory higher than a certain address. It writes an address
as a limit in the code segment descriptor, to control where code can be
executed, on a per-process basis. When the kernel places a process’s
memory regions such as the stack and heap higher than this address,
the hardware prevents execution there.

Default setting: Conforms to the enforced settings. Exec-shield protection is enabled by
default, but the sysctl variables kernel.exec-shield and
kernel.randomize_va_space should be checked to ensure that they
have not been disabled at any time during system operation.

Rationale: This setting enables protections of program execution. The first variable
makes the data section in the program not executable so a potential
exploit cannot place its shellcode there, the second setting randomizes
the address space layout so an exploit writer cannot use fixed buffer
addresses. This makes it harder to use classic exploitation techniques.

3.2.2 core_dumps

Setting type: 2 file change objects: /etc/security/limits.conf and
/etc/sysctl.conf

System Modification: This setting adds one line to /etc/security/limits.conf:

* hard core 0

and one line to /etc/sysctl.conf:

fs.suid_dumpable = 0


Enforced setting: This setting sets the hard limit of core dump size to 0, which effectively
disables it. Furthermore, the setuid executable core dumps are disabled
at the kernel level.

Default setting: By default, the system sets a soft limit to stop the creation of core dump
files for all users, but not the hard limit. Soft limits can be changed by a
regular user at any moment.

Rationale: Core dumps can contain user-sensitive data and are recommended to
be disabled by enforcing the hard limit to 0. Furthermore, dumping of
setuid executables, which is even more dangerous, should be restricted
at the kernel level.

3.2.3 kptr_restrict

Setting type: 1 file change object in /etc/sysctl.conf

System Modification: This setting adds one line to /etc/sysctl.conf:

kernel.kptr_restrict = 1

Enforced setting: This kernel parameter hides the kernel pointers exposed through /proc
interfaces. kptr_restrict is set to 1, which hides the pointers from
regular users but not from root processes.

Default setting: By default, kptr_restrict parameter is set to 0 which does not hide
exposed kernel pointers.

Rationale: The kernel symbol table with memory addresses is exposed via
/proc/kallsyms. This information is used by rootkits in order to
potentially circumvent detection mechanisms. Hiding the kernel pointers
may prevent this attack vector.
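Settings 3.2.1 to 3.2.3 all come down to sysctl keys, and the Default setting of 3.2.1 asks for them to be checked rather than assumed. The following POSIX shell script is an added example, not part of the CS SL guide or its scripts: it compares a "key = value" listing (either /etc/sysctl.conf or a saved "sysctl -a" output; the file argument is an assumption made here so the check is reproducible offline) against the values the guide enforces, taking the last occurrence of a key as sysctl itself does. A key that the listing does not contain at all is reported as MISSING rather than silently passing, which is what a practitioner wants for kernel.exec-shield on a kernel that does not expose that key.

```shell
#!/bin/sh
# Added example, not from the CS SL guide: audit a sysctl listing against
# the values enforced by settings 3.2.1 (exec_shield), 3.2.2 (core_dumps)
# and 3.2.3 (kptr_restrict). The FILE argument is an assumed parameter:
# /etc/sysctl.conf, or a file saved from "sysctl -a".

# Expected values, one "key=value" pair per line, taken from the guide.
EXPECTED='kernel.exec-shield=1
kernel.randomize_va_space=2
fs.suid_dumpable=0
kernel.kptr_restrict=1'

# audit_sysctl FILE
# Prints one line per expected key (OK / MISMATCH / MISSING) and returns
# the number of keys that are not at their enforced value.
audit_sysctl() {
    file=$1
    bad=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        ekey=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots in the regex
        # Last matching line wins, as it does when sysctl reads a file.
        have=$(grep -E "^[[:space:]]*${ekey}[[:space:]]*=" "$file" 2>/dev/null \
               | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//' | tr -d '[:space:]')
        if [ -z "$have" ]; then
            echo "MISSING  $key (expected $want)"
            bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key = $have (expected $want)"
            bad=$((bad + 1))
        else
            echo "OK       $key = $have"
        fi
    done
    return $bad
}

# write_sample FILE
# Writes a constructed sysctl.conf-style sample: the guide's values were
# applied, but randomize_va_space was later turned down and exec-shield
# never written. Used only to demonstrate the checker.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
kernel.randomize_va_space = 0
kernel.kptr_restrict = 1
EOF
}

# Stand-alone use: sh sysctl_audit.sh /etc/sysctl.conf
if [ $# -gt 0 ]; then
    audit_sysctl "$1"
    echo "non-compliant keys: $?"
fi
```

Against the constructed sample the script reports exec-shield MISSING, randomize_va_space MISMATCH (0 instead of 2) and the two other keys OK, and returns 2. Feeding it a saved "sysctl -a" listing checks the running kernel rather than the file, which catches values changed at runtime without editing /etc/sysctl.conf.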

3.3 ACCOUNT AND ACCESS CONTROL


3.3.1 restrict_root_login

Setting type: 1 command execution object

System Modification: The /etc/securetty file is being replaced

Enforced setting: Replacing the /etc/securetty with one defined by the security
settings that contains only the following devices: console, vc/1 –
11, tty1 – tty11

Default setting: Conforms to the enforced settings

Rationale: Direct root logins should be allowed only for emergency use. In normal
situations, the administrator should access the system via a unique
unprivileged account, and use su or sudo to execute privileged
commands. Discouraging administrators from accessing the root
account directly ensures an audit trail in organizations with multiple
administrators. Locking down the channels through which root can
connect directly reduces opportunities for password-guessing against
the root account.

3.3.2 restrict_su

Setting type: 1 file change object /etc/pam.d/su

System Modification: The following line is being added to the above file:
auth required pam_wheel.so use_uid

Enforced setting: pam_wheel.so is used so that only members of the wheel group can su
to root, by modifying the /etc/pam.d/su file accordingly

Default setting: su is not restricted to the wheel group

Rationale: The su command allows a user to gain the privileges of another user by
entering the password for that user’s account. It is desirable to restrict
the root user so that only known administrators are ever allowed to
access the root account. This restricts password-guessing against the
root account by unauthorized users or by accounts which have been
compromised.

3.3.3 user_umask

Setting type: 1 file change object /etc/login.defs

System Modification: “UMASK 077” line is being inserted into the above file

Enforced setting: User umask is enforced to 077

Default setting: conforms to the enforced settings

Rationale: With a default umask setting of 077, files and directories created by
users will not be readable by any other user on the system. Users who
wish to make specific files group- or world-readable can accomplish this
using the chmod command. Additionally, users can make all their files
readable to their group by default by setting a umask of 027 in their shell
configuration files. If default per-user groups exist (that is, if every user
has a default group whose name is the same as that user’s username
and whose only member is the user), then it may even be safe for users
to select a umask of 007, making it very easy to intentionally share files
with groups of which the user is a member.


3.4 PASSWORD POLICY


3.4.1 password_quality

Setting type: 1 file change object in /etc/pam.d/passwd, 2 file change objects in
/etc/security/pwquality.conf and 1 command execution object

System Modification: The following line is written to the /etc/pam.d/passwd file:

password required pam_pwquality.so retry=3

and the /etc/security/pwquality.conf file is configured as follows:
minlen=8
minclass=3

Enforced setting: Password quality parameters are configured in accordance with [D] and
[A]. The parameters are written into the
/etc/security/pwquality.conf file. In particular, the following
values are enforced:

- Password complexity: characters from at least 3 of the 4 classes: lower
  case, upper case, digits and special characters
- Length: at least 8 characters

Default setting: By default password quality requirements are less strict.

Rationale: Password policy has to conform to NATO requirements. The


pam_pwquality PAM module in RHEL7 replaces the legacy
pam_cracklib module used in RHEL6.

3.4.2 password_history

Setting type: 1 file change object /etc/pam.d/system-auth

System Modification: The following line is written to the above file:

password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

Enforced setting: Password policy parameters are configured in accordance with [D] and
[A]. Here, 5 different passwords are remembered, meaning the new
password cannot be the same as any of the last five passwords used by
the user. Passwords are stored using the SHA-512 hashing algorithm.

Default setting: No history enforced, SHA512 is the default

Rationale: Password policy has to conform to NATO requirements


3.4.3 password_min_age

Setting type: 1 file change object /etc/login.defs

System Modification: The “PASS_MIN_DAYS 7” entry is being written to the above file.

Enforced setting: Password policy parameters are configured in accordance with [D] and
[A]. Here, password minimum age of 7 days is enforced.

Default setting: Not enforced

Rationale: Password policy has to conform to NATO requirements

3.4.4 password_max_age

Setting type: 1 file change object /etc/login.defs

System Modification: The “PASS_MAX_DAYS 180” entry is being written to the above file

Enforced setting: Password policy parameters are configured in accordance with [D] and
[A]. Here, password maximum age of 180 days is enforced.

Default setting: Not enforced

Rationale: Password policy has to conform to NATO requirements

3.4.5 password_change_warning

Setting type: 1 file change object /etc/login.defs

System Modification: The “PASS_WARN_AGE 14” entry is being written to the above file

Enforced setting: Password policy parameters are configured in accordance with [D] and
[A]. Here, a password change warning message is presented to the user
14 days before the password expires. The value is written into the
/etc/login.defs file.

Default setting: Not enforced

Rationale: Password policy has to conform to NATO requirements

3.4.6 password_locking

Setting type: Multiple file change objects in the /etc/pam.d/system-auth and
/etc/pam.d/password-auth files

System Modification: The following lines are added to the auth section of the
/etc/pam.d/system-auth and /etc/pam.d/password-auth
files:

auth required pam_faillock.so preauth silent audit deny=5 unlock_time=600
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600

The following line is also added to the account section of the
/etc/pam.d/system-auth and /etc/pam.d/password-auth files:

account required pam_faillock.so

Finally, the two configuration files are replaced by symlinks as follows:
mv /etc/pam.d/system-auth /etc/pam.d/system-auth-local
mv /etc/pam.d/password-auth /etc/pam.d/password-auth-local
ln -s /etc/pam.d/system-auth-local /etc/pam.d/system-auth
ln -s /etc/pam.d/password-auth-local /etc/pam.d/password-auth

Enforced setting: Password policy parameters are configured in accordance with [D] and
[A]. Here, lockout occurs after 5 unsuccessful login attempts and lasts
for 10 minutes.

Note: this only affects non-root users.

If a system administrator uses the authconfig tool to configure the
password policy, the system-auth and password-auth files will be
overwritten with the settings from the authconfig tool. This behaviour is
bypassed by creating symbolic links in place of the configuration files,
which authconfig recognizes and does not overwrite.

Default setting: Not enforced

Rationale: Password policy has to conform to NATO requirements
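Setting 3.4.6 is the kind of change that silently regresses: an authconfig run replaces the stack files, or an edit drops one of the two pam_faillock lines, and logins still work. The following POSIX shell script is an added example, not part of the CS SL guide or its scripts; it verifies that a PAM stack file carries the preauth and authfail lines with deny=5 and unlock_time=600 plus the account line, and that system-auth and password-auth are symlinks to their -local copies. The PAM directory argument is an assumption introduced here so the check can be run on a copy of /etc/pam.d first; the sample stack it writes is constructed from the lines in this section.

```shell
#!/bin/sh
# Added example, not from the CS SL guide: verify the pam_faillock lines
# and the authconfig-proof symlink layout of setting 3.4.6 (password_locking).
# The PAMDIR argument is an assumed parameter; on a live system it is /etc/pam.d.

DENY=5
UNLOCK=600

# has_line FILE TYPE [WORD...]
# True when FILE has a line of PAM type TYPE (auth, account, ...) that
# references pam_faillock.so and contains every WORD as a separate token.
has_line() {
    file=$1; ptype=$2; shift 2
    sed 's/[[:blank:]]\{1,\}/ /g' "$file" | grep -E "^ ?${ptype} " | grep 'pam_faillock\.so' | (
        while IFS= read -r line; do
            ok=1
            for word in "$@"; do
                case " $line " in *" $word "*) ;; *) ok=0 ;; esac
            done
            [ "$ok" -eq 1 ] && exit 0
        done
        exit 1
    )
}

# check_faillock FILE
# Prints OK/MISSING per required line and returns the number missing.
check_faillock() {
    f=$1; missing=0
    for spec in \
        "auth preauth deny=$DENY unlock_time=$UNLOCK" \
        "auth authfail deny=$DENY unlock_time=$UNLOCK" \
        "account required"; do
        set -- $spec          # PAM type followed by the required tokens
        if has_line "$f" "$@"; then
            echo "OK      $spec"
        else
            echo "MISSING $spec"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# check_links PAMDIR
# Returns the number of stacks that are not symlinks to their -local copy
# (the layout authconfig leaves alone); absolute or relative targets accepted.
check_links() {
    dir=$1; bad=0
    for stack in system-auth password-auth; do
        target=$(readlink "$dir/$stack" 2>/dev/null || :)
        case $target in
            "$stack-local"|"$dir/$stack-local") echo "OK      $stack -> $target" ;;
            *) echo "BAD     $stack is not a symlink to $stack-local"; bad=$((bad + 1)) ;;
        esac
    done
    return $bad
}

# write_sample FILE
# Constructed sample of a system-auth-local auth/account section after
# the setting is applied (demonstration input only).
write_sample() {
    cat > "$1" <<'EOF'
#%PAM-1.0
# constructed sample, not a real system file
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=5 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF
}

# Stand-alone use: sh faillock_audit.sh /etc/pam.d
if [ $# -gt 0 ]; then
    check_links "$1"
    for s in system-auth password-auth; do check_faillock "$1/$s"; done
fi
```

Following the symlink is deliberate: check_faillock reads system-auth, so it reports what PAM actually evaluates, and check_links separately confirms that the file PAM reads is the -local copy rather than something authconfig regenerated.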

3.5 PHYSICAL SECURITY


3.5.1 disable_unused_drivers

Setting type: File NCIRC.conf created under /etc/modprobe.d/

System Modification: The /etc/modprobe.d/NCIRC.conf file is added to the system:

# NCIRC MODPROBE SECURITY SETTINGS
# Disable unused Network protocols
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
# Disable unused File Systems
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
# Disable USB Storage driver
install usb_storage /bin/true
# Disable WiFi drivers
install ath /bin/true
install brcm80211 /bin/true
install iwlegacy /bin/true
install iwlwifi /bin/true
install mwifiex /bin/true
install rt2x00 /bin/true
install rtl818x /bin/true
install rtlwifi /bin/true

Enforced setting: Multiple unused drivers are prevented from loading into the kernel. This
disables the USB storage driver, all known WiFi drivers, some unused file
system drivers, and unused network protocols as well.

Default setting: Unused or unwanted drivers are loaded within the kernel

Rationale: Unused drivers and features should not be used. The modprobe
program used for automatic kernel module loading is therefore
configured not to load these drivers on demand. Removing the USB
storage drivers also prevents Data Leaks through USB devices.

3.5.2 grub_password

Setting type: Multiple file changes: /etc/grub.d/40_custom,
/etc/grub.d/10_linux, /boot/grub2/grub.cfg and
/boot/efi/EFI/redhat/grub.cfg

System Modification: The following lines are added to the /etc/grub.d/40_custom file:

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.<passwordhash>
export superusers

where <passwordhash> is the hash of the password that protects the
bootloader.

The CLASS variable in /etc/grub.d/10_linux is modified to make sure
the --unrestricted option is set:

CLASS="--class gnu-linux --class gnu --class os --unrestricted"

The following command is executed to save the changes (the file is
different for an EFI boot and for a regular BIOS boot, hence the test in
the command):

if [ -d /sys/firmware/efi ]; then
    grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
else
    grub2-mkconfig -o /boot/grub2/grub.cfg
fi


Enforced setting: The bootloader password is required to change the boot parameters.

Default setting: each menuentry is set to “unrestricted” but no password is set.

Rationale: During the boot process, the boot loader is responsible for starting the
execution of the kernel and passing options to it. The boot loader allows
for the selection of different kernels – possibly on different partitions or
media. Options it can pass to the kernel include “single-user mode,”
which provides root access without any authentication, and the ability to
disable SELinux. To prevent local users and physical intruders from
modifying the boot parameters and endangering security, the boot
loader configuration should be protected with a password.
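Two things go wrong with setting 3.5.2 in practice: the wrong grub.cfg is regenerated on an EFI system, and a menu entry generated outside 10_linux (a rescue entry, for instance) lacks --unrestricted, so that the password is demanded for a normal boot instead of only for editing entries. The following POSIX shell script is an added example, not part of the CS SL guide or its scripts: it selects the grub.cfg to regenerate from the presence of /sys/firmware/efi (the SYSROOT argument is an assumption introduced here so the firmware test can run against a fake tree) and audits a generated grub.cfg for the superusers line, a pbkdf2 password line and --unrestricted on every menuentry. The sample grub.cfg it writes is constructed for the demonstration, with placeholder salt and hash.

```shell
#!/bin/sh
# Added example, not from the CS SL guide: regenerate the right grub.cfg
# (EFI vs BIOS) and audit it for the protection of setting 3.5.2.
# SYSROOT is an assumed parameter: "" (or nothing) on a live system.

# grub_cfg_path [SYSROOT]
# Prints the grub.cfg grub2-mkconfig must write: the EFI one when the
# firmware exposes /sys/firmware/efi, the BIOS one otherwise.
grub_cfg_path() {
    root=${1:-}
    if [ -d "$root/sys/firmware/efi" ]; then
        echo "$root/boot/efi/EFI/redhat/grub.cfg"
    else
        echo "$root/boot/grub2/grub.cfg"
    fi
}

# regen_grub_cfg [SYSROOT]
# Runs grub2-mkconfig against the path chosen above (live systems only).
regen_grub_cfg() {
    grub2-mkconfig -o "$(grub_cfg_path "$1")"
}

# check_grub_cfg FILE
# Prints findings and returns their number:
#   - no "set superusers=" line
#   - no password_pbkdf2 line carrying a grub.pbkdf2.sha512 hash
#   - menuentry lines without --unrestricted (booting them would prompt
#     for the password too, instead of only editing)
check_grub_cfg() {
    cfg=$1; bad=0
    grep -q '^[[:space:]]*set superusers=' "$cfg" \
        || { echo "MISSING set superusers"; bad=$((bad + 1)); }
    grep -q '^[[:space:]]*password_pbkdf2 [^ ]* grub\.pbkdf2\.sha512\.' "$cfg" \
        || { echo "MISSING password_pbkdf2 with sha512 hash"; bad=$((bad + 1)); }
    n=$(grep '^[[:space:]]*menuentry ' "$cfg" | grep -vc -- '--unrestricted' || :)
    if [ "$n" -gt 0 ]; then
        echo "FINDING $n menuentry line(s) without --unrestricted"
        bad=$((bad + 1))
    fi
    return $bad
}

# write_sample_cfg FILE
# Constructed fragment in the shape of a generated grub.cfg: the 40_custom
# lines are present, but a second entry was generated without --unrestricted.
write_sample_cfg() {
    cat > "$1" <<'EOF'
# constructed sample, not a generated file; hash fields are placeholders
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
export superusers
menuentry 'Red Hat Enterprise Linux Server' --class gnu-linux --class gnu --class os --unrestricted {
        linux16 /vmlinuz ro
}
menuentry 'Rescue entry' --class gnu-linux --class gnu --class os {
        linux16 /vmlinuz-rescue ro
}
EOF
}

# Stand-alone use: sh grub_audit.sh   (audits the live grub.cfg)
if [ $# -eq 0 ] && [ -r "$(grub_cfg_path)" ]; then
    check_grub_cfg "$(grub_cfg_path)"
fi
```

Run check_grub_cfg after every grub2-mkconfig, not only when the setting is applied: a kernel update regenerates grub.cfg, and the audit is what confirms that the 40_custom and 10_linux changes survived the regeneration.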

3.5.3 disable_interactive_boot

Setting type: 1 file change object /etc/sysconfig/init

System Modification: One line is being added to the above file:


PROMPT=no

Enforced setting: Interactive boot option is disabled.

Default setting: Interactive boot option is enabled.

Rationale: Using interactive boot, the console user could disable auditing, firewalls,
or other services, weakening system security, therefore it should be
disabled

3.5.4 gui_screen_locking

Setting type: 4 command execution objects

System Modification: The “gconftool-2” command is executed four times. This command
changes the GNOME GConf repository, under the /apps/gnome-screensaver
branch.

Enforced setting: This setting adjusts the lock screen parameter when working in X
Window GUI. It sets the GUI to be blanked and locked after 10 minutes.
Setting can be disabled/ignored on text mode console systems.

Default setting: GUI screen locking is disabled.

Rationale: The settings protect the interactive GUI session that was left unattended,
against a physical intruder. This setting is dictated by [Error! Reference
source not found.]

3.5.5 shell_inactivity

Setting type: 1 command execution object


System Modification: A new “tmout.sh” file is being placed in /etc/profile.d/
containing the following values:

TMOUT=600
readonly TMOUT
export TMOUT

Enforced setting: This setting automatically logs out the user after 10 minutes of inactivity.

Default setting: Not enforced.

Rationale: The setting protects a remote session that was left unattended against
a physical intruder. This setting is dictated by [AError! Reference
source not found.]

3.6 WARNING BANNERS


3.6.1 etc_issue

Setting type: 2 command execution objects

System Modification: files/etc_issue is copied to /etc/issue and /etc/issue.net

Enforced setting: This setting copies the warning banner contained in files/etc_issue
to /etc/issue and /etc/issue.net. This banner is supposed to
contain system classification and some access restriction information
and will be displayed upon logging in to a shell session. The default
banner is the following:

This NATO system operates in SYSTEM HIGH mode of operation.
By accessing and using this system you are consenting to system
monitoring for law enforcement and other purposes.
UNAUTHORIZED use of this system may subject you to criminal
prosecution and penalties.

Default setting: Information about the operating system is displayed as a banner by
default.

Rationale: Warning banners are an important part of security awareness. Also, the
default banner discloses information about the system configuration
which could help an attacker exploit a vulnerability. Therefore, custom-
made banners should be implemented.

3.6.2 gui_afterlogin

Setting type: 1 file change object /etc/gdm/PreSession/Default

System Modification: Inserts the line in the above file that calls the “xmessage” program:
zenity --text-info --filename=/etc/issue --title="LOGIN WARNING"


Enforced setting: A dialog box is displayed when the login manager starts. The
content of files/etc_issue is shown in the dialog box.

Default setting: No dialog box with the warning banner is displayed

Rationale: Warning banners are an important part of security awareness.

3.7 SELinux
3.7.1 enable_selinux

Setting type: 2 file change objects /etc/selinux/config

System Modification: 2 lines are being added to the above file:


SELINUX=enforcing
SELINUXTYPE=targeted

Enforced setting: SELinux is started in enforcing mode with the targeted policy.

Default setting: Conforms to the enforced settings

Rationale: SELinux is a feature of the Linux kernel which can be used to guard
against misconfigured or compromised programs. SELinux enforces the
idea that programs should be limited in what files they can access and
what actions they can take.

The default SELinux policy, as configured on RHEL7, has been
sufficiently developed and debugged that it should be usable on almost
any Red Hat machine with minimal configuration and a small amount of
system administrator training. This policy prevents system services —
including most of the common network-visible services such as mail
servers, ftp servers, and DNS servers — from accessing files which
those services have no valid reason to access. This action alone
prevents a huge amount of possible damage from network attacks
against services, from trojaned software, and so forth.

3.8 NETWORK SECURITY


3.8.1 network_disable_ip_forwarding

Setting type: 5 file change objects /etc/sysctl.conf

System Modification: 5 lines are being added to the above file:


net.ipv4.ip_forward=0
net.ipv4.conf.all.forwarding=0
net.ipv6.conf.all.forwarding=0
net.ipv4.conf.all.mc_forwarding=0
net.ipv6.conf.all.mc_forwarding=0

Enforced setting: IP forwarding is disabled


Default setting: Conforms to the enforced settings

Rationale: If the host does not function as a router, its routing capabilities should be
disabled. Otherwise, it can be abused as a malicious proxy to relay
traffic.

3.8.2 network_redirects

Setting type: 8 file change objects /etc/sysctl.conf

System Modification: 8 lines are being added to the above file:


net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0

Enforced setting: The sending and acceptance of redirect packets is switched off.

Default setting: Conforms to the enforced settings

Rationale: These are legacy features and should be disabled under normal
conditions. If not, they can be used to disclose network topology
information, or be used in man-in-the-middle attacks where an attacker
spoofs the legitimate gateway.

3.8.3 network_disable_source_routing

Setting type: 2 file change objects /etc/sysctl.conf

System Modification: 2 lines are being added to the above file:


net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0

Enforced setting: The source routing feature is switched off.

Default setting: Conforms to the enforced settings

Rationale: These are legacy features and should be disabled under normal
conditions. If not, they can be used to disclose network topology
information.

3.8.4 network_ignore_broadcasts

Setting type: 1 file change object /etc/sysctl.conf

System Modification: 1 line is being added to the above file:

net.ipv4.icmp_echo_ignore_broadcasts=1


Enforced setting: The ICMP traffic is ignored when sent to broadcast addresses.

Default setting: Conforms to the enforced settings

Rationale: This setting protects against ICMP attacks.

3.8.5 network_ignore_bogus_error_messages

Setting type: 1 file change object /etc/sysctl.conf

System Modification: 1 line is being added to the above file:


net.ipv4.icmp_ignore_bogus_error_responses=1

Enforced setting: Broken ICMP error messages will not be processed by the network
stack.

Default setting: Conforms to the enforced settings

Rationale: This setting protects against ICMP attacks.

3.8.6 network_tcp_syncookies

Setting type: 1 file change object /etc/sysctl.conf

System Modification: 1 line is being added to the above file:

net.ipv4.tcp_syncookies=1

Enforced setting: The tcp_syncookies flood protection feature is enabled.

Default setting: Conforms to the enforced settings

Rationale: The tcp syncookies option uses a cryptographic feature called SYN
cookies to allow machines to continue to accept legitimate connections
when faced with a SYN flood attack.

3.8.7 network_disable_ipv6_ra

Setting type: 1 systemctl change object /etc/sysctl.conf

System Modification: Multiple lines of the following form are being added to the above file,
one per network interface; the number of lines and their exact content
depend on the network interfaces present in the system:

net.ipv6.conf.*.accept_ra=0

Enforced setting: The IPV6 Router Advertisements are ignored.

Default setting: IPV6 Router Advertisements are accepted.

Rationale: It is recommended that systems not accept router advertisements as
they could be tricked into routing traffic to compromised machines.
Setting hard routes within the system (usually a single default route to a
trusted router) protects the system from bad routes.

3.8.8 network_rp_filter

Setting type: 2 file changes objects /etc/sysctl.conf

System Modification: 2 lines are being added to the above file:


net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1

Enforced setting: The reverse path validation filter is enabled.

Default setting: Conforms to the enforced settings

Rationale: The rp filter option enables RFC-recommended source validation, which
helps against IP spoofing attacks.

3.9 LOGGING AND AUDITING


3.9.1 enable_auditd

Setting type: 1 service state object

System Modification: Service “auditd” is being enabled

Enforced setting: The auditing of the system is enabled

Default setting: Auditing is enabled

Rationale: Auditing provides attribution information and should therefore be
enabled.

3.9.2 enable_rsyslog

Setting type: 1 service state object

System Modification: Service “rsyslog” is being enabled

Enforced setting: The auditing of the system is enabled

Default setting: Auditing is enabled

Rationale: Auditing provides attribution information and should therefore be
enabled.

3.10 SERVICES SETTINGS


3.10.1 enable_firewalld

Setting type: 1 service state object


System Modification: Service “firewalld” is being enabled

Enforced setting: The “firewalld” service is enabled

Default setting: The “firewalld” service is enabled

Rationale: The daemon provides firewall features and therefore should be enabled.

3.10.2 disable_avahi

Setting type: 1 service state object

System Modification: Service “avahi-daemon” is being disabled

Enforced setting: The “avahi-daemon” service is disabled

Default setting: The “avahi-daemon” service is disabled

Rationale: This daemon provides network auto-configuration; it is not normally
required and should be disabled.

3.10.3 disable_rhnsd

Setting type: 1 service state object

System Modification: Service “rhnsd” is being disabled

Enforced setting: The “rhnsd” service is disabled

Default setting: The “rhnsd” service is disabled

Rationale: The rhnsd daemon polls the Red Hat Network web site for scheduled
actions. Unless it is actually necessary to schedule updates remotely
through the RHN website, it is recommended that the service be
disabled.

3.10.4 disable_postfix

Setting type: 1 service state object

System Modification: Service “postfix” is being disabled

Enforced setting: The “postfix” service is disabled

Default setting: The “postfix” service is enabled

Rationale: The postfix daemon provides the Mail Transport Agent (MTA) services.
Unless the host is used as a mail relay, this service should be disabled

3.10.5 disable_rhsmcertd

Setting type: 1 service state object


System Modification: Service “rhsmcertd” is being disabled

Enforced setting: The “rhsmcertd” service is disabled

Default setting: The “rhsmcertd” service is disabled

Rationale: The rhsmcertd process runs periodically to check for changes in the
subscriptions available to a machine by updating the entitlement
certificates installed on the machine and by installing new entitlement
certificates as they become available. As this might expose potential
vulnerabilities to a remote attacker, this service should be disabled.

3.10.6 enable_sshd

Setting type: 1 service state object

System Modification: Service “sshd” is being enabled

Enforced setting: The “sshd” service is enabled

Default setting: The “sshd” service is enabled

Rationale: sshd is the Secure Shell Service. This setting makes sure this is
activated by default.

3.11 SSH SETTINGS


3.11.1 ssh_client_hardening

Setting type: 1 file change object

System Modification: The following line is being added to the /etc/ssh/ssh_config file:

Protocol 2

Enforced setting: SSH client software will only be allowed to use SSH protocol version 2

Default setting: SSH client software tries to use SSH version 2. When that fails, it falls
back to version 1.

Rationale: Version 1 of the protocol contains security vulnerabilities and should
therefore not be allowed.

3.11.2 sshd_port_22

Setting type: 1 file change object

System Modification: The following line is being added to the /etc/ssh/sshd_config file:

Port 22

Enforced setting: SSH server will only listen on port 22.


Default setting: Conforms to the enforced settings.

Rationale: No unknown ports should be used for SSH connections. If a different
port is to be used, the value can be explicitly changed.

3.11.3 sshd_protocol_2

Setting type: 1 file change object

System Modification: The following line is being added to the /etc/ssh/sshd_config file:

Protocol 2

Enforced setting: SSH server will only allow connection with protocol version 2

Default setting: Conforms to the enforced settings.

Rationale: Version 1 of the protocol contains security vulnerabilities and should
therefore be disabled.

3.11.4 sshd_loglevel_verbose

Setting type: 1 file change object

System Modification: The following line is being added to the /etc/ssh/sshd_config file:

LogLevel VERBOSE

Enforced setting: The logging level of the SSH server is being increased.

Default setting: The logging level is set to INFO

Rationale: The logging level should be increased to track down potential attack
attempts.

3.11.5 sshd_deny_root_logins

Setting type: 1 file change object

System Modification: The following line is being added to the /etc/ssh/sshd_config file:

PermitRootLogin no

Enforced setting: Direct root logins are not allowed.

Default setting: Conforms to the enforced settings.

Rationale: Because direct root logins cannot be attributed to an individual, they
should not be allowed. To obtain root permissions, a regular user login
should be performed, followed by the su/sudo command.

3.11.6 sshd_disable_rsa

Setting type: 1 file change object


System Modification: The following line is being added to the /etc/ssh/sshd_config file:

RhostsRSAAuthentication no

Enforced setting: RSA key authentication is denied to users.

Default setting: Conforms to the enforced settings.

Rationale: This authentication scheme allows users to generate a private/public key
pair, store the private key on the local host and the public key on the
remote host in their home directory, and then authenticate to this
remote host without entering any password. As users should not store
their private keys unprotected, this authentication scheme should be
disabled. It could exceptionally be used for scripts that perform remote
tasks, but this has to be agreed with CS SL.

3.11.7 sshd_disable_hostbased

Setting type: 1 file change object

System Modification: The following line is being added to the /etc/ssh/sshd_config file:

HostbasedAuthentication no

Enforced setting: Host based authentication is disabled.

Default setting: Conforms to the enforced settings.

Rationale: Host based authentication is authentication based solely on the
client’s source address/domain. As it poses a serious security risk, it
should be disabled.

3.11.8 sshd_ignore_rhosts

Setting type: 1 file change object

System Modification: The following line is being added to the /etc/ssh/sshd_config file:

IgnoreRhosts yes

Enforced setting: The .rhosts file is ignored during a connection attempt.

Default setting: Conforms to the enforced settings

Rationale: Rhost authentication is an obsolete mechanism and should be disabled.

3.11.9 sshd_deny_empty_passwords

Setting type: 1 file change object

System Modification: The following line is being added to the /etc/ssh/sshd_config file:

PermitEmptyPasswords no


Enforced setting: Empty passwords are not allowed

Default setting: Conforms to the enforced settings

Rationale: Empty passwords are an obvious security risk and should not be allowed.

3.11.10 sshd_banner

Setting type: 1 file change object

System Modification: The following line is being added to the /etc/ssh/sshd_config file:

Banner /etc/issue.net

Enforced setting: The security login banner will be displayed upon logging in to a remote host.

Default setting: No banner is configured

Rationale: Security login banners are an essential part of the CS SL security strategy,
and should be displayed upon each login attempt to a system.
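
The following script is an added example and not part of this guide or its scripts: it audits a sysctl.conf-style file against the kernel parameters enforced in 3.8 and an sshd_config-style file against the directives of 3.11, reporting missing or differing values. The sample files and the interface list used to expand the per-interface accept_ra lines of 3.8.7 are constructed inline; note that sshd honours the first occurrence of a keyword while the kernel applies the last sysctl line, which the audit mirrors.

```shell
#!/bin/bash
# Added example, not part of the CS SL guide or its scripts: audit a sysctl.conf
# (section 3.8) and an sshd_config (section 3.11) against the enforced values.
# The sample files and the interface list used to expand the per-interface
# net.ipv6.conf.*.accept_ra lines of 3.8.7 are constructed here.

IFACES="all default eth0"   # assumed: interfaces present on the audited host
SYSCTL_EXPECTED="net.ipv4.ip_forward=0 net.ipv4.conf.all.forwarding=0
net.ipv6.conf.all.forwarding=0 net.ipv4.conf.all.mc_forwarding=0
net.ipv6.conf.all.mc_forwarding=0 net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0 net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0 net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0 net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0 net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0 net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1 net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1"
for i in $IFACES; do SYSCTL_EXPECTED="$SYSCTL_EXPECTED net.ipv6.conf.$i.accept_ra=0"; done
# sshd_config keywords are case-insensitive, so keys are compared lower-cased.
SSHD_EXPECTED="port=22 protocol=2 loglevel=VERBOSE permitrootlogin=no
rhostsrsaauthentication=no hostbasedauthentication=no ignorerhosts=yes
permitemptypasswords=no banner=/etc/issue.net"

# Print key=value for each directive in $1, dropping comments and blank lines.
# $2 is the separator ("=" for sysctl.conf, "" for whitespace as in sshd_config);
# $3=1 lower-cases the keys.
normalise() {
  awk -v sep="$2" -v lower="$3" '
    { sub(/#.*/, "") }; /^[ \t]*$/ { next }
    { if (sep == "=") { n = index($0, "="); if (!n) next
                        k = substr($0, 1, n - 1); v = substr($0, n + 1) }
      else { k = $1; v = $2 }
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (lower) k = tolower(k); print k "=" v }' "$1"
}

# Report every expected key=value of $4 that is missing from or differs in $1;
# the return value is the number of findings. $5 selects which duplicate counts:
# sshd honours the FIRST occurrence of a keyword, the kernel applies the LAST.
audit_file() {
  local actual have kv findings=0
  actual=$(normalise "$1" "$2" "$3")
  for kv in $4; do
    have=$(printf '%s\n' "$actual" | awk -F= -v k="${kv%%=*}" -v first="$5" \
      '$1 == k && !(first && seen) { v = $2; seen = 1 }; END { print v }')
    if   [ -z "$have" ];            then echo "MISSING  ${kv%%=*} (expected ${kv#*=})"
    elif [ "$have" != "${kv#*=}" ]; then echo "MISMATCH ${kv%%=*}=$have (expected ${kv#*=})"
    else continue; fi
    findings=$((findings + 1))
  done
  return "$findings"
}
audit_sysctl() { audit_file "$1" "=" 0 "$SYSCTL_EXPECTED" 0; }
audit_sshd()   { audit_file "$1" ""  1 "$SSHD_EXPECTED"   1; }

# Constructed samples: a compliant file and a drifted one for each configuration.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf '%s\n' $SYSCTL_EXPECTED > "$TMP/sysctl.ok"
{ grep -v rp_filter "$TMP/sysctl.ok"; echo "net.ipv4.ip_forward = 1  # drift"; } > "$TMP/sysctl.bad"
printf '%s\n' $SSHD_EXPECTED | tr '=' ' ' > "$TMP/sshd.ok"
{ echo "PermitRootLogin yes"; grep -v banner "$TMP/sshd.ok"; } > "$TMP/sshd.bad"
for f in sysctl.ok sysctl.bad; do echo "== $f"; audit_sysctl "$TMP/$f" || true; done
for f in sshd.ok sshd.bad;     do echo "== $f"; audit_sshd   "$TMP/$f" || true; done
```

On a real host the same functions would be pointed at /etc/sysctl.conf and /etc/ssh/sshd_config; the file audit only shows what is configured, so the live values under /proc/sys should be compared as well.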


4 EXTRA AUDIT SCRIPTS


The following setting items concern only the audit mode.

4.1 empty_password_check
Setting type: 1 command execution object

Security check: The item is checking if there are any empty passwords.

Rationale: Empty passwords are an obvious security risk and should not be allowed.

4.2 legacy_password_check
Setting type: 1 command execution object

Security check: The item is checking if there are any passwords implemented with a
legacy method (containing the “+” sign at the beginning of an entry).

Rationale: Empty passwords are an obvious security risk and should not be allowed.

4.3 users_with_uid_0_check
Setting type: 1 command execution object

Security check: The item is checking for additional (to root) users with UID equal to 0.

Rationale: All users whose UID is 0 have full root rights. To maintain strict control
over the system, only a proper “root” user should have UID 0.

4.4 suid_sgid_check
Setting type: 1 command execution object

Security check: The item is checking for any SUID/SGID executable files in addition to
those coming with the distribution.

Rationale: SUID/SGID files pose a significant security risk, as they run with
elevated privileges without authentication. Therefore, there should be no
additional unauthorized SUID/SGID files except those which come with
the system.

4.5 unowned_check
Setting type: 1 command execution object

Security check: The item is checking for any files that have no valid owner / owning
group.

Rationale: There should be no unowned files on the file system, as this can break
the security policy; new users could by accident gain access to these
files if their new UID matches the UID of the unowned file.

4.6 world_writable_dirs_check
Setting type: 1 command execution object


Security check: The item is checking if there are directories that can be written by
anyone.

Rationale: World-writable directories are a serious security risk, as anyone can
create or delete files and subdirectories in such a directory.

4.7 user_home_check
Setting type: 1 command execution object

Security check: The item is checking if all home folders have the proper permissions 700
(readable and writable only by the owning user).

Rationale: Only the owning user should have control over his home directory.
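
The checks of section 4 written as shell functions, added here as an example and not the guide's own audit scripts: each takes its input (passwd/shadow file or directory tree) as an argument and prints one finding per line, so they run against the constructed sample data below. Assumptions: interactive users are those with UID 1000 or above (RHEL 7's UID_MIN) excluding nfsnobody, and the SUID/SGID allow-list is a plain file of absolute paths.

```shell
#!/bin/bash
# Added example, not part of the CS SL guide or its audit scripts: the section 4
# checks as functions over explicit inputs, exercised here on constructed
# passwd/shadow files and a temporary tree. In production they would be pointed
# at /etc/passwd, /etc/shadow and / (as root, since shadow is not world-readable).

# 4.1 accounts whose password field in the shadow file $1 is empty
empty_password_check() { awk -F: '$2 == "" { print $1 }' "$1"; }
# 4.2 legacy NIS compatibility entries ("+" at the start of a line) in $1
legacy_password_check() { awk -F: '$1 ~ /^[+]/ { print $1 }' "$1"; }
# 4.3 accounts in passwd file $1 with UID 0 other than root (string compare, so an
#     empty UID field as on "+" lines is not mistaken for 0)
users_with_uid_0_check() { awk -F: '$3 == "0" && $1 != "root" { print $1 }' "$1"; }

# 4.4 SUID/SGID files under $1 not listed in the allow-list $2 (one absolute path
# per line, e.g. generated from the distribution's package database)
suid_sgid_check() {
  find "$1" -xdev -type f -perm /6000 2>/dev/null | sort | grep -vxFf "$2" || true
}

# 4.5 files under $1 whose owner UID or group GID has no passwd/group entry
unowned_check() { find "$1" -xdev \( -nouser -o -nogroup \) 2>/dev/null; }

# 4.6 world-writable directories under $1 (sticky-bit directories such as /tmp
# are reported as well and need review rather than a blind chmod)
world_writable_dirs_check() { find "$1" -xdev -type d -perm -0002 2>/dev/null; }

# 4.7 home directories of interactive users (assumed: UID_MIN 1000 as in RHEL 7
# login.defs, nfsnobody excluded) in passwd file $1 whose mode is not 700
user_home_check() {
  awk -F: '$3 >= 1000 && $3 < 65534 { print $1 ":" $6 }' "$1" |
  while IFS=: read -r user home; do
    [ -d "$home" ] || { echo "$user: $home missing"; continue; }
    mode=$(stat -c %a "$home")
    [ "$mode" = "700" ] || echo "$user: $home mode $mode"
  done
}

# Constructed sample data: a second UID-0 account with an empty password, a legacy
# "+" entry, an unauthorised SUID binary, a world-writable directory and a 755 home.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
mkdir -p "$TMP/home/alice" "$TMP/home/bob" "$TMP/bin" "$TMP/pub"
chmod 700 "$TMP/home/alice"; chmod 755 "$TMP/home/bob"; chmod 777 "$TMP/pub"
touch "$TMP/bin/legit" "$TMP/bin/rogue"; chmod u+s "$TMP/bin/legit" "$TMP/bin/rogue"
echo "$TMP/bin/legit" > "$TMP/suid.allow"
cat > "$TMP/passwd" <<EOF
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000::$TMP/home/alice:/bin/bash
bob:x:1001:1001::$TMP/home/bob:/bin/bash
+::::::
EOF
cat > "$TMP/shadow" <<'EOF'
root:$6$constructed$notarealhash:17000:0:99999:7:::
toor::17000:0:99999:7:::
alice:$6$constructed$notarealhash:17000:0:99999:7:::
bob:!!:17000:0:99999:7:::
EOF

for check in empty_password_check:shadow legacy_password_check:passwd \
             users_with_uid_0_check:passwd user_home_check:passwd; do
  echo "== ${check%%:*}"; "${check%%:*}" "$TMP/${check#*:}"
done
echo "== suid_sgid_check"; suid_sgid_check "$TMP" "$TMP/suid.allow"
echo "== world_writable_dirs_check"; world_writable_dirs_check "$TMP"
```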
