NU 1326 1.1 RHEL7 Descriptions and Values
Cyber Security
Service Line
(CS SL)
March 2017
Originator:
Capability Development/Engineering and Transition
Cyber Security Service Line
NCN 254-2083 or 6892
Civil +32 (0)65-44-2083 or 6892
CS SL/CAP DEV, as part of its continual improvement process, welcomes comments on this
document. Comments can be emailed to securitysettings@ncirc.nato.int
NATO UNCLASSIFIED
Version History
Cyber Security Service Line (CS SL) will maintain this document to include further amendments
due either to changes in the RHEL software (i.e. new features, patches, releases, etc.) or
developments within the NATO CIS for which this document is applicable.
Author JC Gallard
Review Slawomir Roginski
V 1.0.1 December 2015
References
A. AC/35-D/2005- REV2, INFOSEC Management Directive for CIS, 18 October 2010
F. SHAPE CCP: 047/03 – “Change to NATO CONFIDENTIAL (NC) and NATO SECRET (NS)
ACE CISs Baselines User Password Parameters”
H. Security Configuration Benchmark for RHEL 7, The Center for Internet Security,
http://cisecurity.org
I. CS SL guide for Securing RHEL7 servers used in NATO networks, version 1.1, Mar. 2017
Acronyms
AFPL Approved Fielded Products List
ASCII American Standard Code for Information Interchange
CAP DEV Capability Development
CS SL Cyber Security Service Line
GUI Graphical User Interface
OS Operating System
OSA Operating System Authorities
RHEL Red Hat Enterprise Linux
RHN Red Hat Network
SAA Security Accreditation Authority
XML eXtensible Markup Language
Table of Contents
Version History
References
Acronyms
1 Introduction
1.1 Scope of this guide
1.2 Audience
1.3 How to use this guide
1 Introduction
1.1 Scope of this guide
This document explains the rationale and values for the Red Hat Enterprise Linux 7 security settings that are mandated in the Cyber Security Service Line (CS SL) guide for Securing Red Hat Enterprise Linux 7 used in NATO Networks (reference [I]).
The settings in this guide are mainly based on the "Guide to the Secure Configuration of RHEL6" by the National Security Agency (NSA) (reference [G]), the "Security Configuration Benchmark for RHEL 7" by The Center for Internet Security (reference [H]) and the "Red Hat Enterprise Linux 7 Security Guide" by Red Hat (reference [J]).
This guide has been tested and validated against RHEL 7.0, RHEL 7.1 and RHEL 7.2. Although not tested on later 7.x releases, it is applicable to all versions of RHEL 7, at least up to 7.2, and very likely without modification to later ones. If you experience compatibility issues on an untested RHEL 7 version, report them to CS SL for advice.
1.2 Audience
The RHEL7 Security Settings documentation has been developed and formatted mainly for Technical Support Personnel (i.e. system engineers and network administrators). INFOSEC personnel are encouraged to review and comment specifically on the parts of the RHEL7 documentation where the description of the security settings and their rationale is developed in accordance with NATO Security Policy.
Comments from Technical Support Personnel and INFOSEC Officers are considered essential to ensure the quality and value of this document. The Cyber Security Service Line (CS SL) therefore welcomes comments that improve the ease of implementation and user friendliness, both of which matter for the effectiveness of the security measures described here.
Setup information has been developed and validated by a team from Engineering and
Transition branch, Cyber Security Service Line (CS SL), NATO Communications & Information
Agency (NCIA).
experiences of operational sites and technical support agencies will be used to amend or improve the document. Some of the setup information provided might be optional, and local sites may decide whether to implement it as they require. These items are marked "OPTIONAL" throughout the document.
Even if some of these settings are already provided by the default installation (marked "conforms to the enforced settings" in the Default setting: field), it is still worth auditing them to make sure they have not been modified.
Note: This guide assumes that the reader is a system administrator who is familiar with
the concepts of Operating System Administration on Linux operating systems,
application installation and application configuration.
When this document does not provide sufficient guidance, contact CS SL/CAP DEV
(securitysettings@ncirc.nato.int).
Logged message sources: syslog messages; kernel messages; initial RAM disk and early boot messages; messages sent to standard output and standard error output.
Compared to the RHEL 6 Security Settings from NCIRC, the following changes have been
made:
System Modification: This setting executes four "chown root:root" and four "chmod" commands on the /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow files.
Enforced setting: root:root ownership on all four files; mode 644 on /etc/passwd and /etc/group; mode 400 on /etc/shadow and /etc/gshadow.
Rationale: These files hold account and password-hash information. Nobody except root should modify them, and nobody except root should be able to read the two shadow files, whose hashes would otherwise be available for offline cracking. Note that RHEL 7 ships /etc/shadow and /etc/gshadow with mode 000 (root bypasses the mode bits anyway); the guide's value of 400 is equally restrictive for non-root users, and the audit should treat either as acceptable only if ownership is root:root.
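The following shell functions are an added example, not code from the CS SL guide: they audit, and on request re-apply, the ownership and mode that this setting mandates. The expected values are the guide's own; the root_dir and owner arguments, the function names and the --audit/--enforce switches are assumptions introduced here so the functions can be dry-run against a staged copy of /etc by an unprivileged user (on the live system call them with "/" and "root:root"). GNU stat, as shipped in RHEL coreutils, is assumed.

```shell
#!/bin/sh
# Added example (not the CS SL guide's code): audit and enforce the
# ownership/mode of the four account databases. Expected values are the
# guide's. The root_dir and owner parameters are an assumption so the
# functions can be exercised on a staged copy of /etc.

# expected_mode <file-name> -> guide's octal mode for that account database
expected_mode() {
    case "$1" in
        passwd|group)   printf '644\n' ;;
        shadow|gshadow) printf '400\n' ;;
        *)              return 1 ;;
    esac
}

# audit_account_files <root_dir> <owner:group>
# Prints OK/DRIFT/MISSING per file; returns 1 if anything is off.
audit_account_files() {
    root="${1%/}"; owner="$2"; rc=0
    for name in passwd group shadow gshadow; do
        f="$root/etc/$name"
        want="$(expected_mode "$name")"
        if [ ! -e "$f" ]; then
            printf 'MISSING %s\n' "$f"; rc=1; continue
        fi
        # GNU stat: owner:group and octal permission bits
        actual="$(stat -c '%U:%G %a' "$f")"
        if [ "$actual" = "$owner $want" ]; then
            printf 'OK %s (%s)\n' "$f" "$actual"
        else
            printf 'DRIFT %s (%s, expected %s %s)\n' "$f" "$actual" "$owner" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# enforce_account_files <root_dir> <owner:group>
# The four chown and four chmod calls the setting describes.
enforce_account_files() {
    root="${1%/}"; owner="$2"
    for name in passwd group shadow gshadow; do
        f="$root/etc/$name"
        [ -e "$f" ] || continue
        chown "$owner" "$f"
        chmod "$(expected_mode "$name")" "$f"
    done
}

# Stand-alone use on the live system (run as root):
#   sh this_script.sh --audit      # report only
#   sh this_script.sh --enforce    # re-apply, then report
case "${1:-}" in
    --audit)   audit_account_files / root:root ;;
    --enforce) enforce_account_files / root:root && audit_account_files / root:root ;;
esac
```

Run the audit from cron or the configuration-management agent rather than once at hardening time; a package update or an "authconfig" run can legitimately rewrite these files, and the ownership and mode must be re-checked afterwards.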
3.1.2 perm_set_umask
System Modification: This setting adds a "umask 027" entry to the /etc/sysconfig/init file.
Rationale: This setting changes the default permissions of files created by daemon processes. With the default umask of 022, new files are writable by the owner and readable by group and others; 027 keeps them owner-writable and group-readable and removes all access for others, which prevents leaks of information to users who were not supposed to access it.
Caveat for RHEL 7: /etc/sysconfig/init is read by the SysV compatibility layer (/etc/rc.d/init.d/functions), so this umask only reaches daemons started through legacy init scripts. Native systemd units take their umask from the UMask= directive (default 0022) and must be set per unit or through a drop-in; verify a daemon's effective umask with "grep Umask /proc/<pid>/status".
3.1.3 perm_sticky_worldwritable
System Modification: This setting adds the sticky bit permission to all world-writable
directories.
Enforced setting: This setting adds the sticky bit permission to all world-writable
directories.
Rationale: The sticky bit prevents users from deleting or renaming files in world-writable directories (such as /tmp) that they do not own, which blocks the classic temporary-file substitution attacks against other users' processes.
System Modification: This setting adds two lines to the /etc/sysctl.conf file:
kernel.exec-shield = 1
kernel.randomize_va_space = 2
Rationale: This setting enables protections against code injection. The first variable marks the data sections of a program non-executable, so an exploit cannot place its shellcode there; the second randomises the address space layout (stack, mmap base, heap and, for PIE binaries, the executable itself), so an exploit writer cannot rely on fixed buffer addresses. Together they make classic exploitation techniques harder.
Caveat for RHEL 7: the kernel.exec-shield sysctl exists on RHEL 5 and RHEL 6 only. The RHEL 7 kernel does not expose it and enforces non-executable data through the processor NX bit unconditionally, so "sysctl -p" reports "No such file or directory" for that key on RHEL 7 and it should not be counted as a failure. Only randomize_va_space is effective there; 2 is already the RHEL 7 default, so the line mainly guards against a local override.
3.2.2 core_dumps
System Modification: The following lines are added (the first as a limits.conf entry, the second as a sysctl entry):
* hard core 0
fs.suid_dumpable = 0
Enforced setting: The hard limit on core dump size is set to 0, which effectively disables core dumps for all users. Furthermore, core dumps of setuid (and otherwise protected) executables are disabled at the kernel level.
Default setting: By default the system sets a soft limit of 0 for all users but no hard limit. A soft limit can be raised by an unprivileged user at any moment ("ulimit -c unlimited"); a hard limit cannot.
Rationale: Core dumps can contain sensitive data held in memory (passwords, keys, session tokens) and should be disabled by enforcing a hard limit of 0. Dumping setuid executables is even more dangerous, because the dump may contain data the invoking user is not allowed to read, so it is restricted at the kernel level.
Check: verify with "ulimit -Hc" in a fresh login session and with "sysctl fs.suid_dumpable", not by inspecting the edited files. On RHEL 7 the ABRT package, when installed, replaces kernel.core_pattern with a pipe into abrt-hook-ccpp; confirm that the abrt-ccpp service is disabled as well, or that its handling is consistent with this setting.
3.2.3 kptr_restrict
System Modification: The line "kernel.kptr_restrict = 1" is added to the sysctl configuration.
Enforced setting: This kernel parameter controls how kernel pointers printed through /proc and similar interfaces (for example /proc/kallsyms and the kernel log) are exposed. kptr_restrict is set to 1, which replaces the pointers with zeros for regular users but not for processes holding CAP_SYSLOG (root).
Default setting: By default kptr_restrict is 0, which does not hide kernel pointers.
Rationale: Kernel addresses readable by unprivileged users make kernel exploits easier to write (locating functions and structures to overwrite), so they should be hidden from them.
Enforced setting: /etc/securetty is replaced with one defined by the security settings that contains only the following devices: console, vc/1 to vc/11 and tty1 to tty11.
Rationale: Direct root logins should be allowed only for emergency use on the local console. In normal situations, the administrator should access the system via a unique
3.3.2 restrict_su
System Modification: The following line is added to /etc/pam.d/su (it is present, commented out, in the stock file):
auth required pam_wheel.so use_uid
Enforced setting: pam_wheel.so restricts su to root to users belonging to the wheel group.
Rationale: The su command allows a user to gain the privileges of another user by entering the password for that user's account. It is desirable to restrict the root account so that only known administrators are ever allowed to access it. This limits password guessing against the root account by unauthorized users or by accounts that have been compromised.
Check before applying: every administrator must already be a member of wheel ("usermod -aG wheel <user>"); otherwise su to root fails for everyone except root itself.
3.3.3 user_umask
System Modification: The line "UMASK 077" is inserted into the above file.
Rationale: With a default umask setting of 077, files and directories created by users will not be readable by any other user on the system. Users who wish to make specific files group- or world-readable can do so with the chmod command. Additionally, users can make all their files readable to their group by default by setting a umask of 027 in their shell configuration files. If default per-user groups exist (that is, if every user has a default group whose name is the same as that user's username and whose only member is the user), then it may even be safe for users to select a umask of 007, making it very easy to intentionally share files with groups of which the user is a member.
Check: on RHEL 7 the umask of interactive shells does not come from this value alone. /etc/profile and /etc/bashrc set "umask 002" (for users whose UID is above 199 and whose primary group name equals their user name) or "umask 022" on every login shell, overriding the value applied at login. To make 077 stick for interactive sessions, set it in those files (or in a /etc/profile.d script) as well, and confirm with "umask" in a fresh login.
Enforced setting: Password quality parameters are configured in accordance with [D] and [A]. The parameters are written into the /etc/security/pwquality.conf file. In particular, the following values are enforced:
3.4.2 password_history
Enforced setting: Password policy parameters are configured in accordance with [D] and [A]. Here, 5 previous passwords are remembered, so a new password cannot be the same as any of the last five passwords used by the user. Passwords are stored using the sha512 hashing algorithm.
3.4.3 password_min_age
System Modification: The "PASS_MIN_DAYS 7" entry is written to the above file.
Enforced setting: Password policy parameters are configured in accordance with [D] and [A]. Here, a password minimum age of 7 days is enforced.
3.4.4 password_max_age
System Modification: The "PASS_MAX_DAYS 180" entry is written to the above file.
Enforced setting: Password policy parameters are configured in accordance with [D] and [A]. Here, a password maximum age of 180 days is enforced.
3.4.5 password_change_warning
System Modification: The "PASS_WARN_AGE 14" entry is written to the above file.
Enforced setting: Password policy parameters are configured in accordance with [D] and [A]. Here, a password change warning is presented to the user 14 days before the password expires. The values are written into the /etc/login.defs file.
Check: the login.defs values only apply to accounts created after they are set. Existing accounts keep the aging fields recorded in /etc/shadow and must be brought into line with "chage -m 7 -M 180 -W 14 <user>"; "chage -l <user>" shows the effective values.
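The shell functions below are an added example, not code from the CS SL guide: they check the three login.defs values above and then walk /etc/shadow for accounts whose recorded aging fields are outside the policy, which is the part a file edit does not cover. The thresholds are the guide's (7, 180, 14); the function names, the treatment of an empty maximum-age field as "never expires", and the rule that a password-bearing account is one whose hash field starts with "$" (locked "!!" and "*" entries are skipped) are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not the CS SL guide's code): check password aging policy
# (3.4.3 to 3.4.5) both in /etc/login.defs and on existing /etc/shadow entries.

MIN_DAYS=7      # PASS_MIN_DAYS, guide value
MAX_DAYS=180    # PASS_MAX_DAYS, guide value
WARN_DAYS=14    # PASS_WARN_AGE, guide value

# login_defs_value <login.defs> <KEY> -> value of the last uncommented KEY line
login_defs_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# check_login_defs <login.defs>: prints one line per violation, returns 1 if any
check_login_defs() {
    f="$1"; rc=0
    min="$(login_defs_value "$f" PASS_MIN_DAYS)"
    max="$(login_defs_value "$f" PASS_MAX_DAYS)"
    warn="$(login_defs_value "$f" PASS_WARN_AGE)"
    if [ -z "$min" ] || [ "$min" -lt "$MIN_DAYS" ]; then
        printf 'PASS_MIN_DAYS=%s (want >= %s)\n' "${min:-unset}" "$MIN_DAYS"; rc=1
    fi
    if [ -z "$max" ] || [ "$max" -lt 1 ] || [ "$max" -gt "$MAX_DAYS" ]; then
        printf 'PASS_MAX_DAYS=%s (want 1..%s)\n' "${max:-unset}" "$MAX_DAYS"; rc=1
    fi
    if [ -z "$warn" ] || [ "$warn" -lt "$WARN_DAYS" ]; then
        printf 'PASS_WARN_AGE=%s (want >= %s)\n' "${warn:-unset}" "$WARN_DAYS"; rc=1
    fi
    return "$rc"
}

# shadow_aging_drift <shadow>: for every account with a real password hash
# (field 2 starts with "$"; locked "!!" and "*" entries are skipped), print
# "user min=.. max=.. warn=.." when shadow fields 4/5/6 are outside policy.
# An empty max field means "never expires", which also violates the policy.
shadow_aging_drift() {
    awk -F: -v minp="$MIN_DAYS" -v maxp="$MAX_DAYS" -v warnp="$WARN_DAYS" '
        substr($2, 1, 1) == "$" {
            min  = ($4 == "") ? 0     : $4 + 0
            max  = ($5 == "") ? 99999 : $5 + 0
            warn = ($6 == "") ? 0     : $6 + 0
            if (min < minp || max < 1 || max > maxp || warn < warnp)
                printf "%s min=%s max=%s warn=%s\n", $1, $4, $5, $6
        }' "$1"
}

# fix_shadow_aging <shadow>: apply the policy to each drifting account with
# chage (live system, run as root). login.defs itself is edited by the setting.
fix_shadow_aging() {
    shadow_aging_drift "$1" | while read -r user _; do
        chage -m "$MIN_DAYS" -M "$MAX_DAYS" -W "$WARN_DAYS" "$user"
    done
}

case "${1:-}" in
    --check) check_login_defs /etc/login.defs; shadow_aging_drift /etc/shadow ;;
    --fix)   fix_shadow_aging /etc/shadow ;;
esac
```

Service accounts with a locked or starred password field are deliberately left out: forcing an expiry on them would only break the jobs that run under them, and they cannot log in with a password anyway.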
3.4.6 password_locking
System Modification: The following lines are added to the auth section of the /etc/pam.d/system-auth and /etc/pam.d/password-auth files
Finally, the two configuration files are replaced by symlinks as follows:
mv /etc/pam.d/system-auth /etc/pam.d/system-auth-local
mv /etc/pam.d/password-auth /etc/pam.d/password-auth-local
ln -s /etc/pam.d/system-auth-local /etc/pam.d/system-auth
ln -s /etc/pam.d/password-auth-local /etc/pam.d/password-auth
Enforced setting: Password policy parameters are configured in accordance with [D] and [A]. Here, an account is locked after 5 unsuccessful login attempts, for a period of 10 minutes.
Rationale for the symlinks: authconfig regenerates /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac and points the system-auth and password-auth names at them, discarding manual edits. Keeping the hardened stacks in the *-local files and pointing the symlinks there means a later authconfig run only rewrites the -ac files and the lockout lines survive. The reverse also holds: after any authconfig change, the -local files must be updated by hand, and the symlink targets should be part of the audit.
Enforced setting: Multiple unused drivers are prevented from loading into the kernel. This disables the USB storage driver, all known WiFi drivers, some unused file system drivers and unused network protocols.
Default setting: Unused or unwanted drivers are loaded into the kernel on demand.
Rationale: Unused drivers and features should not be available. The modprobe program used for automatic kernel module loading is therefore configured not to load these drivers on demand. Removing the USB storage driver also prevents data leaks through USB devices. Note that the modprobe configuration only affects future loads: a module that is already loaded must be unloaded ("modprobe -r") or the system rebooted, and "lsmod" should be part of the check.
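As an added example, not the CS SL guide's own code, the functions below generate the modprobe.d file that makes this setting effective and verify it. The point they make is the difference between a "blacklist" line, which only stops alias-based autoloading, and an "install <module> /bin/true" line, which also defeats an explicit "modprobe" and dependency loads. The module list and the file name are assumed illustrations of the classes the setting names; the guide's actual list is authoritative.

```shell
#!/bin/sh
# Added example (not the CS SL guide's code): generate and verify a
# modprobe.d file that keeps unwanted drivers from loading (3.5.1).
# The module list and file name below are assumptions of this example.

DISABLE_CONF_NAME="cs-sl-disabled-modules.conf"

# render_disable_conf <module>... -> modprobe.d text on stdout.
# "install X /bin/true" makes an explicit "modprobe X" succeed without loading
# anything, and "blacklist X" stops alias-based autoloading. A blacklist line
# alone is not enough: it does not stop an explicit modprobe or a dependency.
render_disable_conf() {
    printf '# generated by render_disable_conf; do not edit by hand\n'
    for m in "$@"; do
        printf 'install %s /bin/true\nblacklist %s\n' "$m" "$m"
    done
}

# write_disable_conf <conf_dir> <module>... -> writes the file into <conf_dir>
write_disable_conf() {
    dir="$1"; shift
    render_disable_conf "$@" > "$dir/$DISABLE_CONF_NAME"
}

# module_is_disabled <conf_dir> <module> -> 0 if some *.conf in the directory
# carries an install line diverting the module to /bin/true or /bin/false.
# kmod treats "-" and "_" in module names as equivalent, so both are accepted.
module_is_disabled() {
    dir="$1"
    pat="$(printf '%s' "$2" | sed 's/[-_]/[-_]/g')"
    grep -qsE "^[[:space:]]*install[[:space:]]+${pat}[[:space:]]+/bin/(true|false)([[:space:]]|$)" "$dir"/*.conf
}

# live_check <module>: on the running system, "modprobe -n -v" prints the
# install command that would run; a diverted module shows "install /bin/true".
live_check() {
    modprobe -n -v "$1" 2>&1 | grep -q '^install /bin/true'
}

# Stand-alone use (as root): write the file, then confirm with a dry run and
# unload anything already loaded (the file only affects future loads).
case "${1:-}" in
    --apply)
        write_disable_conf /etc/modprobe.d usb-storage cramfs freevxfs jffs2 \
            hfs hfsplus squashfs udf dccp sctp rds tipc
        for m in usb-storage dccp sctp rds tipc; do
            live_check "$m" || printf 'WARNING: %s still loadable\n' "$m"
            modprobe -r "$m" 2>/dev/null || true
        done ;;
esac
```

The dry-run check is the one worth keeping in the audit: it exercises the real modprobe configuration parser, including any other file in /etc/modprobe.d that might override the diversion.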
3.5.2 grub_password
System Modification: The following lines are added to the /etc/grub.d/40_custom file:
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.<passwordhash>
export superusers
Enforced setting: The bootloader password is required to change the boot parameters.
Rationale: During the boot process, the boot loader is responsible for starting the kernel and passing options to it. The boot loader allows the selection of different kernels, possibly on different partitions or media, and the options it can pass to the kernel include ones that yield a root shell without any authentication (for example init=/bin/sh, or rd.break to stop in the initramfs) and the ability to disable SELinux (enforcing=0 or selinux=0). To prevent local users and physical intruders from modifying the boot parameters and endangering security, the boot loader configuration must be protected with a password.
Checks and caveats: /etc/grub.d/40_custom is only a template; the change takes effect after "grub2-mkconfig -o /boot/grub2/grub.cfg" (or the EFI path /boot/efi/EFI/redhat/grub.cfg on UEFI systems). Generate the hash locally with "grub2-mkpasswd-pbkdf2" and keep grub.cfg unreadable by ordinary users, since the salted PBKDF2 hash can still be attacked offline. RHEL 7.2 and later also offer "grub2-setpassword", which stores the hash in /boot/grub2/user.cfg without regenerating grub.cfg. With superusers set, GRUB demands the password for every menu entry that is not marked --unrestricted, so verify after the change that an unattended reboot of the default entry still works.
3.5.3 disable_interactive_boot
Rationale: Using interactive boot, the console user could disable auditing, firewalls or other services, weakening system security; it should therefore be disabled.
Caveat for RHEL 7: the SysV mechanism behind interactive boot (the PROMPT variable in /etc/sysconfig/init) is not implemented by systemd, so the setting is a no-op there. The equivalent exposure is editing the kernel command line at the boot prompt (for example adding systemd.confirm_spawn=1 or rd.break), which the GRUB password of 3.5.2 addresses.
3.5.4 gui_screen_locking
System Modification: The "gconftool-2" command is executed four times. It changes the GNOME GConf repository under the branch /apps/gnome-screensaver.
Enforced setting: This setting adjusts the screen-lock parameters for X Window GUI sessions. The screen is blanked and locked after 10 minutes of inactivity. The setting can be disabled/ignored on text-mode console systems.
Rationale: The setting protects an interactive GUI session that was left unattended against a physical intruder. This setting is dictated by NATO security policy.
Caveat for RHEL 7: GConf and gnome-screensaver belong to GNOME 2. The GNOME 3 desktop shipped with RHEL 7 reads its settings from dconf, so the gconftool-2 changes have no effect on its lock screen. The equivalent dconf keys are org.gnome.desktop.session idle-delay (uint32 600), org.gnome.desktop.screensaver lock-enabled (true) and org.gnome.desktop.screensaver lock-delay (uint32 0), set system-wide in a /etc/dconf/db/local.d profile, protected against user override with a matching locks file, and activated with "dconf update". Verify with "gsettings get org.gnome.desktop.session idle-delay" in a user session.
</gr_repl ace>

<gr_replace lines="318-326" cat="clarify" orig="3.5.5 shell_inactivity">
3.5.5 shell_inactivity
Enforced setting: This setting automatically logs out the user after 10 minutes of inactivity.
Rationale: The setting protects a shell session that was left unattended against a physical intruder. This setting is dictated by [A].
3.5.5 shell_inactivity
NATO UNCLASSIFIED
V 1.0.1 December 2015
- 19 -
NATO UNCLASSIFIED
Enforced setting: This setting automatically logs out the user after 10 minutes of inactivity.
Rationale: The setting protects the remote session that was left unattended, against
a physical intruder. This setting is dictated by [AError! Reference
source not found.]
Enforced setting: This setting copies the warning banner contained in files/etc_issue to /etc/issue and /etc/issue.net. This banner is supposed to contain the system classification and some access restriction information and is displayed upon logging in to a shell session. The default banner is the following:
This NATO system operates in SYSTEM HIGH mode of operation.
Rationale: Warning banners are an important part of security awareness. Also, the stock RHEL banner displays information about the system configuration (the kernel release and machine type through the \r and \m escapes) that could help an attacker select an exploit. Therefore custom-made banners should be implemented, and they should contain no version information.
3.6.2 gui_afterlogin
System Modification: Inserts into the above file a line that calls the "zenity" program:
zenity --text-info --filename=/etc/issue --title="LOGIN WARNING"
Enforced setting: This makes a dialog box appear when the login manager starts. The content of files/etc_issue (as copied to /etc/issue) is displayed in the dialog box.
3.7 SELinux
3.7.1 enable_selinux
Rationale: SELinux is a feature of the Linux kernel which can be used to guard
against misconfigured or compromised programs. SELinux enforces the
idea that programs should be limited in what files they can access and
what actions they can take.
Rationale: If the host does not function as a router, IP forwarding should be disabled. Otherwise the host can be used as a malicious relay for traffic between networks it is attached to.
3.8.2 network_redirects
Enforced setting: The sending and acceptance of ICMP redirect packets is switched off.
Rationale: These are legacy features and should be disabled under normal conditions. Otherwise they can be used to disclose network topology information, or in man-in-the-middle attacks where an attacker spoofs the legitimate gateway and redirects the host's traffic through itself.
3.8.3 network_disable_source_routing
Rationale: Source routing is a legacy feature and should be disabled under normal conditions. Otherwise it can be used to disclose network topology information or to bypass routing-based access controls.
3.8.4 network_ignore_broadcasts
net.ipv4.icmp_echo_ignore_broadcasts=1
Enforced setting: ICMP echo requests sent to broadcast addresses are ignored.
Rationale: Answering broadcast pings lets the host take part in amplification (smurf-type) attacks and reveals live hosts on the segment.
3.8.5 network_ignore_bogus_error_messages
Enforced setting: Malformed ICMP error messages are not processed (or logged) by the network stack, which also prevents log flooding from bogus responses.
3.8.6 network_tcp_syncookies
net.ipv4.tcp_syncookies=1
Rationale: The tcp syncookies option uses a cryptographic feature called SYN
cookies to allow machines to continue to accept legitimate connections
when faced with a SYN flood attack.
3.8.7 network_disable_ipv6_ra
System Modification: Multiple lines are added to the above file, of the form:
net.ipv6.conf.*.accept_ra=0
where * stands for each network interface present (as well as the default entry); the number of lines and their exact content depend on the number of network interfaces in the system. Keep the default entry in the list: for most IPv6 per-interface parameters, accept_ra included, the kernel consults the interface's own entry rather than the all entry, and default is what newly created interfaces inherit.
Rationale: With router advertisements accepted, any host on the link can push a default route or an address prefix to the system. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.
3.8.8 network_rp_filter
3.9.2 enable_rsyslog
Rationale: The daemon provides the host firewall and should therefore be enabled.
3.10.2 disable_avahi
Rationale: This daemon provides zero-configuration networking (mDNS/DNS-SD service discovery), is not normally required on a server and should be disabled.
3.10.3 disable_rhnsd
Rationale: The rhnsd daemon polls the Red Hat Network web site for scheduled
actions. Unless it is actually necessary to schedule updates remotely
through the RHN website, it is recommended that the service be
disabled.
3.10.4 disable_postfix
Rationale: The postfix daemon provides the Mail Transport Agent (MTA) services.
Unless the host is used as a mail relay, this service should be disabled
3.10.5 disable_rhsmcertd
Rationale: The rhsmcertd process runs periodically to check for changes in the subscriptions available to a machine, updating the entitlement certificates installed on the machine and installing new entitlement certificates as they become available. As this periodically contacts a remote service and could expose potential vulnerabilities to a remote attacker, the service should be disabled unless the host is subscribed directly to Red Hat.
3.10.6 enable_sshd
Rationale: sshd is the Secure Shell service. This setting makes sure it is enabled at boot.
System Modification: The following line is added to the /etc/ssh/ssh_config file:
Protocol 2
Enforced setting: The SSH client is only allowed to use SSH protocol version 2.
Default setting: The OpenSSH client shipped with RHEL 7 already defaults to protocol 2 only (protocol 1 has been off by default since OpenSSH 5.4). The explicit line documents the requirement but does not stop a user from selecting protocol 1 with "-1" or in ~/.ssh/config, because the client takes the first value it sees (command line, then the user file, then the system file) and the RHEL 7 build still contains protocol 1 support; the server-side setting of 3.11.3 is the effective control.
3.11.2 sshd_port_22
System Modification: The following line is being added to the /etc/ssh/sshd_config file:
Port 22
3.11.3 sshd_protocol_2
System Modification: The following line is being added to the /etc/ssh/sshd_config file:
Protocol 2
Enforced setting: SSH server will only allow connection with protocol version 2
3.11.4 sshd_loglevel_verbose
System Modification: The following line is being added to the /etc/ssh/sshd_config file:
LogLevel VERBOSE
Enforced setting: The logging level of the SSH server is being increased.
Rationale: The logging level should be increased to track down potential attack
attempts
3.11.5 sshd_deny_root_logins
System Modification: The following line is being added to the /etc/ssh/sshd_config file:
PermitRootLogin no
Rationale: Direct root logins cannot be attributed to an individual, so they should not be allowed. To reach root, administrators log in with their personal account and then use su or sudo. Note that "PermitRootLogin no" also disables key-based root logins used by automation; such cases need a dedicated unprivileged account with sudo rules.
3.11.6 sshd_disable_rsa
System Modification: The following line is being added to the /etc/ssh/sshd_config file:
RhostsRSAAuthentication no
Enforced setting: Rhosts-with-RSA-host-key authentication is disabled.
Rationale: RhostsRSAAuthentication is the SSH protocol 1 variant of host-based authentication: the client host is trusted on the strength of its host key plus an .rhosts/.shosts or hosts.equiv entry, and the user is never authenticated individually. It is already unreachable once protocol 2 is enforced (3.11.3), so the line is defence in depth. This directive does not affect user public-key authentication (controlled by PubkeyAuthentication), which stays enabled. The concern behind this setting, that a private key stored unprotected in a home directory gives password-less access to the remote host, applies to that mechanism; unattended key-based access for scripts performing remote tasks may only be used exceptionally and has to be agreed with CS SL.
3.11.7 sshd_disable_hostbased
System Modification: The following line is being added to the /etc/ssh/sshd_config file:
HostbasedAuthentication no
Rationale: Host-based authentication trusts the identity of the client host (its host key plus .shosts/.rhosts or shosts.equiv entries) instead of the user, so one compromised trusted host gives access to every account that trusts it.
3.11.8 sshd_ignore_rhosts
System Modification: The following line is being added to the /etc/ssh/sshd_config file:
IgnoreRhosts yes
Rationale: .rhosts and .shosts files in user home directories are ignored, so individual users cannot grant host-based trust on their own.
3.11.9 sshd_deny_empty_passwords
System Modification: The following line is being added to the /etc/ssh/sshd_config file:
PermitEmptyPasswords no
Rationale: Empty passwords are an obvious security risk and must not be allowed. This directive only governs sshd; an account with an empty password could still log in on the console unless the check in 4.1 is clean.
3.11.10 sshd_banner
System Modification: The following line is being added to the /etc/ssh/sshd_config file:
Banner /etc/issue.net
Enforced setting: The security login banner is displayed before authentication when logging in to a remote host.
Rationale: Security login banners are an essential part of the CS SL security strategy and should be displayed upon each login attempt to a system.
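The sshd_config directives of 3.11.1 to 3.11.10 share three parsing rules that a naive "grep" misses: sshd keeps the first occurrence of a directive and ignores later duplicates, keywords are case-insensitive, and anything after a "Match" line applies only conditionally. The functions below are an added example, not the guide's own code, that read a configuration the way sshd does and report drift from the guide's values; the function names and the treatment of everything before the first Match block as "global" are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not the CS SL guide's code): read the value sshd will use for
# a directive and compare a server configuration with the 3.11 settings.
# sshd keeps the FIRST occurrence of a directive (later duplicates are
# ignored), matches keywords case-insensitively, and directives after a
# "Match" line apply only conditionally, so only the part before the first
# Match is treated as the global configuration here.

# sshd_effective <sshd_config> <Directive> -> effective global value, or empty
sshd_effective() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }      # comments, blank lines
        tolower($1) == "match"   { exit }        # conditional section starts
        tolower($1) == k         { print $2; exit }
    ' "$1"
}

# check_sshd_config <sshd_config>: prints a DRIFT line per directive that is
# unset or differs from the guide's value; returns 1 if anything drifted.
check_sshd_config() {
    f="$1"; rc=0
    for pair in "Protocol 2" "Port 22" "LogLevel VERBOSE" "PermitRootLogin no" \
                "RhostsRSAAuthentication no" "HostbasedAuthentication no" \
                "IgnoreRhosts yes" "PermitEmptyPasswords no" "Banner /etc/issue.net"; do
        key="${pair%% *}"; want="${pair#* }"
        have="$(sshd_effective "$f" "$key")"
        if [ "$have" != "$want" ]; then
            printf 'DRIFT %s = %s (wanted %s)\n' "$key" "${have:-<unset>}" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# On the live host prefer "sshd -T" (root), which prints the fully resolved
# configuration including defaults; the file parser above is for staged
# copies and for spotting a later duplicate that silently loses.
case "${1:-}" in
    --check) check_sshd_config /etc/ssh/sshd_config ;;
esac
```

A directive that sshd reports as unset is not necessarily insecure (the compiled-in default may already be the wanted value), but the guide writes each line explicitly so that the file, not the build, documents the policy; the check therefore treats "unset" as drift.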
4.1 empty_password_check
Setting type: 1 command execution object
Security check: The item checks whether any account has an empty password field in /etc/shadow.
Rationale: Empty passwords are an obvious security risk and must not be allowed; such an account can be entered without any credential.
4.2 legacy_password_check
Setting type: 1 command execution object
Security check: The item checks whether any entry in /etc/passwd, /etc/shadow or /etc/group uses the legacy NIS compatibility syntax (a "+" sign at the beginning of the entry).
Rationale: A leading "+" entry is the legacy NIS/NIS+ marker that tells the C library to merge accounts from the network map at that point. On a host that does not use NIS such lines serve no purpose, and a bare "+::::::" entry has been known to be abused as a login name; none should exist.
4.3 users_with_uid_0_check
Setting type: 1 command execution object
Security check: The item is checking for additional (to root) users with UID equal to 0.
Rationale: All users whose UID is 0 have full root rights. To maintain strict control
over the system, only a proper “root” user should have UID 0.
4.4 suid_sgid_check
Setting type: 1 command execution object
Security check: The item checks for SUID/SGID executable files in addition to those that come with the distribution.
Rationale: SUID/SGID files run with the privileges of their owner or group rather than those of the caller, so any flaw in them is a privilege-escalation path. No SUID/SGID files beyond those shipped with the system should exist; packaged ones can be verified against the RPM database ("rpm -Va" flags mode changes), and the full list should be compared with a baseline taken at installation time.
4.5 unowned_check
Setting type: 1 command execution object
Security check: The item is checking for any files that have no valid owner / owning
group.
Rationale: There should be no unowned files on the file system as this can break
the security policy; new users could by accident gain access to these
files if their new UID equals the one of the unowned file.
4.6 world_writable_dirs_check
Setting type: 1 command execution object
Security check: The item checks whether there are directories that can be written to by anyone.
Rationale: World-writable directories are a serious security risk, as anyone can create, overwrite or delete files and directories in them; the few that are legitimately needed (such as /tmp) must carry the sticky bit.
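The file-system sweeps behind 3.1.3 (sticky bit on world-writable directories) and the checks 4.4 to 4.6 (SUID/SGID, unowned and world-writable files or directories) are all "find" expressions, so here is one added example, not the guide's own code, that implements them as functions. The function names, the -xdev restriction to one file system per call, and the use of "rpm -qf" to decide whether a SUID/SGID file came with the distribution are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not the CS SL guide's code): the file-system sweeps behind
# 3.1.3 (sticky bit on world-writable directories) and the checks 4.4 to 4.6
# (SUID/SGID files, unowned files, world-writable directories). All use
# -xdev so network and pseudo file systems are not walked; run them per
# mounted local file system, as root, to see everything.

# ww_dirs_without_sticky <path> -> world-writable directories lacking the
# sticky bit, i.e. where any user may delete or rename another user's files.
ww_dirs_without_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# add_sticky_to_ww_dirs <path> -> the 3.1.3 fix: chmod +t on each such dir
add_sticky_to_ww_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -exec chmod +t '{}' + 2>/dev/null
}

# ww_dirs <path> -> every world-writable directory (4.6); the expected set on
# a stock system is small (/tmp, /var/tmp, /dev/shm and a few more), all sticky.
ww_dirs() {
    find "$1" -xdev -type d -perm -0002 2>/dev/null
}

# unowned_files <path> -> files whose UID or GID has no passwd/group entry (4.5)
unowned_files() {
    find "$1" -xdev \( -nouser -o -nogroup \) 2>/dev/null
}

# suid_sgid_files <path> -> all SUID/SGID regular files (4.4)
suid_sgid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# unpackaged_suid_sgid <path> -> the 4.4 check proper: SUID/SGID files that no
# installed RPM owns (rpm -qf fails), i.e. candidates that did not come with
# the distribution. "rpm -Va" additionally flags packaged files whose mode
# changed since installation.
unpackaged_suid_sgid() {
    suid_sgid_files "$1" | while read -r f; do
        rpm -qf "$f" >/dev/null 2>&1 || printf '%s\n' "$f"
    done
}

case "${1:-}" in
    --report)
        for fs in $(findmnt -n -l -o TARGET -t xfs,ext4,ext3 2>/dev/null); do
            printf '== %s\n' "$fs"
            ww_dirs_without_sticky "$fs"; unowned_files "$fs"; unpackaged_suid_sgid "$fs"
        done ;;
    --fix-sticky) add_sticky_to_ww_dirs / ;;
esac
```

Keep the output of the SUID/SGID sweep from the freshly installed system as the baseline; a diff against it is a faster and less noisy check than re-deriving the packaged set every time.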
4.7 user_home_check
Setting type: 1 command execution object
Security check: The item is checking if all home folders have proper permissions 700
(are readable and writable only by owning user).
Rationale: Only the owning user should have control over his home directory
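The account checks 4.1, 4.2, 4.3 and 4.7 are shown below as an added example, not the guide's own code, written as functions over the passwd, shadow and group files so that they run on a staged copy as well as on the live system. The function names, the root_dir argument, and the rule that an interactive user is one with UID 1000 or above (RHEL 7's UID_MIN) and a login shell other than nologin or false are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not the CS SL guide's code): the account checks 4.1 to 4.3
# and 4.7 as functions over passwd/shadow/group files, so they can be run
# against a staged copy as well as the live files. The UID>=1000 cut-off
# for "interactive user" follows RHEL 7's UID_MIN and is an assumption.

# empty_password_accounts <shadow> -> 4.1: logins whose hash field is empty
# (anyone can log in without a password; "!!" and "*" are locked, not empty)
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# legacy_entries <file>... -> 4.2: NIS compatibility lines ("+" prefix) in
# passwd/shadow/group, printed with file name and line number
legacy_entries() {
    grep -n '^+' "$@" 2>/dev/null || true
}

# uid0_accounts <passwd> -> 4.3: accounts other than root with UID 0
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# home_dir_drift <passwd> <root_dir> -> 4.7: for interactive users, home
# directories that are missing or whose mode is not 700. <root_dir> lets the
# check run on a staged tree; pass "/" for the live system.
home_dir_drift() {
    root="${2%/}"
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1, $6 }' "$1" |
    while read -r user home; do
        dir="$root$home"
        if [ ! -d "$dir" ]; then
            printf 'MISSING %s %s\n' "$user" "$home"
        else
            mode="$(stat -c '%a' "$dir")"
            [ "$mode" = "700" ] || printf 'DRIFT %s %s mode=%s\n' "$user" "$home" "$mode"
        fi
    done
}

# account_checks_clean <passwd> <shadow> <group> <root_dir> -> 0 if nothing found
account_checks_clean() {
    report="$(empty_password_accounts "$2"; legacy_entries "$1" "$2" "$3"; \
              uid0_accounts "$1"; home_dir_drift "$1" "$4")"
    [ -z "$report" ]
}

case "${1:-}" in
    --check)
        empty_password_accounts /etc/shadow
        legacy_entries /etc/passwd /etc/shadow /etc/group
        uid0_accounts /etc/passwd
        home_dir_drift /etc/passwd / ;;
esac
```

On the live system the shadow file is readable only by root, so the wrapper has to run as root; the staged-copy mode exists so that the same functions can be exercised, and regression-tested, without that privilege.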