
MSS Linux Server Standards

Number of views : 22
Article Number : KB0016229
Published on : 2019-09-30
Last modified : 2019-09-30 21:36:15
Knowledge Base : ESM External

Overview

List of the Base Configuration Standards for Red Hat Enterprise Linux 7 servers supported under the Managed Server Support (MSS) service. These incorporate minimum security standards from the university ISO as well as MSS operational requirements. Each item below carries the requirement it satisfies: "Operational" for an MSS operational requirement, "Min Std Sys" or "Min Std Crit Sys" with a section number for the ISO minimum security standards, and "RHEL 7 Hardening" for the Red Hat Enterprise Linux 7 hardening baseline.

Details

Each table lists what is configured (What) and the requirement it satisfies (Why).

Systems Management Tools

| What | Why |
|---|---|
| Install/Configure Splunk Universal Forwarder (UF) | Operational, Min Std Sys, 4.6.3 |
| Install/Configure VMware Tools (virtual servers only) | Operational |
| Install/Configure Domain Manager | Operational, Min Std Crit Sys, 4.6.12 |

Access and Authorization

| What | Why |
|---|---|
| Set root password to escrowed value | Operational |
| Provision user accounts for system administrators | Operational |
| Allow root SSH from Remote Management Hosts (Satellite, Bastion) | Operational |
| Remote Administration via SSH | Operational |
| Administrative/sudo access for System Administrators | Operational |

System Updates

| What | Why |
|---|---|
| Register with Red Hat Satellite Server | Min Std Sys, 4.5.2 |
| Access to base OS packages | Min Std Sys, 4.5.2 |
| Secure communication with package repositories | RHEL 7 Hardening |
| Access to additional channels | Min Std Sys, 4.5.2 |
| Enable Linux Patch Automation | Operational |
| Update all installed packages to most current version | Min Std Sys, 4.5.2 |
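As an added example (not part of the standard or of MSS tooling), the shell functions below cover the System Updates rows end to end: register the host with Satellite over TLS, audit every yum repository definition for cleartext transport or disabled signature checking, and bring the package set current. The Satellite hostname, organization and activation key are placeholders, and the repository files in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example for the System Updates rows; not part of the MSS standard or
# its tooling.  Satellite host, organization and activation key are placeholders.

# register_with_satellite SATELLITE_FQDN ORG ACTIVATION_KEY
# Trusts the Satellite CA, registers through the activation key (which binds
# the host to its content view and base channels) and updates everything.
register_with_satellite() {
    sat=$1; org=$2; key=$3
    tmp=$(mktemp) || return 1
    # The CA bundle must come from the Satellite over TLS; fetching it over
    # plain http would let an on-path attacker plant the CA that later
    # authenticates every repository the host talks to.
    curl -fsS -o "$tmp" "https://$sat/pub/katello-ca-consumer-latest.noarch.rpm" || return 1
    rpm -Uvh "$tmp"; rm -f "$tmp"
    subscription-manager register --org="$org" --activationkey="$key" || return 1
    yum -y update
}

# audit_repos DIR
# Scans every *.repo file under DIR (normally /etc/yum.repos.d) and prints one
# line per finding as FILE:REPOID:PROBLEM.  Returns 0 when clean, 1 otherwise.
# Findings: metadata or packages fetched over cleartext http, gpgcheck switched
# off, or TLS verification switched off.  A missing gpgcheck line is not
# flagged because /etc/yum.conf on RHEL 7 defaults it to 1.
audit_repos() {
    dir=$1; rc=0
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        out=$(awk -v file="$f" '
            /^[ \t]*\[[^]]+\][ \t]*$/ { sec = $0; gsub(/[][ \t]/, "", sec); next }
            /^[ \t]*(baseurl|mirrorlist|metalink)[ \t]*=[ \t]*http:[/][/]/ { print file ":" sec ":cleartext-url" }
            /^[ \t]*gpgcheck[ \t]*=[ \t]*0[ \t]*$/                        { print file ":" sec ":gpgcheck-disabled" }
            /^[ \t]*sslverify[ \t]*=[ \t]*(0|false|no)[ \t]*$/            { print file ":" sec ":sslverify-disabled" }
        ' "$f")
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            rc=1
        fi
    done
    return $rc
}

# Usage on a live host (as root):
#   audit_repos /etc/yum.repos.d || echo "fix the repositories above before updating"
```

Run the audit before every `yum update`: a repository that was added later with `gpgcheck=0` or a cleartext `baseurl` silently undoes the "secure communication with package repositories" row, and the signature check is the only thing standing between an on-path attacker and arbitrary package contents.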

Process Hardening

| What | Why |
|---|---|
| Enable Randomized Virtual Memory Region Placement | RHEL 7 Hardening |

OS Hardening

| What | Why |
|---|---|
| Remove deprecated legacy services (e.g., telnet-server; rsh, rlogin, rcp; ypserv, ypbind; talk, talk-server) | RHEL 7 Hardening |
| Remove unused operational legacy services (e.g., tftp-server) | Min Std Sys, 4.5.4 |
| Disable any services and applications started by xinetd or inetd that are not being utilized | Min Std Sys, 4.5.4 |
| Remove xinetd, if possible | RHEL 7 Hardening |
| Disable legacy xinetd services (e.g., chargen-dgram, chargen-stream, daytime-dgram, daytime-stream, echo-dgram, echo-stream, tcpmux-server) | RHEL 7 Hardening |
| Disable or remove server services that are not going to be utilized (e.g., FTP, DNS, LDAP, SMB, DHCP, NFS, SNMP, etc.) | Min Std Sys, 4.5.4 |
| Disable unused operational services (e.g., dovecot, squid, httpd) | Min Std Sys, 4.5.4 |
| Disable NFS if not in use | Min Std Sys, 4.5.4 |
| Remove the X Window system | RHEL 7 Hardening |
| Disable X Font Server | RHEL 7 Hardening |
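As an added example, not the standard's own tooling, the functions below turn the service rows above into something checkable and repeatable. The package names are the RHEL 7 ones for the services the rows name (rsh carries rlogin and rcp; xorg-x11-server-Xorg is the X server; xorg-x11-xfs only exists on older releases). The xinetd internal services are configuration rather than packages, so they are switched off rather than removed. The package list used in the comments is constructed.

```shell
#!/bin/sh
# Added example for the service rows above; not part of the MSS standard or
# its tooling.  Package names are the RHEL 7 ones for the listed services.

LEGACY_PKGS="telnet-server rsh rsh-server ypserv ypbind talk talk-server tftp-server xinetd xorg-x11-server-Xorg xorg-x11-xfs"

# legacy_installed LISTFILE
# LISTFILE holds one installed package name per line, as produced by
#   rpm -qa --qf '%{NAME}\n'
# Prints the legacy packages that are present, in LEGACY_PKGS order.
legacy_installed() {
    for p in $LEGACY_PKGS; do
        grep -qxF "$p" "$1" && printf '%s\n' "$p"
    done
    return 0
}

# remove_legacy [--dry-run]
# Queries the live RPM database and removes whatever legacy_installed reports.
remove_legacy() {
    tmp=$(mktemp) || return 1
    rpm -qa --qf '%{NAME}\n' > "$tmp"
    found=$(legacy_installed "$tmp")
    rm -f "$tmp"
    if [ -z "$found" ]; then
        echo "no legacy packages installed"
    elif [ "$1" = "--dry-run" ]; then
        printf 'would remove: %s\n' $found
    else
        # word-splitting $found on purpose: one argument per package
        yum -y remove $found
    fi
}

# disable_xinetd_services
# For hosts that must keep xinetd: turn off its internal test services.
# chkconfig still manages xinetd-based services on RHEL 7.
disable_xinetd_services() {
    for s in chargen-dgram chargen-stream daytime-dgram daytime-stream \
             echo-dgram echo-stream tcpmux-server; do
        chkconfig "$s" off 2>/dev/null || true
    done
}

# disable_unused_units UNIT...
# Stops and masks systemd units this host does not provide (dovecot, squid,
# httpd, nfs-server, rpcbind, smb, named, ...).  Masking, not just disabling,
# keeps a later package update or a dependent unit from starting them again.
disable_unused_units() {
    for u in "$@"; do
        systemctl disable --now "$u" 2>/dev/null || true
        systemctl mask "$u"
    done
}

# Usage on a live host (as root):
#   remove_legacy --dry-run && remove_legacy
#   disable_unused_units dovecot squid httpd nfs-server
```

Run `remove_legacy --dry-run` first and compare its list with what the host is actually meant to provide; `yum remove` follows reverse dependencies, so a stray entry can take an operational package with it. Verify afterwards with `ss -lntu`, which shows what is still listening regardless of how it was started.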

| What | Why |
|---|---|
| Verify SSH service running | Operational |
| Configure SSH for port 22 (default) | Operational |
| Set SSH protocol to 2 | RHEL 7 Hardening |
| Set SSH LogLevel to INFO | RHEL 7 Hardening |
| Set SSH PermitEmptyPasswords to No | RHEL 7 Hardening |
| Disable SSH Root login (except for Bastion Host via SSH Key) | RHEL 7 Hardening |
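The SSH rows above, together with the "Allow root SSH from Remote Management Hosts" row under Access and Authorization, describe one sshd_config state: root login refused everywhere except, by key only, from the bastion. The following is an added example (not MSS tooling) that audits a config file for that state and applies it; it also sets the Banner directive for the warning-banner requirement. Two sshd facts drive the design: the first occurrence of a directive wins, and every directive after a `Match` line belongs to that block, so managed settings have to be emitted ahead of any existing `Match`. BASTION is the bastion or Satellite address (comma-separated for several), and 10.1.2.3 and the sample config in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example for the SSH rows; not part of the MSS standard or its tooling.

# sshd_global FILE KEY
# Prints the first global value of KEY (sshd uses the first occurrence) and
# stops at the first Match block, whose directives are conditional.
sshd_global() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == key       { print $2; exit }
    ' "$1"
}

# sshd_root_exceptions FILE
# Prints "<addresses> <PermitRootLogin value>" for each "Match Address" block.
sshd_root_exceptions() {
    awk '
        function flush() { if (addr != "" && prl != "") print addr, prl; prl = "" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" {
            flush(); addr = ""
            for (i = 2; i < NF; i++) if (tolower($i) == "address") addr = $(i + 1)
            next
        }
        addr != "" && tolower($1) == "permitrootlogin" { prl = $2 }
        END { flush() }
    ' "$1"
}

# sshd_expect FILE KEY WANT DEFAULT
# DEFAULT is what sshd assumes when KEY is absent; prints a finding on mismatch.
sshd_expect() {
    v=$(sshd_global "$1" "$2"); [ -n "$v" ] || v=$4
    [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = "$3" ] && return 0
    printf '%s is %s, want %s\n' "$2" "$v" "$3"
    return 1
}

# sshd_check FILE BASTION -> prints findings, returns 1 if any
sshd_check() {
    f=$1; bastion=$2; fail=0
    sshd_expect "$f" Port 22 22                  || fail=1
    sshd_expect "$f" Protocol 2 2                || fail=1
    sshd_expect "$f" LogLevel info info          || fail=1
    sshd_expect "$f" PermitEmptyPasswords no no  || fail=1
    sshd_expect "$f" PermitRootLogin no yes      || fail=1   # RHEL 7 default is yes
    sshd_expect "$f" Banner /etc/issue.net none  || fail=1
    ok=0
    while read -r addr val; do
        case ",$addr," in *",$bastion,"*)
            case "$val" in without-password|prohibit-password) ok=1 ;; esac ;;
        esac
    done <<EOF
$(sshd_root_exceptions "$f")
EOF
    [ "$ok" = 1 ] || { printf 'no Match Address %s block granting key-only root login\n' "$bastion"; fail=1; }
    return $fail
}

# apply_sshd_hardening FILE BASTION
# Comments out the managed directives in the global section, re-emits them
# ahead of any existing Match block, and appends the bastion exception.
apply_sshd_hardening() {
    f=$1; tmp=$(mktemp) || return 1
    awk -v bastion="$2" '
        function fragment() {
            print "# --- managed by MSS hardening ---"
            print "Port 22"; print "Protocol 2"; print "LogLevel INFO"
            print "PermitEmptyPasswords no"; print "PermitRootLogin no"
            print "Banner /etc/issue.net"
        }
        BEGIN { n = split("port protocol loglevel permitemptypasswords permitrootlogin banner", a, " ")
                for (i = 1; i <= n; i++) managed[a[i]] = 1 }
        tolower($1) == "match" && !inmatch { fragment(); inmatch = 1 }
        !inmatch && (tolower($1) in managed) { print "#" $0; next }
        { print }
        END { if (!inmatch) fragment()
              print "Match Address " bastion
              print "    PermitRootLogin without-password" }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
}

# Usage on a live host (as root, from a session on the bastion):
#   apply_sshd_hardening /etc/ssh/sshd_config 10.1.2.3 && sshd -t && systemctl restart sshd
```

Always run `sshd -t` before the restart and keep the current session open until a fresh login from the bastion succeeds; `sshd -T` on the running host prints the effective values if the file has been edited by hand since.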

Logging

| What | Why |
|---|---|
| Configure Network Time Protocol (NTP) | |
| Enable system accounting (auditd) | Min Std Sys, 4.6.1 |
| Install and configure rsyslog | Security |
| All administrator or root access must be logged | Min Std Sys, 4.6.4 |
| Configure root mail aliases | Operational |
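The Logging rows fit together: auditd records what root did, rsyslog gets the records off the host before an intruder can edit them, and NTP makes the timestamps comparable with every other host's. The functions below are an added example rather than MSS tooling; they write the three configurations under a ROOT prefix (use / on the live host) so they can be tried on a scratch tree first. collector.example.edu and the ntp*.example.edu names are placeholders.

```shell
#!/bin/sh
# Added example for the Logging rows; not part of the MSS standard or its
# tooling.  Collector and time-source hostnames are placeholders.

# write_audit_rules ROOT
# Min Std 4.6.4: every command run with root privilege is recorded, whether
# reached through sudo, su, or a root shell.  Both syscall ABIs are needed:
# a 32-bit binary on a 64-bit host would otherwise slip past a b64-only rule.
write_audit_rules() {
    d="$1/etc/audit/rules.d"; mkdir -p "$d"
    cat > "$d/50-mss-root-access.rules" <<'EOF'
## commands executed with effective uid 0 (high volume; the key makes searching cheap)
-a always,exit -F arch=b64 -S execve -F euid=0 -k root-commands
-a always,exit -F arch=b32 -S execve -F euid=0 -k root-commands
## use of the escalation tools themselves
-w /usr/bin/sudo -p x -k priv-esc
-w /usr/bin/su -p x -k priv-esc
## changes to who may become root and to the account database
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
EOF
}

# audit_rules_ok FILE -> 0 when FILE carries root execve rules for both ABIs
# and a sudoers watch, 1 otherwise.
audit_rules_ok() {
    grep -Eq -- '-F arch=b64 -S execve -F euid=0' "$1" || return 1
    grep -Eq -- '-F arch=b32 -S execve -F euid=0' "$1" || return 1
    grep -Eq -- '^-w /etc/sudoers -p wa' "$1"          || return 1
}

# write_rsyslog_forward ROOT COLLECTOR
# Forwards everything over TCP with a disk-assisted queue so nothing is lost
# while the collector is unreachable.
write_rsyslog_forward() {
    d="$1/etc/rsyslog.d"; mkdir -p "$d"
    cat > "$d/90-mss-forward.conf" <<EOF
\$ActionQueueType LinkedList
\$ActionQueueFileName mss-fwd
\$ActionQueueMaxDiskSpace 1g
\$ActionQueueSaveOnShutdown on
\$ActionResumeRetryCount -1
*.* @@$2:514
EOF
}

# write_chrony_conf ROOT SERVER...
# RHEL 7 ships chronyd as its NTP client; one "server" line per source.
write_chrony_conf() {
    root=$1; shift
    mkdir -p "$root/etc"
    {
        for s in "$@"; do printf 'server %s iburst\n' "$s"; done
        printf 'driftfile /var/lib/chrony/drift\nmakestep 1.0 3\nrtcsync\n'
    } > "$root/etc/chrony.conf"
}

# activate_logging  (live host, as root, after the three writers with ROOT=/)
activate_logging() {
    systemctl enable auditd rsyslog chronyd
    augenrules --load                     # merges rules.d/*.rules and loads them
    service auditd restart                # auditd refuses systemctl restart on RHEL 7
    systemctl restart rsyslog chronyd
    auditctl -l | grep -q root-commands   # confirm the rules reached the kernel
}
```

The execve rule is deliberately broad; `ausearch -k root-commands -i` and `aureport -x --summary` are the tools that make it readable. The `*.*` forward also carries sudo's own lines from /var/log/secure, which is what ties an audit record back to the administrator who ran the command.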

Monitoring

| What | Why |
|---|---|
| Configure for Zenoss monitoring via SNMP | Operational |

PAM Configuration

| What | Why |
|---|---|
| Ensure that the configuration files for PAM, /etc/pam.d/*, are secure | Min Std Sys, 4.5.12 |
| Upgrade password hashing algorithm to SHA-512 | RHEL 7 Hardening |
| Set password creation requirements | RHEL 7 Hardening |
| Restrict root login (with password) to system console | RHEL 7 Hardening |

Warning Banners

| What | Why |
|---|---|
| If network or physical access services are running, ensure the university warning banner is displayed | Min Std Sys, 4.5.10 |
| Standardized Message of the Day (MOTD) | Operational |

Secure Boot Settings

| What | Why |
|---|---|
| Set user/group owner to root, and permissions to read and write for root only, on /boot/grub2/grub.cfg | RHEL 7 Hardening |
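The PAM Configuration rows and the grub.cfg row above are all checks on a handful of files, so one audit covers them. The functions below are an added example, not MSS tooling: they verify PAM file permissions and ownership, the grub.cfg mode, SHA-512 hashing in both places it is configured, and that /etc/securetty (consulted by pam_securetty on console login) lists consoles only. ROOT is a prefix so the audit can run against a staging tree; the securetty contents written by apply_baseline are an assumption about which consoles the site uses, and the tree built in the test is constructed.

```shell
#!/bin/sh
# Added example for the PAM Configuration and Secure Boot Settings rows; not
# part of the MSS standard or its tooling.

# mode_within PATH MAX -> 0 when PATH grants no permission bit outside MAX (octal)
mode_within() {
    have=$(stat -c '%a' "$1") || return 1
    [ $(( 0$have & ~0$2 )) -eq 0 ]
}

# audit_baseline ROOT -> one finding per line; returns 1 if any
audit_baseline() {
    root=${1%/}; rc=0
    # Min Std 4.5.12: the PAM stacks decide who gets in; only root may edit them.
    for f in "$root"/etc/pam.d/*; do
        [ -f "$f" ] || continue
        mode_within "$f" 644 || { printf '%s: mode %s exceeds 644\n' "$f" "$(stat -c '%a' "$f")"; rc=1; }
        [ "$(stat -c '%U:%G' "$f")" = root:root ] || { printf '%s: not owned by root:root\n' "$f"; rc=1; }
    done
    # grub.cfg: readable by root only, so boot parameters and any bootloader
    # password hash are not exposed to every local account.
    g="$root/boot/grub2/grub.cfg"
    if [ -f "$g" ]; then
        mode_within "$g" 600 || { printf '%s: mode %s exceeds 600\n' "$g" "$(stat -c '%a' "$g")"; rc=1; }
        [ "$(stat -c '%U:%G' "$g")" = root:root ] || { printf '%s: not owned by root:root\n' "$g"; rc=1; }
    fi
    # SHA-512: login.defs governs useradd/passwd defaults, pam_unix the PAM path.
    grep -Eq '^[ \t]*ENCRYPT_METHOD[ \t]+SHA512' "$root/etc/login.defs" 2>/dev/null \
        || { echo "login.defs: ENCRYPT_METHOD is not SHA512"; rc=1; }
    grep -Eq '^[ \t]*password[ \t]+sufficient[ \t]+pam_unix\.so.*sha512' "$root/etc/pam.d/system-auth" 2>/dev/null \
        || { echo "system-auth: pam_unix.so password line lacks sha512"; rc=1; }
    # Root password login only on consoles: anything like pts/0 here lets root
    # log in with a password over the network.
    if [ -f "$root/etc/securetty" ]; then
        bad=$(grep -Ev '^(#|$|console$|tty[0-9]+$|ttyS[0-9]+$|hvc[0-9]+$)' "$root/etc/securetty" | tr '\n' ' ')
        [ -z "${bad% }" ] || { printf 'securetty: non-console terminals allowed: %s\n' "$bad"; rc=1; }
    fi
    return $rc
}

# apply_baseline  (live host, as root)
apply_baseline() {
    chown root:root /boot/grub2/grub.cfg /etc/pam.d/*
    chmod 0600 /boot/grub2/grub.cfg
    chmod 0644 /etc/pam.d/*
    authconfig --passalgo=sha512 --update        # rewrites system-auth, password-auth, login.defs
    printf 'console\ntty1\n' > /etc/securetty     # assumption: console and first virtual terminal
    # Existing hashes keep their old algorithm until the password is next set;
    # expire every MD5 ($1$) or SHA-256 ($5$) password so SHA-512 actually applies.
    awk -F: '$2 ~ /^\$[15]\$/ { print $1 }' /etc/shadow | while read -r u; do chage -d 0 "$u"; done
}
```

Password creation requirements live in /etc/security/pwquality.conf (pam_pwquality); the row gives no values, so none are set here. Re-run `audit_baseline /` after any `authconfig` or package update that touches /etc/pam.d, since both rewrite files there.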

Network Security and Firewall Configuration

| What | Why |
|---|---|
| DNS Records [.its or .austin only] | Operational |
| Set static IP address/DNS for eth0 | Operational |
| Disable firewalld | Operational |
| Enable iptables | Operational |
| Configure Base Firewall | Min Std Sys, 4.5.1 |
| Limit connections to services running on the host to authorized users of the service via firewalls and other access control technologies | Min Std Sys, 4.5.5 |
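The firewall rows above amount to one ruleset: firewalld off, the iptables service on, a default-deny base policy, and management services reachable only from the hosts that are entitled to them (Min Std 4.5.5). The functions below are an added example, not MSS tooling. MGMT is the address list allowed to reach SSH (bastion, Satellite) and MON the Zenoss poller allowed to reach SNMP; the addresses in the usage line are placeholders.

```shell
#!/bin/sh
# Added example for the firewall rows; not part of the MSS standard or its
# tooling.  Addresses in the usage line are placeholders.

# base_ruleset MGMT MON [TCP_PORT ...]
# Prints an iptables-restore ruleset: default DROP inbound, loopback and
# established traffic allowed, SSH only from MGMT, SNMP only from MON, each
# extra TCP_PORT open for the service this host exists to provide, and
# everything else logged (rate-limited) and rejected.  MGMT and MON may be
# comma-separated; iptables expands a list into one rule per address.
base_ruleset() {
    mgmt=$1; mon=$2; shift 2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -p tcp --dport 22 -s $mgmt -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport 161 -s $mon -j ACCEPT
EOF
    for p in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    cat <<'EOF'
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "iptables-drop: " --log-level 4
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# ruleset_opens RULESET PORT -> 0 if an ACCEPT for tcp PORT exists in RULESET
ruleset_opens() {
    printf '%s\n' "$1" | grep -q -- "-p tcp --dport $2 .*-j ACCEPT"
}

# apply_firewall MGMT MON [TCP_PORT ...]   (live host, as root, from a MGMT host)
# firewalld and the iptables service manage the same kernel tables, so the
# standard disables firewalld and keeps the static ruleset in /etc/sysconfig/iptables.
apply_firewall() {
    f=/etc/sysconfig/iptables
    yum -y install iptables-services || return 1
    base_ruleset "$@" > "$f.new"
    iptables-restore --test < "$f.new" || { echo "ruleset rejected, not applied" >&2; return 1; }
    systemctl disable --now firewalld 2>/dev/null
    systemctl mask firewalld
    mv "$f.new" "$f"
    systemctl enable --now iptables
    iptables -S INPUT | grep -q -- '--dport 22' || echo "warning: SSH rule not loaded" >&2
}

# Usage on a live host:  apply_firewall 10.0.0.0/24,10.0.1.5 192.0.2.10 443
```

Apply the ruleset from a session on one of the MGMT addresses: `iptables-restore --test` only checks syntax, and a wrong MGMT list locks out every remote administrator the moment the iptables service starts. Hosts whose service ports cannot be enumerated up front (the NFS or SMB examples in the OS Hardening rows) need those ports added to the TCP_PORT list, not a relaxed default policy.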

| What | Why |
|---|---|
| Disable IP forwarding | RHEL 7 Hardening |
| Disable send packet redirects | RHEL 7 Hardening |
| Disable source routed packet acceptance | RHEL 7 Hardening |
| Disable ICMP redirect acceptance | RHEL 7 Hardening |
| Enable Ignore Broadcast Requests | RHEL 7 Hardening |
| Enable Bad Error Message Protection | RHEL 7 Hardening |
| Enable TCP/SYN cookies | RHEL 7 Hardening |
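The seven kernel network rows above and the ASLR row under Process Hardening are all sysctl settings, so they are best managed as one file and audited as one list. The block below is an added example, not MSS tooling. Only the IPv4 keys are listed because those are the controls the rows name; the net.ipv6.conf.* counterparts take the same values where IPv6 is enabled. The audit deliberately compares a `sysctl -a` capture rather than the file, because a later fragment in /etc/sysctl.d or a service can override a value after boot; the capture used in the test is constructed.

```shell
#!/bin/sh
# Added example for the Process Hardening row and the kernel network rows;
# not part of the MSS standard or its tooling.

# randomize_va_space=2 randomizes stack, mmap, heap (brk) and, for PIE
# executables, the program text.  secure_redirects covers the remaining
# redirect path (redirects from a listed gateway) once accept_redirects is off.
SYSCTL_SETTINGS='
kernel.randomize_va_space=2
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
'

# write_sysctl_conf OUT  -> "key = value" lines, e.g. /etc/sysctl.d/99-mss-hardening.conf
write_sysctl_conf() {
    printf '%s\n' "$SYSCTL_SETTINGS" | sed -n 's/=/ = /p' > "$1"
}

# audit_sysctl SNAPSHOT -> compares a `sysctl -a` capture against the table;
# prints one line per deviation, returns 1 if any.
audit_sysctl() {
    snap=$1; rc=0
    while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        have=$(awk -F' *= *' -v k="$key" '$1 == k { print $2; exit }' "$snap")
        [ -n "$have" ] || have=unset
        [ "$have" = "$want" ] || { printf '%s is %s, want %s\n' "$key" "$have" "$want"; rc=1; }
    done <<EOF
$SYSCTL_SETTINGS
EOF
    return $rc
}

# apply_sysctl  (live host, as root): persist, load, then re-audit the kernel
apply_sysctl() {
    write_sysctl_conf /etc/sysctl.d/99-mss-hardening.conf
    sysctl --system > /dev/null      # reloads every sysctl.d fragment in order
    snap=$(mktemp) || return 1
    sysctl -a 2>/dev/null > "$snap"
    audit_sysctl "$snap"; st=$?
    rm -f "$snap"
    return $st
}
```

The 99- prefix makes the file sort after the vendor fragments so its values win; if `apply_sysctl` still reports a deviation, something is re-setting the key at runtime (`grep -r` the key across /etc/sysctl.d and unit files to find it). The text-segment part of ASLR only applies to PIE binaries, so the setting does not retroactively protect non-PIE executables.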

System Integrity and Intrusion Detection

| What | Why |
|---|---|
| Configure SELinux in permissive mode | RHEL 7 Hardening |
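Permissive mode is what the row asks for, and it is worth being precise about what it buys under this section's heading: the kernel logs every access the policy would have denied (AVC records in the audit log) but blocks nothing, so it delivers detection, not prevention; enforcing is the mode that prevents. The helpers below are an added example rather than MSS tooling. They set the persistent mode in /etc/selinux/config, switch the running kernel, and count the denials that permissive mode surfaces; the config file in the test is constructed.

```shell
#!/bin/sh
# Added example for the SELinux row; not part of the MSS standard or its tooling.

# selinux_config_mode FILE -> boot-time mode from SELINUX= (enforcing|permissive|disabled), or "missing"
selinux_config_mode() {
    awk -F= '$1 == "SELINUX" { v = $2 } END { print (v == "" ? "missing" : v) }' "$1"
}

# set_selinux_mode FILE MODE -> rewrites (or appends) the SELINUX= line, leaving
# SELINUXTYPE and comments untouched.
set_selinux_mode() {
    f=$1; mode=$2
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "bad SELinux mode: $mode" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    awk -v m="$mode" '
        /^SELINUX=/ { print "SELINUX=" m; seen = 1; next }
        { print }
        END { if (!seen) print "SELINUX=" m }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
}

# apply_selinux_permissive  (live host, as root)
# enforcing<->permissive switches at runtime; coming from disabled the kernel
# never loaded a policy and files carry no labels, so a relabel and reboot are required.
apply_selinux_permissive() {
    set_selinux_mode /etc/selinux/config permissive || return 1
    if [ "$(getenforce)" = Disabled ]; then
        touch /.autorelabel
        echo "SELinux was disabled: reboot to relabel and enter permissive mode"
    else
        setenforce 0
    fi
}

# denial_count -> number of AVC denials recorded today; what permissive mode
# gives you is this list, so it needs to be read.
denial_count() {
    ausearch -m AVC -ts today 2>/dev/null | grep -c '^type=AVC'
}
```

Treat a rising `denial_count` as a finding to triage, not noise: in permissive mode each AVC line is an access that went through, and once the denials are understood the same config file is one `set_selinux_mode /etc/selinux/config enforcing` away from actually blocking them.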

Infrastructure Baseline (Virtual Machine)

| What | Why |
|---|---|
| CPU: 2 vCPU cores | Operational |
| Disk: 50 GB Tier 1 Virtual Disk (OS) | Operational |
| Memory: 4 GB RAM | Operational |