
CIS Red Hat Enterprise Linux Benchmark, v1.1 (2008/04)

Red Hat Enterprise Linux 5 (RHEL5) CIS Benchmark
Version 1.1
April 2008

Copyright 2001-2008, The Center for Internet Security
http://cisecurity.org

Editor: Joe Wulf, ProSync Technology
[email protected]

[CIS RHEL5 Benchmark] Table of Contents

1 CIS RED HAT ENTERPRISE LINUX 5 BENCHMARK .... 11
    Introduction .... 11
    Feedback is welcome .... 11
    Applying CIS Benchmark Recommendations .... 11
    Audience .... 12
    Applicability .... 12
    Precedence of Benchmark-Compliance Audit .... 12
    Partitioning Considerations .... 13
    Software Package Removal .... 14
    Backup Key Files .... 14
    Executing Actions .... 15
    A Root Shell Environment Is Assumed .... 16
    Software Package Installation .... 17
    Vulnerabilities .... 17
    SELinux .... 18
    About Bastille .... 18
    Reboot Required .... 18
    Housekeeping, preparatory to accomplishing the remainder of the Benchmark .... 19
    Conventions .... 19
2 PATCHES, PACKAGES AND INITIAL LOCKDOWN .... 21
    2.1 Apply Latest OS Patches .... 21
    2.2 Validate The System Before Making Changes .... 22
    2.3 Configure SSH .... 22
    2.4 Enable System Accounting .... 25
3 MINIMIZE XINETD NETWORK SERVICES .... 27
    3.1 Disable Standard Services .... 27
    3.1t Table of xinetd services (usage of these is deprecated) .... 27
    3.2 Configure TCP Wrappers and Firewall to Limit Access .... 29
    3.3 Only Enable telnet, If Absolutely Necessary .... 31
    3.4 Only Enable FTP, If Absolutely Necessary .... 32
    3.5 Only Enable rlogin/rsh/rcp, If Absolutely Necessary .... 33
    3.6 Only Enable TFTP Server, If Absolutely Necessary .... 34
    3.7 Only Enable cyrus-imapd, If Absolutely Necessary .... 35
    3.8 Only Enable dovecot, If Absolutely Necessary .... 35
4 MINIMIZE BOOT SERVICES .... 37
    4t Table of RHEL5 inetd/boot Services .... 37
    4.1 Set Daemon umask .... 40
    4.2 Disable xinetd, If Possible .... 40
    4.3 Ensure sendmail is only listening to the localhost, If Possible .... 41
    4.4 Disable GUI Login, If Possible .... 42
    4.5 Disable X Font Server, If Possible .... 43
    4.6 Disable Standard Boot Services .... 44
    4.7 Only Enable SMB (Windows File Sharing) Processes, If Absolutely Necessary .... 47
    4.8 Only Enable NFS Server Processes, If Absolutely Necessary .... 48
    4.9 Only Enable NFS Client Processes, If Absolutely Necessary .... 48
    4.10 Only Enable NIS Client Processes, If Absolutely Necessary .... 49
    4.11 Only Enable NIS Server Processes, If Absolutely Necessary .... 49
    4.12 Only Enable RPC Portmap Process, If Absolutely Necessary .... 50
    4.13 Only Enable netfs Script, If Absolutely Necessary .... 50
    4.14 Only Enable Printer Daemon Processes, If Absolutely Necessary .... 51
    4.15 Only Enable Web Server Processes, If Absolutely Necessary .... 52
    4.16 Only Enable SNMP Processes, If Absolutely Necessary .... 53
    4.17 Only Enable DNS Server Process, If Absolutely Necessary .... 53
    4.18 Only Enable SQL Server Processes, If Absolutely Necessary .... 54
    4.19 Only Enable Squid Cache Server, If Absolutely Necessary .... 55
    4.20 Only Enable Kudzu Hardware Detection, If Absolutely Necessary .... 55
5 SYSTEM NETWORK PARAMETER TUNING .... 57
    5.1 Network Parameter Modifications .... 57
    5.2 Additional Network Parameter Modifications .... 59
6 LOGGING .... 61
    6.1 Capture Messages Sent To syslog AUTHPRIV Facility .... 61
    6.2 Turn On Additional Logging For FTP Daemon .... 62
    6.3 Confirm Permissions On System Log Files ....