SecHard
Red Hat 8, CentOS 8, Oracle 8 Hardening Phase 2 Operation
Ensure AIDE is installed (Automated)
AIDE is an integrity checking tool for Linux and other Unix-like operating systems. It monitors the integrity of the system's files and directories by periodically checking them against its file integrity database.
In this way, when unauthorised access or changes are made to the system, AIDE detects them and notifies the system administrators.
Ensure filesystem integrity is regularly checked (Automated)
This check ensures that the integrity of the filesystem is verified at regular intervals.
The filesystem is the structure in which data is stored and organised on a computer.
Ensure SELinux is installed (Automated)
SELinux is a security-enhancing feature of Linux-based operating systems. It helps to control access to resources (files, memory, network connections, etc.) in the system by implementing security policies.
Ensure SELinux is not disabled in bootloader configuration (Automated)
SELinux must not be disabled in the bootloader configuration. This check emphasises that the SELinux security features must not be switched off at boot and that the bootloader configuration must keep this security mechanism enabled.
Ensure SELinux policy is configured (Automated)
The SELinux policy settings are made here. The point to consider is that the policy is configured correctly, since it is where permissions, restrictions and security controls are handled. In this way, potential security threats in the system are minimised.
Ensure the SELinux mode is not disabled (Automated)
SELinux is a security subsystem that enforces security policies on Linux operating systems. SELinux mode can usually be in three different states: Enforcing, Permissive and Disabled.
If SELinux is enabled on a system, this mode must be either Enforcing or Permissive. These states can be explained as follows:
Enforcing (Enabled): In this mode, SELinux policies are strictly enforced and actions are taken in case of violations. The security level in the system is at the highest level.
Permissive: In this mode, SELinux policies are evaluated but not enforced; violations are only logged and no action is taken. This mode can be used when analysing the impact of policies or during development phases.
Ensure the SELinux mode is enforcing (Automated)
Enforcing (Enabled): In this mode, SELinux policies are strictly enforced and actions are taken in case of violations. The level of security in the system is at the highest level.
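The four SELinux checks above (bootloader, policy, mode not disabled, mode enforcing) can be evaluated from two inputs, as in this added example, which is not SecHard's own code. It assumes the standard SELINUX= and SELINUXTYPE= keys of /etc/selinux/config and the selinux=0 and enforcing=0 kernel parameters; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not SecHard code. Inputs are file paths so the audit can run
# on constructed samples; on a host they are /etc/selinux/config and /proc/cmdline.

# Value of KEY= in an SELinux config file; comment lines never match.
# Assumption of this sketch: if a key is repeated, the last line is used.
selinux_cfg_value() {  # $1 = key, $2 = file
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([A-Za-z]*\).*/\1/p" "$2" | tail -n 1
}

# True when the kernel command line turns SELinux off (selinux=0)
# or forces permissive mode at boot (enforcing=0).
cmdline_weakens_selinux() {  # $1 = file holding the kernel command line
    for tok in $(cat "$1"); do
        case "$tok" in selinux=0|enforcing=0) return 0 ;; esac
    done
    return 1
}

# One verdict per SELinux check described above.
selinux_audit() {  # $1 = config file, $2 = command-line file
    mode=$(selinux_cfg_value SELINUX "$1")
    policy=$(selinux_cfg_value SELINUXTYPE "$1")
    boot=PASS; pol=PASS; notdis=PASS; enf=PASS
    if cmdline_weakens_selinux "$2"; then boot=FAIL; fi
    [ -n "$policy" ] || pol=FAIL
    case "$mode" in
        enforcing)  ;;
        permissive) enf=FAIL ;;
        *)          notdis=FAIL; enf=FAIL ;;  # disabled, missing or unrecognised
    esac
    echo "bootloader=$boot policy=$pol not_disabled=$notdis enforcing=$enf"
}

# Constructed sample: permissive in the config file, clean boot parameters.
tmp=$(mktemp -d)
printf '# SELINUX= can take one of three values\nSELINUX=permissive\nSELINUXTYPE=targeted\n' > "$tmp/config"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/mapper/root ro quiet\n' > "$tmp/cmdline"
selinux_audit "$tmp/config" "$tmp/cmdline"
rm -rf "$tmp"
```

A permissive system passes the "not disabled" check but fails the "enforcing" check, which is why the two are listed separately.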
Ensure SETroubleshoot is not installed (Automated)
SETroubleshoot is a tool for debugging and solving problems with Security-Enhanced Linux (SELinux).
SETroubleshoot provides information about actions that are blocked or limited by SELinux, and assists system administrators in debugging and troubleshooting by presenting this information in a more understandable format.
Ensure the MCS Translation Service (mcstrans) is not installed (Automated)
mcstrans is a component used by SELinux to translate and manage the label information of labelled objects, in particular files. However, due to certain security requirements or system configuration, such a service may not be desirable.
This instruction refers to checking whether the mcstrans service is installed on the system and removing it if it is installed. System administrators should carefully consider and act in accordance with system requirements before removing such security components.
Ensure GNOME Display Manager is removed (Manual)
This check makes sure that the graphical session manager called GNOME Display Manager (GDM) is removed from the system. GDM is a component for managing graphical sessions on Linux systems, usually using the GNOME desktop environment.
This instruction is intended to check whether GDM is installed on the system and, if so, to uninstall it. GDM typically provides session management for desktop users, and in some cases may not be required in server environments.
Ensure GDM login banner is configured (Automated)
GDM is a component that provides graphical session management on Linux systems and typically uses the GNOME desktop environment.
A login banner is an informative message that users see on the login screen. Usually this banner contains system policies, rules, or information notes. The instruction "Ensure GDM login banner is configured" refers to checking that this login banner is arranged and configured in a system-specific way.
Ensure last logged in user display is disabled (Automated)
This check makes sure that the display of the last logged in user is disabled. This is usually a security measure: it prevents the name of the last logged in user from being displayed on the login screen or other login mechanism.
Ensure XDMCP is not enabled (Automated)
This check ensures that the X Display Manager Control Protocol (XDMCP) is not enabled. XDMCP is a protocol that allows remote X Window System clients to connect to an X server and start a remote graphics session.
The X Window System is used to manage graphical user interfaces (GUIs) on many Unix and Linux systems. However, using XDMCP can create security risks: the protocol can transmit user credentials without encryption, leaving them clearly visible on the network, which can lead to a potential security problem.
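The XDMCP check, together with the login banner and last-user checks from the two preceding sections, comes down to reading keys from sectioned configuration files, shown here as an added example that is not SecHard's own code. It assumes GDM's [xdmcp] Enable key in custom.conf and the GNOME login-screen keys banner-message-enable and disable-user-list, none of which are named on this page; the function names and sample files are constructed.

```shell
#!/bin/sh
# Added example, not SecHard code. File paths are arguments so the audit runs on
# constructed samples; GDM's daemon settings normally live in /etc/gdm/custom.conf.

# Last active value of KEY in [SECTION] of a keyfile. Comment lines are skipped
# and the section is tracked, because [debug] in custom.conf also has an Enable key.
keyfile_get() {  # $1 = file, $2 = section, $3 = key
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { sec = $0; gsub(/[ \t]/, "", sec); next }
        sec == want {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k == key) { val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val) }
        }
        END { print val }
    ' "$1"
}

# Verdicts for XDMCP, the login banner and the user list on the login screen.
gdm_audit() {  # $1 = custom.conf, $2 = dconf keyfile for the GDM login screen
    x=PASS; b=PASS; u=PASS
    case "$(keyfile_get "$1" xdmcp Enable)" in true|1) x=FAIL ;; esac
    [ "$(keyfile_get "$2" org/gnome/login-screen banner-message-enable)" = true ] || b=FAIL
    [ "$(keyfile_get "$2" org/gnome/login-screen disable-user-list)" = true ] || u=FAIL
    echo "xdmcp=$x banner=$b user_list_hidden=$u"
}

# Constructed samples: XDMCP line commented out, banner set, user list not hidden.
tmp=$(mktemp -d)
cat > "$tmp/custom.conf" <<'EOF'
[daemon]
WaylandEnable=false
[xdmcp]
#Enable=true
[debug]
Enable=true
EOF
cat > "$tmp/login-screen" <<'EOF'
[org/gnome/login-screen]
banner-message-enable=true
banner-message-text='Authorized users only.'
EOF
gdm_audit "$tmp/custom.conf" "$tmp/login-screen"
rm -rf "$tmp"
```

A plain text search for Enable=true would report the sample custom.conf as a finding because of the [debug] section; tracking the section avoids that false positive.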
Ensure automatic mounting of removable media is disabled (Automated)
This means disabling the automatic mounting of removable media. This is usually a security measure and means that removable media (USB drives, external discs, SD cards, etc.) inserted into users' computers are not mounted automatically.
Ensure sudo commands use pty (Automated)
A pseudoterminal (pty) is a virtual terminal device that provides a terminal-like interface. Some applications or commands expect to be run on something that behaves like a real terminal. In some cases sudo commands do not run directly on a terminal, and problems may then arise.
The purpose of the "Ensure sudo commands use pty" instruction is to ensure that sudo commands run using pty. This can help prevent problems that may arise with some applications or commands.
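Whether sudo is set to run commands on a pty can be read from the sudoers Defaults entries, as in this added example, which is not SecHard's own code. It assumes the sudoers use_pty option and that a later Defaults entry overrides an earlier one; the function name and sample files are constructed.

```shell
#!/bin/sh
# Added example, not SecHard code. Sudoers files are passed in read order so the
# check runs on constructed samples instead of /etc/sudoers.

# Effective global use_pty setting: prints on, off or unset.
# Limits of this sketch: scoped entries such as Defaults:alice are ignored and
# backslash line continuations are not joined.
sudo_use_pty_state() {  # $@ = sudoers files in the order sudo reads them
    awk '
        { sub(/#.*/, "") }                          # drop comments
        /^[ \t]*Defaults[ \t]/ {
            sub(/^[ \t]*Defaults[ \t]+/, "")
            n = split($0, opts, ",")                # options are comma separated
            for (i = 1; i <= n; i++) {
                o = opts[i]; gsub(/[ \t]/, "", o)
                if (o == "use_pty") state = "on"
                else if (o == "!use_pty") state = "off"   # negated option
            }
        }
        END { print (state == "" ? "unset" : state) }
    ' "$@"
}

# Constructed samples: main file enables use_pty, a later drop-in negates it.
tmp=$(mktemp -d)
cat > "$tmp/sudoers" <<'EOF'
Defaults    env_reset
Defaults    use_pty, logfile="/var/log/sudo.log"
# Defaults !use_pty
Defaults:backup !use_pty
EOF
printf 'Defaults !use_pty\n' > "$tmp/99-local"
sudo_use_pty_state "$tmp/sudoers"
sudo_use_pty_state "$tmp/sudoers" "$tmp/99-local"
rm -rf "$tmp"
```

The second call shows why drop-in files have to be included in the check: a single negated entry read later turns the setting off again.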