Red Hat 8, CentOS 8, Oracle 8 Hardening Phase 3 Operation

SecHard


  • Verify if IPv6 is enabled on the system (Manual)

This is a manual check of whether IPv6 is enabled on the system. IPv6 counts as disabled only when it is switched off for all interfaces, either through the ipv6.disable=1 kernel boot parameter or through the net.ipv6.conf.all.disable_ipv6 and net.ipv6.conf.default.disable_ipv6 sysctls. The result decides whether the IPv6-specific items below (IPv6 source routing, IPv6 redirects, router advertisements, ip6tables) apply or can be marked not applicable.

  • Ensure SCTP is disabled (Automated)

SCTP (Stream Control Transmission Protocol) is a transport protocol used mainly in telecommunications signalling and developed as an alternative to TCP and UDP. A general-purpose server almost never needs it.

This check ensures that the sctp kernel module cannot be loaded: modprobe must be configured to refuse it (an install directive that substitutes /bin/false for the real load) and the module must not be loaded at the moment of the check. Every network protocol the kernel exposes is attack surface that can be reached without any listening service, which is why unused transport protocols are disabled at the module level rather than merely left unused.

  • Ensure DCCP is disabled (Automated)

DCCP (Datagram Congestion Control Protocol) is a transport protocol that offers congestion control for unreliable datagram streams, positioned as an alternative to TCP and UDP for media and gaming traffic. It is rarely used in practice.

This check ensures that the dccp kernel module cannot be loaded, in the same way as for SCTP: a modprobe install directive pointing at /bin/false plus a blacklist entry, and the module must not be currently loaded. Removing protocol handlers the host does not use shrinks the kernel's reachable attack surface and takes a whole class of potential vulnerabilities off the table.
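The following is an added example, not SecHard's tooling or the benchmark's own audit script, showing how the SCTP and DCCP items are remediated and audited. It assumes that modprobe drop-ins live in /etc/modprobe.d (the MODPROBE_D variable is an assumption of this script, overridden so the demo runs in a scratch directory without root) and that modprobe and lsmod exist only on the live host.

```sh
#!/bin/sh
# Added example (not SecHard's tooling nor the benchmark's audit script):
# disable the sctp and dccp kernel modules as the checks above expect,
# and audit the result.  Assumption: drop-ins live in /etc/modprobe.d;
# MODPROBE_D is overridden so the demo runs in a scratch directory.

MODPROBE_D="${MODPROBE_D:-/etc/modprobe.d}"

# Write the drop-in that makes modprobe refuse the module.  "install <mod>
# /bin/false" replaces the real load with a command that fails; "blacklist"
# additionally stops alias-based autoloading (e.g. from a socket() call).
disable_module_conf() {
    printf 'install %s /bin/false\nblacklist %s\n' "$1" "$1" > "$MODPROBE_D/$1.conf"
}

# Configuration audit (runs offline): both directives must exist in some
# file under the drop-in directory.  Prints "pass" or "fail".
audit_module_conf() {
    if grep -Eqs "^install[[:space:]]+$1[[:space:]]+/bin/(false|true)" "$MODPROBE_D"/*.conf \
        && grep -Eqs "^blacklist[[:space:]]+$1([[:space:]]|\$)" "$MODPROBE_D"/*.conf; then
        echo pass
    else
        echo fail
    fi
}

# Live audit for the target host: what modprobe would really do (-n is a
# dry run) and whether the module is loaded now.  Returns 0 if disabled.
audit_module_live() {
    modprobe -n -v "$1" 2>/dev/null | grep -Eq '^install /bin/(false|true)' || return 1
    ! lsmod | grep -qw "$1"
}

# Demo in a scratch directory (constructed environment, no root needed).
demo() {
    MODPROBE_D=$(mktemp -d)
    for m in sctp dccp; do
        printf '%s: %s -> ' "$m" "$(audit_module_conf "$m")"
        disable_module_conf "$m"
        audit_module_conf "$m"
    done
    rm -rf "$MODPROBE_D"
}
demo
```

On a real host, run disable_module_conf as root for each module, unload anything already loaded with modprobe -r, and then confirm with audit_module_live; the configuration audit alone does not prove the module is out of memory.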

  • Ensure wireless interfaces are disabled (Automated)

This check ensures that wireless network interfaces are disabled on the system, either by turning the radios off (for example through NetworkManager) or by preventing the wireless driver modules from loading.

On servers, wireless interfaces are rarely needed and hard to control physically: an active radio can join, or be lured onto, a network that bypasses the wired perimeter. Disabling them removes that path and reduces the attack surface. Laptops and other systems that legitimately depend on Wi-Fi are the usual exception and should be recorded as such.

  • Ensure IP forwarding is disabled (Automated)

This check ensures that IP forwarding is disabled, for IPv4 (net.ipv4.ip_forward) and, where IPv6 is enabled, for IPv6 (net.ipv6.conf.all.forwarding).

IP forwarding lets the kernel accept packets on one interface and send them out of another, which is what a router does. A host that is not a router has no reason to relay traffic, and leaving forwarding on lets an attacker who reaches the host use it as a pivot into every network it is attached to. Container and virtualization hosts (Docker, libvirt) enable forwarding for their own NAT bridging; on such systems the setting must be handled as a documented exception rather than fixed blindly, or the workloads lose connectivity.

  • Ensure packet redirect sending is disabled (Automated)

This check ensures that the system does not send ICMP redirect messages (net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects set to 0).

An ICMP redirect tells another host that a better gateway exists for a destination, and the receiving host adjusts its routing accordingly. Only routers have any business sending them. A compromised host that is allowed to send redirects can steer neighbouring hosts' traffic through an attacker-controlled system, so on a host that does not route, disabling redirect sending costs nothing and removes that option.

  • Ensure source routed packets are not accepted (Automated)

This check ensures that source-routed packets are not accepted (accept_source_route set to 0 on the all and default settings for IPv4 and, if enabled, IPv6).

A source-routed packet carries the path it should take in its IP options, chosen by the sender instead of by the network's routers. That lets an attacker push traffic along a path that bypasses firewalls, reach addresses that are not normally routable from outside, and obtain replies to spoofed-source traffic. An ordinary host has no legitimate need for it.

  • Ensure ICMP redirects are not accepted (Automated)

This check ensures that ICMP redirect messages are not accepted (accept_redirects set to 0 on the all and default settings for IPv4 and IPv6). Accepting redirects lets any host on the local segment rewrite this system's routing for particular destinations, which is a straightforward man-in-the-middle technique. A host with administrator-defined static routing should ignore them.

  • Ensure secure ICMP redirects are not accepted (Automated)

This check ensures that "secure" ICMP redirects are not accepted either (net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects set to 0). A secure redirect is one that comes from a gateway already in the host's default gateway list. That origin check is easy to spoof from the local network, so rejecting these as well is the safer setting; it acts as defence in depth, since the setting only comes into play if accept_redirects is ever turned back on.

  • Ensure suspicious packets are logged (Automated)

This check ensures that packets with impossible source addresses ("martians", such as a private or loopback source arriving on the internet-facing interface) are logged to the kernel log (log_martians set to 1 on the all and default settings). Such packets are either misconfiguration or spoofing attempts, and the log entries are what lets an operator or a SIEM notice either. On a host exposed to a lot of junk traffic the logging is noisy, so forward the messages to a central log system rather than relying on the local journal alone.

  • Ensure broadcast ICMP requests are ignored (Automated)

This check ensures that ICMP echo requests sent to broadcast or multicast addresses are ignored (net.ipv4.icmp_echo_ignore_broadcasts set to 1). A host that answers such requests can be used as an amplifier in a Smurf-style attack, where the attacker pings the broadcast address with a spoofed source so that every host on the segment floods the victim with replies. Ignoring them also removes pointless traffic.

  • Ensure bogus ICMP responses are ignored (Automated)

This check ensures that bogus ICMP error responses are ignored (net.ipv4.icmp_ignore_bogus_error_responses set to 1). Some routers violate RFC 1122 by sending ICMP error responses to broadcast frames; by default the kernel logs each of them as a warning. With the setting enabled the kernel discards them silently, which keeps the kernel log from filling with noise that an attacker could also generate deliberately to bury other events.

  • Ensure Reverse Path Filtering is enabled (Automated)

This check ensures that reverse path filtering is enabled (net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter set to 1).

With reverse path filtering the kernel checks, for every incoming packet, whether a reply to that packet's source address would be routed out through the interface the packet arrived on. In strict mode (value 1) a packet that fails this test is dropped, which defeats most source-address spoofing on interfaces that should not carry that source. The caveat is asymmetric routing: a multi-homed host where legitimate traffic can arrive on one interface and leave through another loses packets under strict mode and should use loose mode (value 2), which only requires that the source be reachable through some interface.

  • Ensure TCP SYN Cookies is enabled (Automated)

This check ensures that TCP SYN cookies are enabled (net.ipv4.tcp_syncookies set to 1).

SYN cookies are a defence against SYN flood attacks, a denial-of-service technique (often distributed) in which the attacker sends large numbers of TCP SYN segments, usually from spoofed addresses, so that the target's queue of half-open connections fills up and legitimate clients can no longer connect. When that queue overflows, a kernel with SYN cookies enabled stops allocating state for new half-open connections and instead encodes the connection parameters into the sequence number of its SYN-ACK; a genuine client's final ACK returns that value and the connection is reconstructed from it, while spoofed SYNs cost nothing to remember.

  • Ensure IPv6 router advertisements are not accepted (Automated)

This check ensures that IPv6 router advertisements are not accepted (net.ipv6.conf.all.accept_ra and net.ipv6.conf.default.accept_ra set to 0). It applies only when IPv6 is enabled.

Router advertisements are how IPv6 routers announce prefixes, default gateways and other configuration to the hosts on a link, and hosts accept them automatically by default. Any machine on the same segment can send one, so a rogue advertisement can give the host a new default route through the attacker's system or a bogus prefix. A server with statically configured IPv6 addresses and routes should ignore them. The caveat is that a host relying on SLAAC for its IPv6 configuration loses connectivity once this is set, so confirm how addresses are assigned before applying it.
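The following is an added example rather than code from SecHard or the CIS benchmark. It audits the whole group of sysctl items above (IP forwarding through router advertisements, together with the manual IPv6 check) against a dump in the format sysctl -a prints, and emits the sysctl.d drop-in that remediates them. It assumes "key = value" lines as sysctl(8) prints them, skips the net.ipv6 items when IPv6 is disabled, and uses a constructed dump with three deliberately drifted values for the demo; the drop-in file name is a suggestion, not a benchmark requirement.

```sh
#!/bin/sh
# Added example (not from the SecHard page or the CIS benchmark scripts):
# audit the network sysctls of the items above against a "sysctl -a" style
# dump and emit the sysctl.d drop-in that remediates them.  Assumptions:
# "key = value" lines; net.ipv6.* items are skipped when IPv6 is disabled.

# Expected values (forwarding, redirects, source routing, martian logging,
# broadcast/bogus ICMP, rp_filter, SYN cookies, router advertisements).
EXPECTED='
net.ipv4.ip_forward 0
net.ipv6.conf.all.forwarding 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv6.conf.all.accept_source_route 0
net.ipv6.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv6.conf.all.accept_redirects 0
net.ipv6.conf.default.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.log_martians 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.tcp_syncookies 1
net.ipv6.conf.all.accept_ra 0
net.ipv6.conf.default.accept_ra 0
'

# Escape the dots of a sysctl key so it can be used as a sed regex.
key_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Print the value of one key from the dump, or nothing if it is absent.
sysctl_get() {   # $1 dump file, $2 key
    sed -n "s/^$(key_re "$2")[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# IPv6 counts as disabled only when both switches are 1 (manual item above).
ipv6_state() {   # $1 dump file -> enabled | disabled
    if [ "$(sysctl_get "$1" net.ipv6.conf.all.disable_ipv6)" = 1 ] \
        && [ "$(sysctl_get "$1" net.ipv6.conf.default.disable_ipv6)" = 1 ]; then
        echo disabled
    else
        echo enabled
    fi
}

# One FAIL line per mismatch, then the total number of failures last.
audit_sysctl() {   # $1 dump file
    v6=$(ipv6_state "$1"); fails=0
    while read -r key want; do
        if [ -z "$key" ]; then continue; fi
        if [ "$v6" = disabled ]; then
            case "$key" in net.ipv6.*) continue ;; esac
        fi
        have=$(sysctl_get "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "FAIL $key current=${have:-missing} expected=$want"
            fails=$((fails + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    echo "$fails"
}

# Remediation: content for a drop-in such as /etc/sysctl.d/60-net_sysctl.conf.
# Load it with "sysctl --system"; changed redirect and forwarding settings
# also need the route cache flushed (sysctl -w net.ipv4.route.flush=1).
emit_sysctl_conf() {   # $1 enabled | disabled (IPv6 state)
    while read -r key want; do
        if [ -z "$key" ]; then continue; fi
        if [ "$1" = disabled ]; then
            case "$key" in net.ipv6.*) continue ;; esac
        fi
        printf '%s = %s\n' "$key" "$want"
    done <<EOF
$EXPECTED
EOF
}

# Constructed "sysctl -a" extract for the demo: compliant except for three
# deliberately drifted keys, with IPv6 left enabled.
constructed_dump() {
    emit_sysctl_conf enabled | sed \
        -e 's/^net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' \
        -e 's/^net.ipv4.tcp_syncookies = 1/net.ipv4.tcp_syncookies = 0/' \
        -e 's/^net.ipv6.conf.all.accept_ra = 0/net.ipv6.conf.all.accept_ra = 1/'
    printf 'net.ipv6.conf.all.disable_ipv6 = 0\nnet.ipv6.conf.default.disable_ipv6 = 0\n'
}

demo() {
    f=$(mktemp); constructed_dump > "$f"
    echo "IPv6: $(ipv6_state "$f")"
    audit_sysctl "$f"          # three FAIL lines, then 3
    rm -f "$f"
}
demo
```

On a live host, feed the output of sysctl -a to audit_sysctl. The benchmark checks the persisted configuration as well as the running values, so also grep the files under /etc/sysctl.d and /etc/sysctl.conf: a value that is only set in the running kernel by some tool at boot can disappear on the next reboot.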

  • Ensure firewalld is installed (Automated)

firewalld is the firewall management service for a Linux system. A firewall controls the traffic entering and leaving a computer or network and decides which connections are allowed or blocked. firewalld is the default firewall front end in distributions such as CentOS, Fedora and RHEL (Red Hat Enterprise Linux), and on these releases it programs its rules through the nftables backend.

This check verifies that the firewalld package is present. It is the first of the firewalld items: the package has to exist before the service can be enabled, started and given a default zone, which the following checks cover. The firewalld items apply only when firewalld is the firewall chosen for the host; a host that uses nftables or iptables directly follows the corresponding group of items instead, and exactly one of the three stacks should be active.

  • Ensure iptables-services not installed with firewalld (Automated)

This check ensures that the iptables-services package is not installed when firewalld is in use. That package ships the iptables and ip6tables systemd units, which load their own rule sets from /etc/sysconfig at boot.

Two firewall services managing the same kernel packet filter would each load rules the other knows nothing about, so the effective policy becomes unpredictable and a rule one tool adds can silently undo a rule the other relies on. Keeping a single stack is what makes the policy auditable.

  • Ensure nftables either not installed or masked with firewalld (Automated)

This check ensures that, when firewalld is in use, the nftables service is either not installed or masked. In practice on RHEL 8 the nftables package is normally present because firewalld uses nftables as its backend, so the requirement comes down to masking nftables.service so that it cannot start and load its own ruleset next to the one firewalld manages.

As with iptables-services, the point is to stop two services from programming the same packet filter independently and producing a policy that neither tool fully represents.

  • Ensure firewalld service enabled and running (Automated)

This check ensures that the firewalld service is both enabled (set to start automatically at boot) and active (running now). A firewall that is installed but stopped, or running but not enabled, leaves the host unprotected either immediately or after the next reboot.

  • Ensure firewalld default zone is set (Automated)

This check ensures that firewalld has a default zone set. Any interface or connection that is not explicitly assigned to a zone lands in the default zone, so this is the policy that applies to traffic the administrator has not thought about; on a fresh installation it is "public".

Choosing the default zone deliberately keeps the security policy consistent. Interfaces on an internal network can be assigned to a more permissive zone and the internet-facing interface to a restrictive one, with the default zone acting as the safe fallback for anything new. The most restrictive zone that still allows the host's management access is the sensible choice.

  • Ensure nftables is installed (Automated)

This check verifies that the nftables package is installed. It applies to hosts that have chosen nftables as their firewall; nftables is the successor to iptables in the kernel and provides the nft command and nftables.service that the remaining items in this group rely on.

  • Ensure firewalld is either not installed or masked with nftables

This check ensures that, where nftables is the chosen firewall, firewalld is either not installed or masked so that it cannot start. firewalld would otherwise load its own tables into the same kernel packet filter, and the two rule sets would interfere with each other.

  • Ensure iptables-services not installed with nftables

This check ensures that iptables-services is not installed alongside nftables. If nftables is the chosen firewall, the iptables and ip6tables units that iptables-services provides must not be present to load a second, independent rule set at boot.

  • Ensure iptables are flushed with nftables

This check ensures that any existing iptables and ip6tables rules are flushed when nftables is adopted. On RHEL 8 the iptables command is itself a front end to the nf_tables kernel subsystem, so old iptables rules sit next to the nftables ruleset and keep being evaluated; flushing them guarantees that the nftables ruleset is the only policy in effect. If the iptables chains carry a DROP policy, flushing removes the rules that allow management traffic, so do it from a console or out-of-band session rather than over SSH.

  • Ensure an nftables table exists

This check ensures that at least one nftables table exists (as listed by nft list tables). Tables are the containers for chains and rules; without a table nothing is filtered, whether or not the service is running. The benchmark's examples use a table in the inet family, whose rules apply to both IPv4 and IPv6.

  • Ensure nftables base chains exist

If nftables is in use, this check verifies that the table contains base chains for the input, forward and output hooks. A base chain is one attached to a netfilter hook with a type and a priority; only base chains see traffic, and a regular chain is evaluated only when a base chain jumps to it.

Without all three base chains an entire direction of traffic goes unfiltered: no input chain means every inbound packet is accepted, no forward chain means the host relays traffic if forwarding is ever enabled, and no output chain means outbound traffic is unrestricted. The check reports missing chains; creating them is the remediation step, and the default deny policy of a later item is applied to exactly these chains.

  • Ensure nftables outbound and established connections are configured

This check ensures that the nftables rules for outbound and established connections are configured: the output chain allows new and established outbound connections, and the input chain accepts packets belonging to connections that are already established or related to one (ct state established,related). Loopback traffic is handled alongside this: traffic on the lo interface is accepted, and packets arriving on other interfaces with a loopback source address are dropped as spoofed. Together these rules are what let a default deny policy be applied without breaking the host's own outgoing connections and the replies to them.

  • Ensure nftables default deny firewall policy

If nftables is in use, this check ensures that the base chains for input, forward and output carry a drop policy, so that any packet no rule explicitly accepts is discarded. Traffic is then allowed only by specific rules for trusted sources or required services. Add the accept rules for management access (typically SSH) before switching the policy to drop, otherwise the change locks out the current session.

  • Ensure nftables service is enabled

This statement aims to ensure that the nftables service is enabled on the system. This means that nftables should run automatically when the system starts and perform its firewalling task.
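The following is an added example, not code from the SecHard page or the nftables project. It writes a ruleset that satisfies the nftables items above (table, base chains, loopback handling, outbound and established connections, default deny) and audits a ruleset dump, as produced by nft list ruleset, for those properties. It assumes the table is named "filter" in the inet family and that SSH on tcp/22 is the only inbound service kept open; both are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the SecHard page or the nftables project: a
# ruleset for the nftables items above and an audit of an "nft list
# ruleset" dump.  Assumptions: table "inet filter"; SSH (tcp/22) is the
# only inbound service; the file name below is a suggestion.

TABLE=${TABLE:-filter}

# Ruleset text, e.g. for /etc/nftables/cis.nft, included from
# /etc/sysconfig/nftables.conf so nftables.service loads it at boot.
emit_nft_ruleset() {
    cat <<EOF
table inet $TABLE {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ip saddr 127.0.0.0/8 iif != "lo" drop
        ip6 saddr ::1 iif != "lo" drop
        ct state established,related accept
        ct state invalid drop
        tcp dport 22 ct state new accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state new,established,related accept
    }
}
EOF
}

# One grep per required property; NFT_FILE and fails are set by the caller.
nft_need() {   # $1 extended regex, $2 failure text
    grep -Eq "$1" "$NFT_FILE" || { echo "FAIL $2"; fails=$((fails + 1)); }
}

# Audit a ruleset dump: one FAIL line per missing property, then fails=<n>.
# "priority [^;]+" matches both "priority 0" and the named "priority filter"
# that nft prints back.
audit_nft_ruleset() {   # $1 file
    NFT_FILE=$1; fails=0
    nft_need '^table (inet|ip|ip6) ' "no table"
    nft_need 'type filter hook input priority [^;]+; *policy drop' "input base chain missing or policy not drop"
    nft_need 'type filter hook forward priority [^;]+; *policy drop' "forward base chain missing or policy not drop"
    nft_need 'type filter hook output priority [^;]+; *policy drop' "output base chain missing or policy not drop"
    nft_need 'iif "lo" accept' "loopback input not accepted"
    nft_need 'ip saddr 127\.0\.0\.0/8.*drop' "spoofed 127/8 from non-loopback not dropped"
    nft_need 'ct state (established,related|related,established) accept' "established/related not accepted"
    echo "fails=$fails"
}

# Demo on constructed input: the compliant ruleset, then a copy with the
# loopback accept removed.
demo() {
    r=$(mktemp); emit_nft_ruleset > "$r"
    audit_nft_ruleset "$r"                         # fails=0
    grep -v 'iif "lo" accept' "$r" > "$r.bad"
    audit_nft_ruleset "$r.bad"                     # FAIL loopback ..., fails=1
    rm -f "$r" "$r.bad"
}
demo
```

Load the file with nft -f and, for the live audit, capture nft list ruleset to a file and pass it to audit_nft_ruleset. Because the policy is drop on all three base chains, apply it from a console or add the SSH accept rule first; the audit only proves the properties the items name, not that every service the host needs is reachable.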

  • Ensure iptables packages are installed

This check ensures that the iptables packages are installed: iptables, which provides the iptables and ip6tables commands, and iptables-services, which provides the systemd units that load the saved rule sets from /etc/sysconfig/iptables and /etc/sysconfig/ip6tables at boot. It applies to hosts that have chosen iptables as their firewall.

  • Ensure nftables is not installed with iptables

This check ensures that the nftables package is not installed when iptables is the chosen firewall, so that no second tool programs the packet filter. The iptables command on RHEL 8 talks to the nf_tables kernel API through its own libraries and does not need the nftables package, which provides the nft tool and nftables.service.

  • Ensure firewalld is either not installed or masked with iptables

This check ensures that, where iptables is the chosen firewall, firewalld is either not installed or masked so that it cannot start and load its own rules next to the iptables rule set.
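The following is an added example, not SecHard's tooling, covering the mutual-exclusion items of all three groups at once: the firewalld items (iptables-services not installed, nftables.service masked, firewalld enabled), the nftables items (firewalld masked or absent, iptables-services not installed, nftables.service enabled) and the iptables items (nftables not installed, firewalld masked or absent, iptables.service enabled). The verdict logic is pure and takes the observed facts as arguments; the probe functions assume rpm and systemctl exist on the live host and are only called from firewall_stack_audit.

```sh
#!/bin/sh
# Added example (not SecHard's tooling): decide which firewall stack the
# host has chosen and verify that the other two cannot interfere, following
# the mutual-exclusion items of the firewalld, nftables and iptables groups.
# Assumptions: rpm and systemctl exist on the live host; the verdict
# function is pure and takes the observed facts as arguments.

# Live probes: package present (yes/no) and unit state (enabled, disabled,
# masked, static, or "absent" when no such unit exists).
pkg_installed() { if rpm -q "$1" >/dev/null 2>&1; then echo yes; else echo no; fi; }
unit_state() {
    s=$(systemctl is-enabled "$1" 2>/dev/null || true)
    echo "${s:-absent}"
}

stack_fail() { echo "FAIL $1"; fails=$((fails + 1)); }

# Arguments: chosen stack (firewalld|nftables|iptables); installed state of
# firewalld, nftables, iptables-services; unit state of firewalld.service,
# nftables.service, iptables.service.  Prints FAIL lines, then fails=<n>.
firewall_stack_verdict() {
    stack=$1 fw_pkg=$2 nft_pkg=$3 ipt_pkg=$4 fw_unit=$5 nft_unit=$6 ipt_unit=$7
    fails=0
    case "$stack" in
    firewalld)
        [ "$fw_pkg" = yes ]      || stack_fail "firewalld package not installed"
        [ "$fw_unit" = enabled ] || stack_fail "firewalld.service not enabled"
        [ "$ipt_pkg" = no ]      || stack_fail "iptables-services installed alongside firewalld"
        # firewalld drives nftables as its backend, so the nftables package
        # stays; only nftables.service must be unable to load its own ruleset.
        case "$nft_unit" in masked|absent) ;; *) stack_fail "nftables.service must be masked" ;; esac
        ;;
    nftables)
        [ "$nft_pkg" = yes ]      || stack_fail "nftables package not installed"
        [ "$nft_unit" = enabled ] || stack_fail "nftables.service not enabled"
        [ "$ipt_pkg" = no ]       || stack_fail "iptables-services installed alongside nftables"
        case "$fw_unit" in masked|absent) ;; *) stack_fail "firewalld must be removed or masked" ;; esac
        ;;
    iptables)
        [ "$ipt_pkg" = yes ]      || stack_fail "iptables-services package not installed"
        [ "$ipt_unit" = enabled ] || stack_fail "iptables.service not enabled"
        [ "$nft_pkg" = no ]       || stack_fail "nftables installed alongside iptables"
        case "$fw_unit" in masked|absent) ;; *) stack_fail "firewalld must be removed or masked" ;; esac
        ;;
    *) stack_fail "unknown stack '$stack'" ;;
    esac
    echo "fails=$fails"
}

# Gather the facts from the running host and apply the verdict.
firewall_stack_audit() {   # $1 firewalld|nftables|iptables
    firewall_stack_verdict "$1" \
        "$(pkg_installed firewalld)" "$(pkg_installed nftables)" \
        "$(pkg_installed iptables-services)" \
        "$(unit_state firewalld)" "$(unit_state nftables)" "$(unit_state iptables)"
}

# Demo with constructed facts: a firewalld host that still has
# iptables-services installed and nftables.service enabled (fails=2).
firewall_stack_verdict firewalld yes yes yes enabled enabled absent
```

The "running" half of "enabled and running" is not part of the verdict; check it separately with systemctl is-active on the chosen stack's unit, since a unit can be enabled and still stopped until the next reboot.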

  • Ensure iptables loopback traffic is configured

This check ensures that iptables has rules that handle loopback traffic correctly: traffic arriving on and leaving through the lo interface is accepted, and packets that claim a 127.0.0.0/8 source address but arrive on any other interface are dropped as spoofed. Local services talking to each other over 127.0.0.1 depend on the first two rules once the default policy is deny, and the third stops an external sender from impersonating a local process.

  • Ensure iptables outbound and established connections are configured

This check ensures that iptables has rules for outbound and established connections: the OUTPUT chain accepts new and established connections for the protocols the host uses (typically tcp, udp and icmp), and the INPUT chain accepts packets in the ESTABLISHED state so that replies to the host's own connections get through. These rules are what make a default deny INPUT policy workable for a client or server that initiates traffic.

  • Ensure iptables default deny firewall policy

This check ensures that the default policy of the iptables built-in chains (INPUT, OUTPUT and FORWARD) is DROP, so that any packet no rule explicitly accepts is discarded and traffic is permitted only by specific rules for trusted sources or required services. Add the rules for management access (typically SSH) before changing the policy and, where possible, make the change from a console or out-of-band session; the rules must also be saved to /etc/sysconfig/iptables or they are lost at reboot.

  • Ensure iptables is enabled and active

This check ensures that the iptables service (iptables.service, provided by iptables-services) is enabled so that it starts at boot, and is active now. The service is what loads the saved rule set; without it the rules exist only in the running kernel and disappear on reboot.

  • Ensure ip6tables loopback traffic is configured

This check ensures that ip6tables has rules that handle loopback traffic for IPv6: traffic on the lo interface is accepted, and packets arriving on other interfaces with the ::1 loopback source address are dropped as spoofed. It applies only when IPv6 is enabled.

  • Ensure ip6tables outbound and established connections are configured

This check ensures that ip6tables has rules for outbound and established IPv6 connections, mirroring the IPv4 rules: the OUTPUT chain accepts new and established connections and the INPUT chain accepts packets in the ESTABLISHED state. The ICMP match differs (ipv6-icmp rather than icmp), and Neighbor Discovery (ICMPv6 types 133 to 137) is not tracked as a connection by conntrack, so an INPUT chain that only accepts ESTABLISHED ICMPv6 needs an explicit accept for neighbor solicitation and advertisement, or the host loses IPv6 connectivity on the link once the default policy is DROP.

  • Ensure ip6tables default deny firewall policy

This check ensures that the default policy of the ip6tables built-in chains (INPUT, OUTPUT and FORWARD) is DROP, so that inbound IPv6 traffic is discarded unless a rule for a trusted source or required service accepts it. It applies only when IPv6 is enabled; on a host with IPv6 disabled the item is not applicable rather than failed.

  • Ensure ip6tables is enabled and active

This check ensures that the ip6tables service (ip6tables.service, provided by iptables-services) is enabled and active, so that the saved IPv6 rule set in /etc/sysconfig/ip6tables is loaded at boot and IPv6 traffic is actually filtered. It applies only when IPv6 is enabled.
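The following is an added example, not taken from the SecHard page or the iptables project. It prints the rule set the iptables and ip6tables items above describe (loopback, outbound and established connections, default deny) for either address family and audits an iptables-save style dump for those properties. It assumes SSH on tcp/22 is the only inbound service kept open, uses the -m state match (the audit also accepts the -m conntrack --ctstate form that iptables-save may print), and adds the Neighbor Discovery accepts for IPv6 that the ip6tables items need; the conversion to save format is a constructed stand-in so the audit runs offline.

```sh
#!/bin/sh
# Added example, not from the SecHard page or the iptables project: the
# rule set of the iptables/ip6tables items above and an audit of an
# iptables-save style dump.  Assumptions: SSH (tcp/22) is the only inbound
# service; "-m state" is used, and the audit also accepts "--ctstate".

# Print the commands for one family: $1 is "iptables" or "ip6tables".
# Accept rules come first and the DROP policies last, so applying the
# list over an SSH session does not cut the session off halfway through.
emit_rules() {
    t=$1
    if [ "$t" = ip6tables ]; then lo=::1/128 icmp=ipv6-icmp; else lo=127.0.0.0/8 icmp=icmp; fi
    cat <<EOF
$t -A INPUT -i lo -j ACCEPT
$t -A OUTPUT -o lo -j ACCEPT
$t -A INPUT -s $lo -j DROP
$t -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
$t -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
$t -A OUTPUT -p $icmp -m state --state NEW,ESTABLISHED -j ACCEPT
$t -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
$t -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
$t -A INPUT -p $icmp -m state --state ESTABLISHED -j ACCEPT
$t -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
EOF
    # Neighbor Discovery is untracked by conntrack and never matches
    # ESTABLISHED; without these a DROP policy breaks IPv6 on the link.
    if [ "$t" = ip6tables ]; then
        printf '%s -A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT\n' "$t"
        printf '%s -A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT\n' "$t"
    fi
    printf '%s -P INPUT DROP\n%s -P OUTPUT DROP\n%s -P FORWARD DROP\n' "$t" "$t" "$t"
}

# Turn the command list into iptables-save style lines (a constructed
# stand-in for real iptables-save output, so the audit can run offline).
to_save_format() {
    sed -E -e 's/^ip6?tables -P ([A-Z]+) ([A-Z]+)$/:\1 \2 [0:0]/' -e 's/^ip6?tables //'
}

ipt_need() {   # $1 extended regex, $2 failure text; IPT_FILE/fails set by caller
    grep -Eq "$1" "$IPT_FILE" || { echo "FAIL $2"; fails=$((fails + 1)); }
}

# Audit a dump for one family.  $2 is the loopback source that must be
# dropped on non-lo interfaces: 127.0.0.0/8 for IPv4, ::1/128 for IPv6.
audit_save() {
    IPT_FILE=$1; fails=0
    ipt_need '^:INPUT DROP' "INPUT policy is not DROP"
    ipt_need '^:OUTPUT DROP' "OUTPUT policy is not DROP"
    ipt_need '^:FORWARD DROP' "FORWARD policy is not DROP"
    ipt_need '^-A INPUT -i lo -j ACCEPT' "loopback input not accepted"
    ipt_need '^-A OUTPUT -o lo -j ACCEPT' "loopback output not accepted"
    ipt_need "^-A INPUT -s $2 -j DROP" "spoofed loopback source not dropped"
    ipt_need '^-A INPUT .*--(ct)?state ([A-Z,]*,)?ESTABLISHED.*-j ACCEPT' "established inbound not accepted"
    ipt_need '^-A OUTPUT .*--(ct)?state ([A-Z,]*,)?NEW.*-j ACCEPT' "new outbound not accepted"
    echo "fails=$fails"
}

# Demo: both families generated and audited from constructed dumps.
demo() {
    d=$(mktemp)
    emit_rules iptables | to_save_format > "$d"
    audit_save "$d" 127.0.0.0/8                # fails=0
    emit_rules ip6tables | to_save_format > "$d"
    audit_save "$d" ::1/128                    # fails=0
    rm -f "$d"
}
demo
```

To apply on a host that has chosen iptables, pipe emit_rules iptables (and ip6tables, if IPv6 is enabled) into a root shell, then persist with service iptables save and service ip6tables save so iptables.service and ip6tables.service reload the rules at boot; audit the live state by passing the output of iptables-save and ip6tables-save to audit_save.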

 
