With that being said, it does not appear to work well with specialized setups such as Fedora Silverblue/Kinoite or Ubuntu with ZSys. On older systems where autofs is used, you should mask the autofs service to disable automatic mounting. On Ubuntu and Debian, the environment file is /etc/default/chrony, and the seccomp filter should already be enabled by default. If you decide on using NTS with chronyd, use multiple, independent time providers and set minsources greater than 1, so that a single faulty or compromised provider cannot steer the clock on its own.
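The chrony configuration this paragraph describes, as an added example that is not part of the original page: a function that writes the NTS fragment, and a check that catches the two misconfigurations that matter in practice (an unauthenticated server slipping in, and a minsources value that the configured servers can never satisfy, which leaves chronyd never synchronized). The three server names are assumptions chosen for illustration; replace them with providers you trust.

```shell
#!/bin/sh
# Added example (not from the original page): generate a chrony.conf
# fragment that uses NTS with several independent providers and requires
# more than one agreeing source, then sanity-check it before deploying.
# The server names are assumptions for illustration.

# Emit the chrony.conf fragment on stdout. $1 = minsources value.
chrony_nts_conf() {
    minsources="${1:-2}"
    cat <<EOF
# Three independent NTS-capable servers (illustrative choices).
server time.cloudflare.com iburst nts
server nts.netnod.se       iburst nts
server ptbtime1.ptb.de     iburst nts
# Only adjust the clock when at least this many sources agree, so a single
# compromised or faulty provider cannot steer the clock.
minsources ${minsources}
# Persist NTS cookies and keys across restarts.
ntsdumpdir /var/lib/chrony
EOF
}

# Check a fragment read from stdin: every server must use NTS, minsources
# must be > 1, and minsources must not exceed the number of servers
# (otherwise the quorum can never be reached and chronyd never syncs).
# Returns 0 when the fragment is acceptable, 1 otherwise.
chrony_conf_check() {
    conf=$(cat)
    servers=$(printf '%s\n' "$conf" | grep -c '^server ' || true)
    plain=$(printf '%s\n' "$conf" | grep '^server ' | grep -vc ' nts' || true)
    min=$(printf '%s\n' "$conf" | awk '$1=="minsources"{print $2}')
    [ "$plain" -eq 0 ] || { echo "server line(s) without nts" >&2; return 1; }
    [ -n "$min" ] && [ "$min" -gt 1 ] || { echo "minsources must be > 1" >&2; return 1; }
    [ "$min" -le "$servers" ] || { echo "minsources exceeds server count" >&2; return 1; }
    return 0
}
```

On Debian and Ubuntu the seccomp filter is controlled by DAEMON_OPTS="-F 1" in /etc/default/chrony; after restarting chronyd, chronyc -N authdata shows whether each source actually negotiated NTS rather than silently falling back.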

  • Changing the content of a trusted file or directory changes their checksum, and therefore fapolicyd no longer considers them trusted.
  • While this is generally not a problem, if your threat model calls for anonymity, you should avoid using Snap packages and uninstall snapd.
  • Several projects which aim to tackle this problem are discussed here.
  • To prevent all users from using cron, add a line containing ALL to /etc/cron.deny.
  • For those items that you don’t fully understand, follow up by doing more research first instead of just copy-pasting configuration snippets.
  • In addition to securing the BIOS with a password, booting to any external devices should be disabled.
  • Of course, this is bypassable if you or some other applications launch the application directly from /usr/bin/app_name_here instead.

You can solve this denial by adding a corresponding rule to /etc/polkit-1/rules.d/. Note that the system can install the pcsc-lite package as a dependency when you install other packages related to smart cards, such as opensc. RHEL provides the OpenSC PKCS #11 driver for smart cards by default. Install the httpd-manual package to obtain complete documentation for the Apache HTTP Server, including TLS configuration. The directives available in the /etc/httpd/conf.d/ssl.conf configuration file are described in detail in the /usr/share/httpd/manual/mod/mod_ssl.html file.
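A rule of that kind, as an added example that is not from the original page or from RHEL's documentation: the action IDs org.debian.pcsc-lite.access_pcsc and org.debian.pcsc-lite.access_card are the ones pcsc-lite registers with polkit; the group name smartcard, the rule file name and the target-directory parameter are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original page or RHEL's documentation):
# install a polkit rule that lets members of one group use the PC/SC
# daemon without an authentication prompt. The group name "smartcard"
# and the file name are assumptions. $1 = rules directory (defaults to
# /etc/polkit-1/rules.d), $2 = group name. Prints the path written.
install_pcscd_polkit_rule() {
    dir="${1:-/etc/polkit-1/rules.d}"
    group="${2:-smartcard}"
    rule="$dir/20-pcscd-$group.rules"
    cat > "$rule" <<EOF
/* Allow members of the "$group" group to talk to pcscd and to access
   cards; every other subject keeps the distribution's default policy. */
polkit.addRule(function(action, subject) {
    if ((action.id == "org.debian.pcsc-lite.access_pcsc" ||
         action.id == "org.debian.pcsc-lite.access_card") &&
        subject.isInGroup("$group")) {
        return polkit.Result.YES;
    }
});
EOF
    chmod 0644 "$rule"
    printf '%s\n' "$rule"
}
```

pkaction --action-id org.debian.pcsc-lite.access_pcsc --verbose shows the policy that applies before the rule. Scoping the grant to a group, rather than returning polkit.Result.YES for every subject, keeps the rule from becoming a general bypass for all local users.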

1 Application sandboxing

The Clevis client should store the state produced by this provisioning operation in a convenient location. Network-Bound Disk Encryption (NBDE) makes a system containing your data available only when the system is connected to a certain secure network. You can set up the verifier and registrar, which are the Keylime server components, by using the keylime_server RHEL System Role.

  • You can encrypt a blank block device, which you can use for an encrypted storage by using the LUKS2 format.
  • System hardening is the process of securing a system by reducing possible weaknesses.
  • You can use an Ansible playbook with the logging System Role to configure logging on RHEL servers and set them to receive logs from a remote logging system using TLS encryption.
  • You should stick to the default for each variant (AppArmor for Tumbleweed and SELinux for MicroOS).
  • The oscap tool scans your system, validates security compliance content, and generates reports and guides based on these scans.
  • This is defined in the /etc/inittab file; if you look closely in that file, you will see a line similar to the one below.
  • Re-establishing the connection ensures that the IP address is resolved by DNS again.

The luksmeta package, which stores the NBDE provisioning state in LUKS1 metadata, is used only for volumes encrypted with LUKS1. You can use the storage role to create and configure a volume encrypted with LUKS by running an Ansible playbook. You can encrypt existing data on a block device without creating free space for storing a LUKS header: the header is then stored in a detached location, which also serves as an additional layer of security, since the device itself carries no LUKS header. The checksum resilience mode stores individual checksums of the sectors in the re-encryption area, so that if re-encryption is interrupted the recovery process can detect which sectors LUKS2 already re-encrypted. Advanced Intrusion Detection Environment (AIDE) is a utility that creates a database of files on the system, and then uses that database to ensure file integrity and detect system intrusions.
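The three LUKS2 operations mentioned above (format a blank device, encrypt existing data with a detached header, bind the volume to a Tang server with Clevis), as an added example that is not from the original page or from Red Hat. The device path, header file and Tang URL are placeholders; with DRY_RUN=1 each function prints the command it would run instead of executing it, which is how to review the plan before anything touches a disk, and the functions refuse the unsafe cases (a mounted device, in-place encryption without a header location) up front.

```shell
#!/bin/sh
# Added example (not from the original page or from Red Hat): build the
# cryptsetup/clevis command lines for the operations described above and
# refuse unsafe combinations before touching the disk. With DRY_RUN=1 the
# commands are printed instead of executed. Device paths, the header file
# and the Tang URL are placeholders for this illustration.

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Refuse to operate on a device that is currently mounted: luksFormat and
# reencrypt on a mounted filesystem destroy or corrupt its data.
assert_unmounted() {
    if [ -r /proc/mounts ] && grep -q "^$1 " /proc/mounts; then
        echo "$1 is mounted" >&2; return 1
    fi
}

# 1. Blank device: create a fresh LUKS2 container (no data to preserve).
luks2_format_blank() {
    assert_unmounted "$1" || return 1
    run cryptsetup luksFormat --type luks2 "$1"
}

# 2. Existing data and no free space for a header: encrypt in place and
#    keep the header in a detached file. Without --header, cryptsetup would
#    need --reduce-device-size and free space at the end of the filesystem.
#    checksum resilience lets an interrupted re-encryption be resumed safely.
luks2_encrypt_existing_detached() {
    dev="$1"; header="$2"
    [ -n "$header" ] || { echo "detached header path required" >&2; return 1; }
    assert_unmounted "$dev" || return 1
    run cryptsetup reencrypt --encrypt --type luks2 --resilience checksum \
        --header "$header" "$dev"
}

# 3. Bind the LUKS2 volume to a Tang server (NBDE). Clevis keeps the
#    provisioning state in the LUKS2 header; luksmeta is only for LUKS1.
clevis_bind_tang() {
    dev="$1"; url="$2"
    run clevis luks bind -d "$dev" tang "{\"url\":\"$url\"}"
}
```

After a real bind, clevis luks list -d /dev/<device> shows the slot and pin that were provisioned; keep a passphrase in another keyslot so the volume stays recoverable when the Tang server is unreachable.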

Systemd Sandboxing

The server receives remote input from remote_rsyslog and remote_files and outputs the logs to local files in directories named by remote host names. An application is trusted when it is properly installed by the system package manager, and therefore it is registered in the system RPM database. The fapolicyd daemon uses the RPM database as a list of trusted binaries and scripts.
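An added example (not from the page or from the fapolicyd project) of the trust mechanism described here and in the first bullet of the list above: fapolicyd records each trusted file as a line of the form "path size sha256" and compares that against the file on disk, so any modification makes the entry stale and the file untrusted. The script reproduces that comparison with sha256sum and wc; the file it creates is constructed for the demonstration, and the real workflow uses fapolicyd-cli as noted in the comments.

```shell
#!/bin/sh
# Added example (not from the original page or the fapolicyd project):
# reproduce the "path size sha256" trust entries fapolicyd keeps for files
# and show that editing a trusted file invalidates its entry. In production
# the real tool does this work:
#   fapolicyd-cli --file add /opt/app/bin/tool --trust-file app
#   fapolicyd-cli --update            # ask the daemon to reload its trust db
# File contents below are constructed for the demonstration; paths with
# spaces are not handled, matching the single-space-separated format.

# Print a trust entry for a file in fapolicyd's trust-file format.
trust_entry() {
    f="$1"
    size=$(wc -c < "$f" | tr -d ' ')
    hash=$(sha256sum "$f" | cut -d' ' -f1)
    printf '%s %s %s\n' "$f" "$size" "$hash"
}

# Compare a file against a stored entry. Returns 0 when size and sha256
# still match (file still trusted), 1 when the file changed.
trust_check() {
    entry="$1"
    f=$(printf '%s' "$entry" | cut -d' ' -f1)
    [ "$(trust_entry "$f")" = "$entry" ]
}

# Demonstration: prints the trust state before and after editing a file.
demo_edit_untrusts() {
    tmp=$(mktemp)
    printf '#!/bin/sh\necho hello\n' > "$tmp"      # constructed "binary"
    entry=$(trust_entry "$tmp")
    before=$(trust_check "$entry" && echo trusted || echo untrusted)
    printf 'echo tampered\n' >> "$tmp"             # modify the trusted file
    after=$(trust_check "$entry" && echo trusted || echo untrusted)
    rm -f "$tmp"
    printf '%s %s\n' "$before" "$after"
}
```

The same comparison is what makes packaged files trusted: the RPM database already carries the size and digest of every installed file, which is why fapolicyd can use it directly and why files that are edited after installation stop being trusted.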

To ensure that your RHEL system generates and uses all cryptographic keys only with FIPS-approved algorithms, you must switch RHEL to FIPS mode. When installing Red Hat Enterprise Linux 9, the installation medium represents a snapshot of the system at a particular time.

6.1. Configuring client logging with TLS

Disabling SELinux removes a security mechanism from the system. Think carefully before doing so; if your system is connected to the internet and accessed by the public, think again. Sudo privileges are specified in the /etc/sudoers file, which should only be edited with the visudo utility: it opens the file in vi (or the editor named by EDITOR) and checks the syntax before saving, so a typo cannot lock you out of sudo. Configure the BIOS to disable booting from CD/DVD, external devices and floppy drives.

This way you always have the option to go back to a previous configuration, if for some reason things fail. This checklist has been created based on our knowledge and additional research. A critical view on any of the suggestions is not just a good idea, but required.

Chapter 1. Securing RHEL during installation

It ensures reliable delivery of event messages and you can use it in environments that do not tolerate any message loss. This procedure creates a private key and certificate, and configures TLS on all hosts in the server group in the Ansible inventory. As an administrator, you can use the logging RHEL System Role to configure a secure transfer of logs using Red Hat Ansible Automation Platform.