Red Hat Enterprise Linux (RHEL)

The following are Delinea-recommended best practices for hardening the RHEL distribution running the PRA engine. Customers are responsible for managing their own servers.

System RHEL:

It is recommended that RHEL be a vendor-supported release.

It is recommended that vendor-packaged system security patches and updates are installed and up to date.

It is recommended that the rsyslog service is running in RHEL.

For RHEL systems using Domain Name Servers (DNS) resolution, it is recommended that at least two name servers are configured.

It is recommended that RHEL securely compares its internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network, and/or the Global Positioning System (GPS).

It is recommended that RHEL does not have the telnet-server package installed.

It is recommended that RHEL enables mitigations against processor-based vulnerabilities.

Directories, Files and Permissions:

It is recommended that the /var/log directory is owned by root, group-owned by root, and has mode 0755 or less permissive.

It is recommended that the /var/log/messages file is owned by root, group-owned by root, and has mode 0640 or less permissive.

It is recommended that system commands are owned by root, group-owned by root (or a system account), and have mode 0755 or less permissive.

It is recommended that library directories are owned by root.

It is recommended that SSH private host key files are mode 0640 or less permissive.

It is recommended that RHEL restricts privilege elevation to authorized personnel.

It is recommended that RHEL prevents the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
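
One way to audit the ownership and mode recommendations in this section, added here as an example (it is not Delinea or Red Hat tooling). The function names are hypothetical, GNU stat is assumed, and /etc/ssh/ssh_host_*_key is assumed to be the OpenSSH default host key location.

```sh
#!/bin/sh
# Added example: audits the ownership/mode recommendations listed above.
# Assumes GNU stat (coreutils), as shipped with RHEL.

# mode_within ACTUAL MAX: succeeds when ACTUAL sets no bit that MAX lacks.
# A numeric comparison is wrong for "or less permissive": 0666 < 0755 as a
# number, yet it grants group/other write. setuid/setgid/sticky count too.
mode_within() {
    [ $(( 0$1 & ~0$2 & 07777 )) -eq 0 ]
}

# check_path PATH OWNER GROUP MAXMODE: OWNER or GROUP of "-" skips that test.
# Prints one PASS/FAIL line and returns non-zero on failure.
check_path() {
    cp_info=$(stat -c '%U %G %a' -- "$1" 2>/dev/null) || {
        echo "FAIL $1: cannot stat"; return 1; }
    set -- "$1" "$2" "$3" "$4" $cp_info   # $5=owner $6=group $7=mode
    if [ "$2" != "-" ] && [ "$2" != "$5" ]; then
        echo "FAIL $1: owner $5, expected $2"; return 1
    fi
    if [ "$3" != "-" ] && [ "$3" != "$6" ]; then
        echo "FAIL $1: group $6, expected $3"; return 1
    fi
    if ! mode_within "$7" "$4"; then
        echo "FAIL $1: mode $7 exceeds $4"; return 1
    fi
    echo "PASS $1 ($5:$6 $7)"
}

# audit_pra_host: the /var/log, /var/log/messages and SSH host key checks.
# The host key glob is an assumption; adjust it if sshd_config sets HostKey.
audit_pra_host() {
    ap_rc=0
    check_path /var/log          root root 0755 || ap_rc=1
    check_path /var/log/messages root root 0640 || ap_rc=1
    for ap_key in /etc/ssh/ssh_host_*_key; do
        [ -e "$ap_key" ] || continue
        check_path "$ap_key" - - 0640 || ap_rc=1
    done
    return "$ap_rc"
}

# Run the audit only when asked, so the functions can be sourced and reused.
if [ "${1:-}" = "--run" ]; then audit_pra_host; exit $?; fi
```

Invoke the script with --run as root on the PRA host; a non-zero exit status means at least one path deviates from the recommendations.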

Network SSH/OpenSSL:

It is recommended that a firewall is active on RHEL.

It is recommended that an RHEL firewall employs a deny-all, allow-by-exception policy for allowing connections to other systems.

It is recommended that RHEL ignores and/or prevents IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.

It is recommended that the RHEL operating system implements DoD-approved encryption to protect the confidentiality of SSH server connections. The RHEL operating system must implement DoD-approved encryption in the OpenSSL package. RHEL must ensure the SSH server uses strong entropy.