Red Hat Enterprise Linux 7 Hardening Checklist

The hardening checklists are based on the comprehensive checklists produced by CIS. The Information Security Office has distilled the CIS lists down to the most critical steps for your systems, with a particular focus on configuration issues that are unique to the computing environment at The University of Texas at Austin.

How to use the checklist

Print the checklist and check off each item you complete to ensure that you cover the critical steps for securing your server. The Information Security Office uses this checklist during risk assessments as part of the process to verify that servers are secure.

How to read the checklist

Step - The step number in the procedure. If there is a UT Note for this step, the note # corresponds to the step #.
Check √ - This is for administrators to check off when she/he completes this portion.
To Do - Basic instructions on what to do to harden the respective system
CIS - Reference number in the Center for Internet Security Red Hat Enterprise Linux 7 Benchmark v1.1.0. The CIS document outlines in much greater detail how to complete each step.
UT Note - The UT Note at the bottom of the page provides additional detail about the step for the university computing environment.
Cat I - For systems that include Category-I data, required steps are denoted with the ! symbol. All steps are recommended.
Cat II/III - For systems that include Category-II or -III data, all steps are recommended, and some are required (denoted by the !).
Min Std - This column links to the specific requirement for the university in the Minimum Security Standards for Systems document.

Server Information

MAC Address
IP Address
Machine Name
Asset Tag
Administrator Name
Date

		Preparation and Physical Security
Step	√	To Do	CIS	UT Note	Cat I	Cat II/III	Min Std
1		If machine is a new install, protect it from hostile network traffic until the operating system is installed and hardened.		§	!	!	5.1
2		Set a BIOS/firmware password.			!		4.1
3		Configure the device boot order to prevent unauthorized booting from alternate media.
4		Use the latest version of RHEL possible.	1.7		!	!	5.2
		Filesystem Configuration
5		Create a separate partition with the nodev, nosuid, and noexec options set for /tmp.	1.1.1-.4	§
6		Create separate partitions for /var, /var/log, /var/log/audit, and /home.	1.1.{5,7,8,9}	§
7		Bind mount /var/tmp to /tmp.	1.1.6
8		Set nodev option to /home.	1.1.10
9		Set nodev, nosuid, and noexec options on /dev/shm.	1.1.14-.16
10		Set sticky bit on all world-writable directories.	1.1.17
		System Updates
11		Register with Red Hat Satellite Server so that the system can receive patch updates.	1.2.1	§	!	!	5.2
12		Install the Red Hat GPG key and enable gpgcheck.	1.2.2-.3
		Secure Boot Settings
13		Set user/group owner to root, and permissions to read and write for root only, on /boot/grub2/grub.cfg.	1.5.1-.2	§
14		Set boot loader password.	1.5.3
15		Remove the X Window system.	3.2	§
16		Disable X Font Server.
		Process Hardening
17		Restrict core dumps.	1.6.1	§
18		Enable Randomized Virtual Memory Region Placement.	1.6.2	§	!
		OS Hardening
19		Remove legacy services (e.g., telnet-server; rsh, rlogin, rcp; ypserv, ypbind; tftp, tftp-server; talk, talk-server)	2.1.{1,3-10}		!	!
20		Disable any services and applications started by xinetd or inetd that are not being utilized.		§	!	!	5.4
21		Remove xinetd, if possible.	2.1.11	§	!
22		Disable legacy services (e.g., chargen-dgram, chargen-stream, daytime-dgram, daytime-stream, echo-dgram, echo-stream, tcpmux-server)	2.1.{12-18}		!	!
23		Disable or remove server services that are not going to be utilized (e.g., FTP, DNS, LDAP, SMB, DHCP, NFS, SNMP, etc.)			!		5.4
24		Set Daemon umask	3.1
		Network Security and Firewall Configuration
25		Limit connections to services running on the host to authorized users of the service via firewalls and other access control technologies.	4.7	§	!	!	5.5
26		Disable IP forwarding.	4.1.1
27		Disable send packet redirects.	4.1.2
28		Disable source routed packet acceptance.	4.2.1