RHEL 7 STIG — Free Checklist (24 Items) | TickYouOff

Hard 24 items · 4 hours
testuser Published 1 month ago

This checklist walks through key Red Hat Enterprise Linux 7 (RHEL 7) STIG hardening tasks to improve system security and compliance. It is designed for system administrators and IT staff who need a practical, ordered set of actions for applying DISA STIG recommendations and running SCAP checks.

Source: https://ncp.nist.gov/checklist/796

  1. Update system packages and apply security patches — Run yum update and reboot if kernel or core packages were updated.
  2. Configure SELinux to enforcing mode and persist settings — Ensure /etc/selinux/config has SELINUX=enforcing and relabel if changed.
  3. Configure SSH daemon settings — Edit /etc/ssh/sshd_config and restart sshd after changes.
  4. Disable root login via SSH (PermitRootLogin no) — Set PermitRootLogin no in sshd_config to prevent direct root access.
  5. Enforce SSH Protocol 2 and strong ciphers — Ensure Protocol 2 and specify strong Ciphers/KexAlgorithms/MACs.
  6. Disable empty passwords and increase SSH logging — Set PermitEmptyPasswords no and LogLevel INFO in sshd_config.
  7. Enable and configure firewalld to restrict inbound traffic — Open only required ports and set default zone to drop or deny.
  8. Identify unnecessary services to disable — Inventory active services with systemctl list-units --type=service.
  9. List active system services for review — Use systemctl or chkconfig to gather services running at boot.
  10. Stop and disable identified unwanted services — Use systemctl stop <svc> && systemctl disable <svc> for each service.
  11. Set password complexity and aging policies — Configure pam_pwquality and /etc/login.defs for min length and aging.
  12. Configure sudoers to restrict elevated access — Remove NOPASSWD entries and limit sudo to necessary users/groups.
  13. Secure file permissions for critical system files — Verify ownership and permissions for /etc/passwd, /etc/shadow, /etc/gshadow.
  14. Verify /etc/shadow and /etc/passwd permissions — Ensure /etc/shadow is 0000/600 and owned by root:root as appropriate.
  15. Enable and configure auditd to capture system events — Start auditd and enable service; persist rules in /etc/audit/rules.d.
  16. Add audit rules for privileged actions and system calls — Include rules for su/sudo, permission changes, and network configuration.
  17. Install SCAP content and DISA RHEL7 STIG XCCDF/OVAL — Obtain DISA SCAP/XCCDF content and install the openscap and openscap-scanner packages.
  18. Run OpenSCAP or SCAP scan and generate a compliance report — Execute oscap xccdf eval and save HTML/XML results for review.
  19. Review scan results and apply STIG remediations by severity — Prioritize high-severity findings, patch, and update configs; re-scan after fixes.
  20. Configure system time synchronization (chrony or ntpd) — Ensure accurate time with chronyd enabled and configured to trusted NTP servers.
  21. Remove or disable legacy/unneeded network protocols and daemons — Uninstall or disable telnet, ftp, rsh and other legacy services.
  22. Restrict cron and at usage to authorized users — Validate /etc/cron.allow, /etc/cron.deny and /etc/at.allow settings.
  23. Backup configuration files and document changes — Store copies of altered files and record change rationale and dates.
  24. Schedule regular compliance scans and routine updates — Automate periodic SCAP scans and patching cadence to maintain compliance.
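Items 3 to 6 each name an sshd_config directive but not how to verify the effective value before restarting sshd. The POSIX sh script below is an added example for this page, not code from TickYouOff or the checklist author: it reads the first active occurrence of each directive (which is what sshd applies), stops at any Match block, and reports every non-compliant setting. The AES-CTR cipher set used as the approved list is an assumption to adjust to your STIG version, and the sample config it checks is constructed.

```shell
#!/bin/sh
# Added example for checklist items 3 to 6 (not part of the TickYouOff page):
# audit an sshd_config for the settings those items name. Portable POSIX sh.

# sshd_value FILE KEY: print the effective value of KEY. sshd applies the
# first occurrence it meets, and directives after a "Match" line are
# conditional, so scanning stops there. Commented lines never match
# because "#Key" is not equal to "Key".
sshd_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE: print one "FAIL ..." line per non-compliant
# directive; exit 0 when everything checked is compliant, 1 otherwise.
check_sshd_config() {
    cfg="$1"; rc=0

    v=$(sshd_value "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || { echo "FAIL PermitRootLogin is '${v:-unset}', expected no"; rc=1; }

    v=$(sshd_value "$cfg" PermitEmptyPasswords)
    [ "$v" = "no" ] || { echo "FAIL PermitEmptyPasswords is '${v:-unset}', expected no"; rc=1; }

    # "Protocol 2,1" would still offer SSHv1 on an old build, so require exactly 2
    v=$(sshd_value "$cfg" Protocol)
    [ "$v" = "2" ] || { echo "FAIL Protocol is '${v:-unset}', expected 2"; rc=1; }

    v=$(sshd_value "$cfg" LogLevel)
    case "$v" in
        INFO|VERBOSE) ;;
        *) echo "FAIL LogLevel is '${v:-unset}', expected INFO"; rc=1 ;;
    esac

    # Ciphers must be pinned and every entry must be from the AES-CTR set
    # (assumed here as the approved list; adjust to your STIG version).
    v=$(sshd_value "$cfg" Ciphers)
    if [ -z "$v" ]; then
        echo "FAIL Ciphers not pinned (sshd default list would apply)"; rc=1
    else
        for c in $(printf '%s' "$v" | tr ',' ' '); do
            case "$c" in
                aes128-ctr|aes192-ctr|aes256-ctr) ;;
                *) echo "FAIL unapproved cipher: $c"; rc=1 ;;
            esac
        done
    fi
    return $rc
}

# Demo on a constructed sample config (not a real host's file).
demo_cfg=$(mktemp)
printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' 'Protocol 2,1' \
    'LogLevel QUIET' 'Ciphers aes256-ctr,arcfour' > "$demo_cfg"
check_sshd_config "$demo_cfg" || echo "sample config: non-compliant"
rm -f "$demo_cfg"
```

Run it as `check_sshd_config /etc/ssh/sshd_config` after editing and before `systemctl restart sshd`; a `sshd -t` syntax check is still worth running alongside it, since this script only validates the values it knows about.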
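Items 13 and 14 ask for ownership and mode checks on the account files but leave the comparison to the reader. The script below is an added example written for this page, not the checklist author's code: it compares `stat` output against an allowed list of octal modes and an expected owner and group, accepting 0000 or 0600 for /etc/shadow and /etc/gshadow as item 14 allows. It assumes GNU/Linux `stat -c` (coreutils, as on RHEL 7); the 0644 mode for /etc/passwd is the STIG value and is not stated on the page.

```shell
#!/bin/sh
# Added example for checklist items 13 and 14 (not part of the TickYouOff
# page): verify mode and ownership of critical files. Assumes GNU/Linux
# `stat -c` (coreutils), as on RHEL 7.

# normalize_mode MODE: strip leading zeros so "0000" -> "0", "0644" -> "644",
# matching what `stat -c %a` prints.
normalize_mode() {
    m=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${m:-0}"
}

# check_file_perms PATH "ALLOWED MODES" OWNER GROUP: exit 0 when the file's
# mode is one of the allowed octal modes and owner/group match; print a FAIL
# line for each mismatch and exit 1 otherwise.
check_file_perms() {
    path="$1"; allowed="$2"; owner="$3"; group="$4"
    [ -e "$path" ] || { echo "FAIL $path missing"; return 1; }
    set -- $(stat -c '%a %U %G' "$path")
    mode="$1"; cur_owner="$2"; cur_group="$3"
    rc=0; ok=0
    for a in $allowed; do
        [ "$mode" = "$(normalize_mode "$a")" ] && ok=1
    done
    [ "$ok" -eq 1 ] || { echo "FAIL $path mode $mode, allowed: $allowed"; rc=1; }
    [ "$cur_owner" = "$owner" ] || { echo "FAIL $path owner $cur_owner, expected $owner"; rc=1; }
    [ "$cur_group" = "$group" ] || { echo "FAIL $path group $cur_group, expected $group"; rc=1; }
    return $rc
}

# check_critical_files: the files item 13 names, with the modes item 14
# allows for the shadow files and the STIG's 0644 for /etc/passwd.
check_critical_files() {
    rc=0
    check_file_perms /etc/passwd  "0644"      root root || rc=1
    check_file_perms /etc/shadow  "0000 0600" root root || rc=1
    check_file_perms /etc/gshadow "0000 0600" root root || rc=1
    return $rc
}

check_critical_files && echo "account files: OK" || echo "account files: review FAIL lines above"
```

The allowed-mode list is deliberately exact rather than "at most these bits", so a file that has been made more restrictive than the STIG expects still shows up for review instead of silently passing.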
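Items 15 and 16 say which activity auditd should capture (su/sudo, permission changes, network configuration) and where rules persist, without showing a rules file. The script below is an added example for this page, not the checklist author's or the audit project's own file: it writes a rules file in auditctl syntax covering those three areas, then checks that each required watch and syscall rule is present. The `-k` key names are chosen for the example; the paths are standard RHEL 7 locations.

```shell
#!/bin/sh
# Added example for checklist items 15 and 16 (not part of the TickYouOff
# page): write a STIG-style rules file for /etc/audit/rules.d and verify it.
# Rule syntax is auditctl's; the key names (-k) are chosen for this example.

# write_audit_rules FILE: write watch and syscall rules for the three areas
# item 16 names: privilege escalation, permission changes, network config.
write_audit_rules() {
    cat > "$1" <<'EOF'
## Privileged actions: su/sudo execution by real users (auid >= 1000) and
## changes to the sudoers policy. auid 4294967295 is "unset" (daemons, boot).
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-w /etc/sudoers -p wa -k privileged-actions
-w /etc/sudoers.d/ -p wa -k privileged-actions

## Permission and ownership changes (both ABIs, so 32-bit binaries are covered)
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod

## Network configuration changes
-a always,exit -F arch=b64 -S sethostname,setdomainname -k audit_network_modifications
-a always,exit -F arch=b32 -S sethostname,setdomainname -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications
-w /etc/sysconfig/network-scripts/ -p wa -k audit_network_modifications
EOF
}

# check_audit_rules FILE: exit 0 when every required path/syscall is covered,
# printing a FAIL line for each that is missing. The trailing space after
# "su " keeps it from matching the sudo rule.
check_audit_rules() {
    f="$1"; rc=0
    for want in \
        '-w /etc/sudoers -p wa' \
        '-F path=/usr/bin/su ' \
        '-F path=/usr/bin/sudo ' \
        '-F arch=b64 -S chmod' \
        '-F arch=b32 -S chmod' \
        '-F arch=b64 -S chown' \
        '-S sethostname' \
        '-w /etc/hosts -p wa'
    do
        grep -q -- "$want" "$f" || { echo "FAIL rule missing: $want"; rc=1; }
    done
    return $rc
}

# Demo: write to a temp file. On a real host the target is
# /etc/audit/rules.d/stig.rules, loaded with `augenrules --load`.
tmp=$(mktemp)
write_audit_rules "$tmp"
check_audit_rules "$tmp" && echo "audit rules: complete ($(grep -c '^-' "$tmp") rules)"
rm -f "$tmp"
```

On RHEL 7 the auditd unit refuses `systemctl restart auditd`; use `service auditd restart` (or `augenrules --load`) after dropping the file into /etc/audit/rules.d, and confirm with `auditctl -l` that the rules are active. If you add `-e 2` at the end to make the rule set immutable, further changes need a reboot.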
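Items 17 to 19 cover running the scan and working through findings by severity, but the HTML report is awkward to triage on a headless box. The script below is an added example for this page, not code from TickYouOff or the OpenSCAP project: it wraps the `oscap xccdf eval` invocation for the scap-security-guide STIG profile and then pulls failed rules out of the results XML grouped high, medium, low, the order item 19 prescribes. The datastream path and profile id are assumptions that depend on your scap-security-guide version (list them with `oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml`), and the results fragment in the demo is constructed, not real scan output.

```shell
#!/bin/sh
# Added example for checklist items 17 to 19 (not part of the TickYouOff
# page): run the scan, then rank failures by severity from the results XML.
# Assumes scap-security-guide and openscap-scanner are installed and that the
# datastream/profile names below match your SSG version (check with
# `oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml`).

# run_stig_scan RESULTS.xml REPORT.html: evaluate the STIG profile.
# oscap exits 0 when every rule passes, 2 when at least one rule fails,
# 1 on an evaluation error.
run_stig_scan() {
    oscap xccdf eval \
        --profile xccdf_org.ssgproject.content_profile_stig \
        --results "$1" --report "$2" \
        /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
}

# scap_failures RESULTS.xml: print "SEVERITY RULE-ID" for every failed rule.
# Each <rule-result> carries the severity as an attribute and the outcome in
# a child <result>, which oscap writes on a separate line, so the awk keeps
# state across lines.
scap_failures() {
    awk '
        /<rule-result[ >]/ {
            sev = "unknown"; id = "?"; inrule = 1
            if (match($0, /severity="[^"]*"/)) sev = substr($0, RSTART + 10, RLENGTH - 11)
            if (match($0, /idref="[^"]*"/))    id  = substr($0, RSTART + 7,  RLENGTH - 8)
        }
        inrule && match($0, /<result>[^<]*<\/result>/) {
            res = substr($0, RSTART + 8, RLENGTH - 17)
            if (res == "fail") print sev, id
            inrule = 0
        }
    ' "$1"
}

# scap_fail_count RESULTS.xml SEVERITY: number of failed rules at that severity.
scap_fail_count() {
    scap_failures "$1" | awk -v s="$2" '$1 == s { n++ } END { print n + 0 }'
}

# scap_summary RESULTS.xml: failures grouped high -> medium -> low, which is
# the order item 19 says to remediate in.
scap_summary() {
    for s in high medium low; do
        echo "== $s: $(scap_fail_count "$1" "$s") failed"
        scap_failures "$1" | awk -v s="$s" '$1 == s { print "   " $2 }'
    done
}

# Demo on a constructed fragment shaped like oscap output (not real results).
demo=$(mktemp)
cat > "$demo" <<'EOF'
<TestResult>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_selinux_state" severity="high">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" severity="high">
    <result>fail</result>
  </rule-result>
</TestResult>
EOF
scap_summary "$demo"
rm -f "$demo"
```

A typical cycle is `run_stig_scan results.xml report.html; scap_summary results.xml`, fix the high findings, then re-run and diff the two summaries; keeping every results.xml alongside the backups item 23 asks for gives you the before/after evidence an assessor will want.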