Red Hat Enterprise Linux 8 Security hardening
✍ Scribed by Red Hat, Inc.
- Publisher: Red Hat, Inc.
- Year: 2020
- Tongue: English
- Leaves: 106
- Category: Library
✦ Table of Contents
PROVIDING FEEDBACK ON RED HAT DOCUMENTATION
CHAPTER 1. OVERVIEW OF SECURITY HARDENING IN RHEL
1.1. WHAT IS COMPUTER SECURITY?
1.2. STANDARDIZING SECURITY
1.3. CRYPTOGRAPHIC SOFTWARE AND CERTIFICATIONS
1.4. SECURITY CONTROLS
1.4.1. Physical controls
1.4.2. Technical controls
1.4.3. Administrative controls
1.5. VULNERABILITY ASSESSMENT
1.5.1. Defining assessment and testing
1.5.2. Establishing a methodology for vulnerability assessment
1.5.3. Vulnerability assessment tools
1.6. SECURITY THREATS
1.6.1. Threats to network security
1.6.2. Threats to server security
1.6.3. Threats to workstation and home PC security
1.7. COMMON EXPLOITS AND ATTACKS
CHAPTER 2. SECURING RHEL DURING INSTALLATION
2.1. BIOS AND UEFI SECURITY
2.1.1. BIOS passwords
2.1.1.1. Non-BIOS-based systems security
2.2. DISK PARTITIONING
2.3. RESTRICTING NETWORK CONNECTIVITY DURING THE INSTALLATION PROCESS
2.4. INSTALLING THE MINIMUM AMOUNT OF PACKAGES REQUIRED
2.5. POST-INSTALLATION PROCEDURES
CHAPTER 3. USING SYSTEM-WIDE CRYPTOGRAPHIC POLICIES
3.1. SYSTEM-WIDE CRYPTOGRAPHIC POLICIES
Tool for managing crypto policies
Strong crypto defaults by removing insecure cipher suites and protocols
Cipher suites and protocols disabled in all policy levels
Cipher suites and protocols enabled in the crypto-policies levels
3.2. SWITCHING THE SYSTEM-WIDE CRYPTOGRAPHIC POLICY TO MODE COMPATIBLE WITH EARLIER RELEASES
3.3. SWITCHING THE SYSTEM TO FIPS MODE
3.4. ENABLING FIPS MODE IN A CONTAINER
3.5. EXCLUDING AN APPLICATION FROM FOLLOWING SYSTEM-WIDE CRYPTO POLICIES
3.5.1. Examples of opting out of system-wide crypto policies
3.6. CUSTOMIZING SYSTEM-WIDE CRYPTOGRAPHIC POLICIES WITH POLICY MODIFIERS
3.7. CREATING AND SETTING A CUSTOM SYSTEM-WIDE CRYPTOGRAPHIC POLICY
3.8. RELATED INFORMATION
CHAPTER 4. CONFIGURING APPLICATIONS TO USE CRYPTOGRAPHIC HARDWARE THROUGH PKCS #11
4.1. CRYPTOGRAPHIC HARDWARE SUPPORT THROUGH PKCS #11
4.2. USING SSH KEYS STORED ON A SMART CARD
4.3. USING HSMS PROTECTING PRIVATE KEYS IN APACHE AND NGINX
4.4. CONFIGURING APPLICATIONS TO AUTHENTICATE USING CERTIFICATES FROM SMART CARDS
4.5. RELATED INFORMATION
CHAPTER 5. USING SHARED SYSTEM CERTIFICATES
5.1. THE SYSTEM-WIDE TRUST STORE
5.2. ADDING NEW CERTIFICATES
5.3. MANAGING TRUSTED SYSTEM CERTIFICATES
5.4. RELATED INFORMATION
CHAPTER 6. SCANNING THE SYSTEM FOR CONFIGURATION COMPLIANCE AND VULNERABILITIES
6.1. CONFIGURATION COMPLIANCE TOOLS IN RHEL
6.2. VULNERABILITY SCANNING
6.2.1. Red Hat Security Advisories OVAL feed
6.2.2. Scanning the system for vulnerabilities
6.2.3. Scanning remote systems for vulnerabilities
6.3. CONFIGURATION COMPLIANCE SCANNING
6.3.1. Configuration compliance in RHEL 8
6.3.2. Possible results of an OpenSCAP scan
6.3.3. Viewing profiles for configuration compliance
6.3.4. Assessing configuration compliance with a specific baseline
6.4. REMEDIATING THE SYSTEM TO ALIGN WITH A SPECIFIC BASELINE
6.5. REMEDIATING THE SYSTEM TO ALIGN WITH A SPECIFIC BASELINE USING THE SSG ANSIBLE PLAYBOOK
6.6. CREATING A REMEDIATION ANSIBLE PLAYBOOK TO ALIGN THE SYSTEM WITH A SPECIFIC BASELINE
6.7. CREATING A REMEDIATION BASH SCRIPT FOR A LATER APPLICATION
6.8. SCANNING THE SYSTEM WITH A CUSTOMIZED PROFILE USING SCAP WORKBENCH
6.8.1. Using SCAP Workbench to scan and remediate the system
6.8.2. Customizing a security profile with SCAP Workbench
6.8.3. Related information
6.9. DEPLOYING SYSTEMS THAT ARE COMPLIANT WITH A SECURITY PROFILE IMMEDIATELY AFTER AN INSTALLATION
6.9.1. Deploying baseline-compliant RHEL systems using the graphical installation
6.9.2. Deploying baseline-compliant RHEL systems using Kickstart
6.10. SCANNING CONTAINER AND CONTAINER IMAGES FOR VULNERABILITIES
6.11. ASSESSING SECURITY COMPLIANCE OF A CONTAINER OR A CONTAINER IMAGE WITH A SPECIFIC BASELINE
6.12. SUPPORTED VERSIONS OF THE SCAP SECURITY GUIDE IN RHEL
6.13. RELATED INFORMATION
CHAPTER 7. CHECKING INTEGRITY WITH AIDE
7.1. INSTALLING AIDE
7.2. PERFORMING INTEGRITY CHECKS WITH AIDE
7.3. UPDATING AN AIDE DATABASE
7.4. RELATED INFORMATION
CHAPTER 8. ENCRYPTING BLOCK DEVICES USING LUKS
8.1. LUKS DISK ENCRYPTION
8.2. LUKS VERSIONS IN RHEL 8
8.3. OPTIONS FOR DATA PROTECTION DURING LUKS2 RE-ENCRYPTION
8.4. ENCRYPTING EXISTING DATA ON A BLOCK DEVICE USING LUKS2
8.5. ENCRYPTING EXISTING DATA ON A BLOCK DEVICE USING LUKS2 WITH A DETACHED HEADER
8.6. ENCRYPTING A BLANK BLOCK DEVICE USING LUKS2
CHAPTER 9. CONFIGURING AUTOMATED UNLOCKING OF ENCRYPTED VOLUMES USING POLICY-BASED DECRYPTION
9.1. NETWORK-BOUND DISK ENCRYPTION
9.2. INSTALLING AN ENCRYPTION CLIENT - CLEVIS
9.3. DEPLOYING A TANG SERVER WITH SELINUX IN ENFORCING MODE
9.4. ROTATING TANG SERVER KEYS AND UPDATING BINDINGS ON CLIENTS
9.5. DEPLOYING AN ENCRYPTION CLIENT FOR AN NBDE SYSTEM WITH TANG
9.6. REMOVING A CLEVIS PIN FROM A LUKS-ENCRYPTED VOLUME MANUALLY
9.7. DEPLOYING AN ENCRYPTION CLIENT WITH A TPM 2.0 POLICY
9.8. CONFIGURING MANUAL ENROLLMENT OF LUKS-ENCRYPTED VOLUMES
9.9. CONFIGURING AUTOMATED ENROLLMENT OF LUKS-ENCRYPTED VOLUMES USING KICKSTART
9.10. CONFIGURING AUTOMATED UNLOCKING OF A LUKS-ENCRYPTED REMOVABLE STORAGE DEVICE
9.11. DEPLOYING HIGH-AVAILABILITY NBDE SYSTEMS
9.11.1. High-available NBDE using Shamir’s Secret Sharing
9.11.1.1. Example 1: Redundancy with two Tang servers
9.11.1.2. Example 2: Shared secret on a Tang server and a TPM device
9.12. DEPLOYMENT OF VIRTUAL MACHINES IN A NBDE NETWORK
9.13. BUILDING AUTOMATICALLY-ENROLLABLE VM IMAGES FOR CLOUD ENVIRONMENTS USING NBDE
9.14. ADDITIONAL RESOURCES
CHAPTER 10. AUDITING THE SYSTEM
10.1. LINUX AUDIT
10.2. AUDIT SYSTEM ARCHITECTURE
10.3. CONFIGURING AUDITD FOR A SECURE ENVIRONMENT
10.4. STARTING AND CONTROLLING AUDITD
10.5. UNDERSTANDING AUDIT LOG FILES
10.6. USING AUDITCTL FOR DEFINING AND EXECUTING AUDIT RULES
10.7. DEFINING PERSISTENT AUDIT RULES
10.8. USING PRE-CONFIGURED RULES FILES
10.9. USING AUGENRULES TO DEFINE PERSISTENT RULES
10.10. DISABLING AUGENRULES
10.11. RELATED INFORMATION
CHAPTER 11. CONFIGURING AND MANAGING APPLICATION WHITELISTS
11.1. APPLICATION WHITELISTING IN RHEL
11.2. DEPLOYING APPLICATION WHITELISTING
11.3. ADDING CUSTOM RULES FOR APPLICATION WHITELISTING
11.4. TROUBLESHOOTING RHEL APPLICATION WHITELISTING
11.5. ADDITIONAL RESOURCES
CHAPTER 12. PROTECTING SYSTEMS AGAINST INTRUSIVE USB DEVICES
12.1. USBGUARD
12.2. INSTALLING USBGUARD
12.3. BLOCKING AND AUTHORIZING A USB DEVICE USING CLI
12.4. CREATING A CUSTOM POLICY FOR USB DEVICES
12.5. AUTHORIZING USERS AND GROUPS TO USE THE USBGUARD IPC INTERFACE
12.6. LOGGING USBGUARD AUTHORIZATION EVENTS TO THE LINUX AUDIT LOG
12.7. ADDITIONAL RESOURCES
📜 SIMILAR VOLUMES
A Guide to Securing Red Hat Enterprise Linux 7
This book assists users and administrators in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity. Focused on Red Hat Enterprise Linux but detailing conce
The content of this book is provided for informational purposes only. Neither the publisher nor the author offers any warranties or representation, express or implied, with regard to the accuracy of information contained in this book, nor do they accept any liability for any loss or damage arising f
Securing your virtual environment
This guide provides an overview of virtualization security technologies provided by Red Hat. It also provides recommendations for securing hosts, guests, and shared infrastructure and resources in virtualized environments.