RHEL7-Hardening Tips

The following tips assume that the reader is starting with a default installation of Red Hat Enterprise Linux 7. These RHEL 7 hardening tips may or may not apply cleanly to other Linux distributions or to modified installations of RHEL.

General Principles

  • Encrypt all data transmitted over the network. Encrypting authentication information (such as passwords) is particularly important.
  • Minimize the amount of software installed and running in order to minimize vulnerability.
  • Use security-enhancing software and tools whenever available (e.g., SELinux and iptables).
  • Run each network service on a separate server whenever possible. This minimizes the risk that a compromise of one service could lead to a compromise of others.
  • Maintain user accounts. Create a good password policy and enforce its use. Delete unused user accounts.
  • Review system and application logs on a routine basis.
  • Send logs to a dedicated log server. This prevents intruders from easily avoiding detection by modifying the local logs.
  • Never log in directly as root, unless absolutely necessary.
  • Administrators should use sudo to execute commands as root when required. The accounts capable of using sudo are specified in /etc/sudoers, which is edited with the visudo utility. By default, relevant logs are written to /var/log/secure.
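
As a routine review of the sudo and root-login activity recorded in /var/log/secure, the following script is an added example, not part of the original tips. The function names are hypothetical, the log lines are constructed, and the parsing assumes the default sudo and sshd syslog message formats.

```shell
#!/bin/sh
# Added example. Log lines below are constructed, not real data; the layout
# assumes the default sudo and sshd syslog message formats.
sample_secure_log() {
cat <<'EOF'
Mar 10 14:02:11 host1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart httpd
Mar 10 14:02:11 host1 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Mar 10 14:05:40 host1 sudo:     bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 10 14:06:13 host1 sudo:   carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/su -
Mar 10 14:07:02 host1 sshd[2211]: Accepted password for root from 192.0.2.10 port 51514 ssh2
Mar 10 14:09:30 host1 sshd[2290]: Accepted publickey for alice from 192.0.2.11 port 40022 ssh2
Mar 10 14:10:05 host1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/visudo
EOF
}

# review_secure (hypothetical helper): reads secure-log lines on stdin and
# prints one finding per line:
#   SUDO_OK <user> <command>      command run through sudo
#   SUDO_DENIED <user> <reason>   sudo refused the request
#   ROOT_LOGIN <source> <method>  direct SSH login as root
review_secure() {
    awk '
    # sudo event lines look like "sudo: <user> : <details> ; COMMAND=<cmd>".
    # Requiring $7 == ":" skips the pam_unix lines that sudo also emits.
    $5 ~ /^sudo(\[[0-9]+\])?:$/ && $7 == ":" {
        if ($0 ~ /user NOT in sudoers/) {
            print "SUDO_DENIED", $6, "not-in-sudoers"
        } else if ($0 ~ /incorrect password attempt/) {
            print "SUDO_DENIED", $6, "bad-password"
        } else if ((pos = index($0, "COMMAND=")) > 0) {
            print "SUDO_OK", $6, substr($0, pos + 8)
        }
        next
    }
    # sshd success lines: "Accepted <method> for <user> from <addr> port ..."
    $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $9 == "root" {
        print "ROOT_LOGIN", $11, $7
    }'
}

# Run against the constructed sample; on a real host, feed /var/log/secure instead.
sample_secure_log | review_secure
```

On a live system the same function can be run as `review_secure < /var/log/secure` by an account permitted to read that file.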