Security

SELinux, SSH hardening, Fail2Ban, auditd, firewalld, CIS benchmarks, and security auditing on RHEL 10.

SELinux

SELinux (Security-Enhanced Linux) provides mandatory access control. RHEL 10 enables it by default in enforcing mode.

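# Check SELinux status (getenforce prints only the mode; sestatus adds policy and mount details)
getenforce
sestatus

# View the mode that applies at boot
grep SELINUX /etc/selinux/config

# Switch to permissive at runtime (non-destructive: denials are logged but no longer blocked).
# This does NOT persist across reboots; /etc/selinux/config is untouched.
sudo setenforce 0
# Return to enforcing once troubleshooting is done
sudo setenforce 1

# Restore file contexts after moving files (mv keeps the source context; restorecon
# relabels to what the policy expects for the destination path)
sudo restorecon -Rv /var/www/html

# Check file context
ls -lZ /etc/passwd

# Troubleshoot denials (sealert needs the setroubleshoot-server package)
sudo ausearch -m avc -ts recent
sudo sealert -a /var/log/audit/audit.log

# Generate a custom policy module from the denials recorded for httpd.
# audit2allow permits *everything* it was shown, so read myhttpd.te before installing:
# a denial often means a mislabelled file or a boolean to flip, not a policy gap.
sudo ausearch -c 'httpd' --raw | audit2allow -M myhttpd
cat myhttpd.te
sudo semodule -i myhttpd.pp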

SSH Hardening

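# Deploy a key BEFORE disabling password authentication, or the next login is locked out.
# Generate key pair (client side) and install it on the server; the user must be one of
# the names listed in AllowUsers below.
ssh-keygen -t ed25519 -C "admin@server"
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server

# Key settings to apply. On RHEL 9+ sshd_config begins with
#   Include /etc/ssh/sshd_config.d/*.conf
# and sshd keeps the FIRST value it sees for each keyword, so a drop-in overrides the main
# file. Name it to sort before vendor drop-ins such as 50-redhat.conf so these values win.
# The file name is a sample; choose your own.
sudo tee /etc/ssh/sshd_config.d/10-hardening.conf <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers deploy admin
EOF

# Validate the config before reloading: a syntax error leaves the running sshd on the old
# config but would make the next restart fail.
sudo sshd -t

# Apply changes (reload keeps existing sessions; keep one open until a fresh login succeeds)
sudo systemctl reload sshd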

Fail2Ban

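# Install. fail2ban is packaged in EPEL, not the base RHEL repositories, so enable EPEL first.
sudo dnf install -y fail2ban
sudo systemctl enable --now fail2ban

# Create jail.local (overrides jail.conf, which package updates may overwrite).
# ignoreip stops the ban logic from locking out your own admin hosts; extend it with your
# management networks. The EPEL package usually ships a jail.d drop-in setting
# backend = systemd, in which case sshd events come from the journal and logpath is ignored;
# if your build tails /var/log/secure instead, rsyslog must be running for that file to exist.
# Check /etc/fail2ban/jail.d/ to see which applies.
sudo tee /etc/fail2ban/jail.local <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
bantime = 7200
maxretry = 3
EOF

# Reload and verify (status shows matched log lines and the current ban list)
sudo systemctl restart fail2ban
sudo fail2ban-client status sshd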

Audit Framework

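# Install audit
sudo dnf install -y audit audit-libs

# Watch critical files at runtime. Rules added with auditctl are lost at reboot;
# the rules.d file below is the persistent form.
sudo auditctl -w /etc/passwd -p wa -k identity
sudo auditctl -w /etc/shadow -p wa -k identity
sudo auditctl -w /etc/sudoers -p wa -k sudoers
sudo auditctl -w /etc/selinux/ -p wa -k selinux

# Make rules persistent in /etc/audit/rules.d/ (augenrules merges *.rules into audit.rules).
# Includes the same /etc/selinux/ watch as the runtime rules above so both sets agree.
sudo tee /etc/audit/rules.d/important.rules <<'EOF'
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/selinux/ -p wa -k selinux
-w /usr/sbin/useradd -p x -k user_mod
-w /usr/sbin/userdel -p x -k user_mod
-w /usr/sbin/groupadd -p x -k group_mod
-w /usr/sbin/groupdel -p x -k group_mod
EOF

# Compile and load the persistent rules now (otherwise they apply only after the next
# auditd start), then confirm what the kernel actually has loaded
sudo augenrules --load
sudo auditctl -l

# Query logs
sudo ausearch -k identity
sudo aureport --user --summary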

Firewall Rules

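# Make public the default zone. Note that public is not "deny everything": its stock
# configuration still admits ssh and dhcpv6-client, which the next lines trim to ssh only.
sudo firewall-cmd --set-default-zone=public

# Allow only SSH
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --remove-service=dhcpv6-client
sudo firewall-cmd --reload

# IP-based access control. Use a NEW zone name: "trusted" is a built-in zone whose target
# is ACCEPT, so --new-zone=trusted fails with a name conflict, and adding a source to the
# built-in trusted zone would allow ALL traffic from it, not just ssh/http.
# "lan" is a sample name; pick your own.
sudo firewall-cmd --permanent --new-zone=lan
sudo firewall-cmd --permanent --zone=lan --add-source=10.0.0.0/8
sudo firewall-cmd --permanent --zone=lan --add-service=ssh
sudo firewall-cmd --permanent --zone=lan --add-service=http
sudo firewall-cmd --reload
sudo firewall-cmd --zone=lan --list-all

# Emergency lockdown (use firewalld, not iptables directly)
# iptables bypasses firewalld's nftables backend in RHEL 10
# Panic mode drops ALL traffic, including the SSH session issuing the command:
# run it from a console or out-of-band access, not over the network.
sudo firewall-cmd --panic-on

# To disable panic mode:
sudo firewall-cmd --panic-off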

CIS Benchmark

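# Install OpenSCAP (ships with RHEL 10)
sudo dnf install -y openscap-scanner scap-security-guide

# List the profile IDs the datastream actually provides and confirm the CIS profile name
# used below before scanning (SSG ships several CIS variants).
oscap info /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

# Run CIS profile evaluation. --results holds the XCCDF results, --report an HTML summary.
# Exit status is 0 when every rule passes, 2 when at least one rule fails and 1 on an
# error, so do not treat 2 as a scanner failure (relevant under set -e).
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_server \
  --results cis-results.xml \
  --report cis-report.html \
  /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

# Generate human-readable guide for the same profile (no root needed: it only reads the datastream)
oscap xccdf generate guide --profile xccdf_org.ssgproject.content_profile_cis_server \
  /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml > cis-guide.html

# Generate remediation script. The fix types oscap documents are bash, ansible, puppet and
# others (see `oscap xccdf generate fix --help`); "bash" is the shell-script type.
# Review cis-remediate.sh before running it: it enforces every rule in the profile,
# including ones that may break services on this host.
oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_cis_server \
  --fix-type bash /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml > cis-remediate.sh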

Password & User Policy

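# Enforce password complexity via pam_pwquality. libpwquality also reads
# /etc/security/pwquality.conf.d/*.conf (see pwquality.conf(5)), so use a drop-in
# rather than overwriting pwquality.conf. File name is a sample; keep the .conf suffix.
# NOTE: the option is "difok" (minimum characters that must differ from the old
# password); "diffchars" is not a documented pam_pwquality option and enforces nothing.
sudo tee /etc/security/pwquality.conf.d/50-hardening.conf <<'EOF'
minlen = 14
minclass = 4
difok = 8
maxrepeat = 2
EOF

# Password aging: max 90 days, warn 14 days before expiry, min 7 days between changes
sudo chage -M 90 -W 14 -m 7 username

# Lock unused accounts. usermod -L only disables the password; SSH keys and other
# non-password logins still work, so also expire the account.
sudo usermod -L inactive_user
sudo chage -E 0 inactive_user

# Remove sudo from unnecessary users
sudo gpasswd -d username wheel

# List users with login shells (prints name:shell; skips nologin and /bin/false)
awk -F: '$7 !~ /nologin|\/bin\/false/ { print $1 ":" $7 }' /etc/passwd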

Package Security

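# Security advisories are built into dnf in RHEL 10 (no separate plugin needed)

# Overview of pending advisories by type (security / bugfix / enhancement).
# Read-only dnf and rpm queries do not need root; keep sudo for commands that change the system.
dnf updateinfo summary

# List all available security updates
dnf updateinfo list updates security

# Install security updates only
sudo dnf upgrade --security

# Check CVE details (the CVE id here is a sample)
dnf updateinfo info CVE-2024-1234

# GPG key verification (enabled by default in RHEL): list the signing keys rpm trusts.
# Any key you do not recognise in this list deserves investigation.
rpm -qa gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}(%{SUMMARY})\n'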