Ensure SELinux State is Enforcing
The SELinux state should be set to 'enforcing' at
system boot time. In the file '/etc/selinux/config', add or correct the
following line to configure the system to boot into enforcing mode:

Disable Host-Based Authentication
SSH's cryptographic host-based authentication is
more secure than '.rhosts' authentication. However, it is
not recommended that hosts unilaterally trust one another, even
within an organization.
To disable host-based authentication, add or correct the
following line in '/etc/ssh/sshd_config':

Ensure gpgcheck Enabled In Main Yum Configuration
The 'gpgcheck' option controls whether
RPM packages' signatures are always checked prior to installation.
To configure yum to check package signatures before installing
them, ensure the following line appears in '/etc/yum.conf' in
the '[main]' section:

Use Only Approved Ciphers
Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in '/etc/ssh/sshd_config'
demonstrates use of FIPS-approved ciphers:
The man page 'sshd_config(5)' contains a list of supported ci ...
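
An added example (not part of the original guide) that audits the SELinux, host-based authentication and gpgcheck settings described above, taking each file path as an argument. The expected values SELINUX=enforcing, HostbasedAuthentication no and gpgcheck=1 are assumptions supplied here, since the page's own configuration lines are not shown; the sample files are constructed.

```shell
#!/bin/sh
# Added example: each check returns 0 when the file is compliant, 1 otherwise.

# /etc/selinux/config: at least one active SELINUX= line, and none that is
# anything other than "enforcing". SELINUXTYPE= and commented lines are ignored.
check_selinux() {
    awk -F= '/^SELINUX=/ { v = $2; gsub(/[ \t\r]/, "", v)
                           n++; if (v != "enforcing") bad++ }
             END { exit !(n > 0 && bad == 0) }' "$1"
}

# /etc/ssh/sshd_config: sshd uses the first value obtained for a keyword, so
# only the first HostbasedAuthentication line in the global section (before
# any Match block) counts. An explicit "no" is required (assumption: the
# built-in default is not relied upon).
check_hostbased() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "hostbasedauthentication" {
             found = 1; exit (tolower($2) != "no") }
         END { if (!found) exit 1 }' "$1"
}

# /etc/yum.conf: gpgcheck must be 1 inside [main]; the same key under a
# repository section does not satisfy the rule.
check_gpgcheck() {
    awk '/^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec)
                       sub(/\].*$/, "", sec); next }
         sec == "main" && /^[ \t]*gpgcheck[ \t]*=/ {
             v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t\r]/, "", v)
             n++; if (v != "1") bad++ }
         END { exit !(n > 0 && bad == 0) }' "$1"
}

# Constructed sample files (not from the page) to exercise the checks.
demo=$(mktemp -d)
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo/selinux"
printf '#HostbasedAuthentication yes\nHostbasedAuthentication no\n' > "$demo/sshd"
# gpgcheck appears only in a repository section here, so this one fails.
printf '[main]\nkeepcache=0\n[updates]\ngpgcheck=1\n' > "$demo/yum"

check_selinux   "$demo/selinux" && echo "selinux: ok"   || echo "selinux: FAIL"
check_hostbased "$demo/sshd"    && echo "hostbased: ok" || echo "hostbased: FAIL"
check_gpgcheck  "$demo/yum"     && echo "gpgcheck: ok"  || echo "gpgcheck: FAIL"
rm -rf "$demo"
```

On a live system, pass the real paths named in the sections above instead of the sample files.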