Ensure gpgcheck Enabled For All Yum Package Repositories
To ensure signature checking is not disabled for
any repos, remove any lines from files in '/etc/yum.repos.d' of the form:
'gpgcheck=0'
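The check described above can be scripted before editing anything. This is an added example, not part of the original guidance: the function name is hypothetical, the sample repo file is constructed, and it goes slightly beyond the literal 'gpgcheck=0' form by also flagging the spelled-out false values (no, false, off).

```sh
#!/bin/sh
# Added example: report repo sections that disable package signature checking.
# find_gpgcheck_disabled is a hypothetical helper name, not a yum/dnf command.
# Usage: find_gpgcheck_disabled [repo_dir]   (default: /etc/yum.repos.d)
find_gpgcheck_disabled() {
    dir="${1:-/etc/yum.repos.d}"
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*[#;]/ { next }              # commented-out lines do not count
            /^[ \t]*\[/ {                       # [section] header: remember the repo id
                section = $0
                gsub(/^[ \t]*\[|\].*$/, "", section)
                next
            }
            /^[ \t]*gpgcheck[ \t]*=/ {
                value = $0
                sub(/^[^=]*=[ \t]*/, "", value) # keep only the right-hand side
                sub(/[ \t\r]+$/, "", value)
                v = tolower(value)
                # Assumption: also flag the spelled-out false values, not only 0.
                if (v == "0" || v == "no" || v == "false" || v == "off")
                    printf "%s:%d:[%s] gpgcheck=%s\n", file, NR, section, value
            }
        ' "$f"
    done
}

# Constructed sample repo file (not from a real system) to show the output.
demo_gpgcheck_audit() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '[base]' 'name=Base' 'gpgcheck=1' '' \
        '[extras]' 'name=Extras' '# gpgcheck=0' 'gpgcheck = 0' > "$tmp/sample.repo"
    find_gpgcheck_disabled "$tmp"
    rm -rf "$tmp"
}
demo_gpgcheck_audit
```

Each output line gives the file, line number and repo section to fix; no output means no repo file under the directory disables signature checking.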
Set the GNOME3 Login Warning Banner Text
To set the text shown by the GNOME3 Display Manager
in the login screen, the 'banner-message-text' setting must be set in an
appropriate configuration file under the '/etc/dconf/db/gdm.d' directory and locked
in the '/etc/dconf/db/gdm.d/locks' directory to prevent user modification.
After the settings have been set, run 'dconf update'.
When entering a war ...
Ensure Red Hat GPG Key Installed
To ensure the system can cryptographically verify that base software
packages come from Red Hat (and to connect to the Red Hat Network to
receive them), the Red Hat GPG key must be properly installed.
To install the Red Hat GPG key, run:
'$ sudo rhn_register'
If the system is not connected to the Internet or an RHN Satellite,
then install the Red Hat GPG key from tru ...
Ensure /var/log Located On Separate Partition
System logs are stored in the '/var/log' directory.
Ensure that it has its own partition or logical
volume at installation time, or migrate it using LVM.
Enable GNOME3 Login Warning Banner
To enable displaying a login warning banner in the GNOME
Display Manager's login screen, the 'banner-message-enable' setting must be
set in an appropriate configuration file under the '/etc/dconf/db/gdm.d' directory
and locked in the '/etc/dconf/db/gdm.d/locks' directory to prevent user modification.
After the settings have been set, run 'dconf update'.
To dis ...
Ensure /var/log/audit Located On Separate Partition
Audit logs are stored in the '/var/log/audit' directory. Ensure that it
has its own partition or logical volume at installation time, or migrate it
later using LVM. Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon.
System Audit Logs Must Have Mode 0640 or Less Permissive
Change the mode of the audit log files with the following command:
'$ sudo chmod 0640 audit_file'
Prevent Log In to Accounts With Empty Password
If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the 'nullok'
option in '/etc/pam.d/system-auth' to
prevent logins with empty passwords.
Verify /boot/grub2/grub.cfg Permissions
File permissions for '/boot/grub2/grub.cfg' should be set to 600.
To properly set the permissions of '/boot/grub2/grub.cfg', run the command:
Verify that System Executables Have Restrictive Permissions
System executables are stored in the following directories by default:
/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin
No file in these directories should be group-writable or world-writable.
If any file