Do not attempt to implement any of the recommendations in this guide without ﬁrst testing in a non-production environment.
This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore this guide does not address site-speciﬁc conﬁgurationconcerns. Care must be taken when implementing this guide to address local operational and policyconcerns.
The security changes described in this document apply only to Red Hat Enterprise Linux 5. They may nottranslate gracefully to other operating systems.
Internet addresses referenced were valid as of 1 Dec 2009.
Red Hat is a registered trademark of Red Hat, Inc. Any other trademarks referenced herein are the property of their respective owners.
Revision 4.1 is an update of Revision 4 dated September 14, 2010.
Added section 126.96.36.199,
Disable All GNOME Thumbnailers if Possible
Added Common Conﬁguration Enumeration (CCE) identiﬁers to associated sections within the guide, anda note about CCE in section 1.2.4,
Updated section 188.8.131.52,
Set Lockouts for Failed Password Attempts
. There is no longer the need to addthe
module into each program’s PAM conﬁguration ﬁle, or to comment out some lines from
module can now be referenced directly from
Corrected section 184.108.40.206.5 title from
Ensure auditd Collects Logon and Logout Events
Record Attempts toAlter Logon and Logout Event Information
Corrected section 220.127.116.11.6 title from
Ensure auditd Collects Process and Session Initiation Information
Record Attempts to Alter Process and Session Initiation Information
The above changes did not aﬀect any of the section numbering.