Security Hardening RHEL Linux
Red Hat Enterprise Linux (RHEL) is widely used in enterprises and datacentres. Out of the box it is secure, but further hardening is recommended for production and internet-facing deployments. This guide covers practical steps to harden a RHEL server (8/9).
Quick take
- Goal: Reduce attack surface, enforce least privilege, and improve resilience.
- Approach: Keep packages updated, configure secure authentication, enforce SELinux, and audit activity.
- Scope: Applies to RHEL 8 and RHEL 9 (also compatible with CentOS Stream and Rocky/AlmaLinux).
1. Keep the system updated
sudo dnf update -y
Enable automatic updates for security patches:
sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic.timer
2. User accounts and SSH
- Disable root SSH login.
- Use SSH keys instead of passwords.
- Restrict login to specific users.
# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
AllowUsers adminuser ansible
sudo systemctl reload sshd
3. Firewall and SELinux
RHEL uses firewalld and SELinux for strong access control.
# Firewall
sudo systemctl enable firewalld
sudo systemctl start firewalld
sudo firewall-cmd --set-default-zone=public
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
# SELinux status
getenforce
# Enforce mode (recommended)
sudo setenforce 1
Tip: Keep SELinux enforcing. If an app misbehaves, adjust policy with audit2allow instead of disabling SELinux.
4. Remove unnecessary packages
Reduce attack surface by removing unused software.
sudo dnf remove -y telnet rsh-server ypbind tftp-server xinetd
sudo dnf autoremove -y
5. Logging and auditing
Enable audit framework and log collection.
sudo dnf install audit audit-libs -y
sudo systemctl enable auditd
sudo systemctl start auditd
Example audit rule (log access to /etc/shadow):
echo "-w /etc/shadow -p wa -k shadow_changes" | sudo tee -a /etc/audit/rules.d/hardening.rules
sudo augenrules --load
6. Minimise services
systemctl list-unit-files --state=enabled
sudo systemctl disable avahi-daemon
sudo systemctl disable cups
Only enable the services you actually need.
7. SELinux and Mandatory Access Control
SELinux is the default MAC system on RHEL and should always remain enabled.
sestatus
# Example: put a service into permissive mode temporarily
sudo semanage permissive -a httpd_t
# Generate policy module from AVC denials
sudo ausearch -m avc -ts recent | audit2allow -M mypol
sudo semodule -i mypol.pp
8. Kernel and sysctl hardening
Apply secure kernel parameters via /etc/sysctl.d/:
# /etc/sysctl.d/99-hardening.conf
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv6.conf.all.accept_redirects=0
kernel.randomize_va_space=2
Apply changes:
sudo sysctl -p /etc/sysctl.d/99-hardening.conf
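The sshd_config directives from section 2 and the sysctl values from section 8 are easy to get wrong because the two files resolve duplicates differently (sshd honours the first match, sysctl the last). The following POSIX shell script is an added example, not part of the original guide: it reads both file types the way the respective tools do and reports values that differ from the guide's recommendations. The function names and the sample files with their deliberate weaknesses are constructed for this example; on a real host, point the functions at /etc/ssh/sshd_config and /etc/sysctl.d/99-hardening.conf.

```shell
# Added example (not from the original guide): audit an sshd_config and a
# sysctl.d fragment against the values recommended above. Function names and
# the sample files below are constructed for this example.
# Effective value of an sshd_config keyword: sshd takes the FIRST match and
# keywords are case-insensitive; comment and blank lines are skipped.
sshd_value() {  # $1=file $2=keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $0 ~ /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key { print $2; exit }' "$1"
}
# Effective value of a sysctl key in a sysctl.d fragment: here the LAST
# assignment wins, and both "key=value" and "key = value" are accepted.
sysctl_value() {  # $1=file $2=key
    awk -F= -v key="$2" '
        $0 ~ /^[[:space:]]*[#;]/ || NF == 0 { next }
        { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
        $1 == key { v = $2 }
        END { if (v != "") print v }' "$1"
}
# Compare a file against "key expected" pairs. Prints one line per finding and
# returns the number of findings, so an exit status of 0 means fully compliant.
audit_file() {  # $1=lookup function $2=file, then: key expected [key expected ...]
    fn=$1; file=$2; shift 2; findings=0
    while [ $# -ge 2 ]; do
        actual=$("$fn" "$file" "$1")
        if [ "$actual" != "$2" ]; then
            echo "FINDING $1: expected '$2', got '${actual:-<unset>}'"
            findings=$((findings + 1))
        fi
        shift 2
    done
    return "$findings"
}
# Constructed samples: lowercase root-login line wins over the later "no";
# ASLR is tuned down by a later duplicate; rp_filter is missing entirely.
SAMPLE_SSHD=$(mktemp); SAMPLE_SYSCTL=$(mktemp)
cat > "$SAMPLE_SSHD" <<'EOF'
permitrootlogin yes
PasswordAuthentication no
PermitRootLogin no
EOF
cat > "$SAMPLE_SYSCTL" <<'EOF'
kernel.randomize_va_space = 2
net.ipv4.conf.all.accept_redirects=0
kernel.randomize_va_space = 0
EOF
audit_file sshd_value "$SAMPLE_SSHD" PermitRootLogin no PasswordAuthentication no || echo "sshd_config: $? finding(s)"
audit_file sysctl_value "$SAMPLE_SYSCTL" kernel.randomize_va_space 2 net.ipv4.conf.all.rp_filter 1 || echo "sysctl: $? finding(s)"
```

Note that sysctl_value only reads one fragment; on a live host the kernel's current value (sysctl -n KEY) may still differ if another file in /etc/sysctl.d/ or a later boot-time tool sets it.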
9. Filesystem protections
- Use nodev,nosuid,noexec mount options for temporary and removable filesystems.
# /etc/fstab example
tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0
10. Security scanning and compliance
- SCAP Security Guide (SSG): RHEL provides tailored CIS/NIST profiles.
sudo dnf install scap-security-guide -y
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
- Lynis: Auditing and hardening suggestions.
sudo dnf install epel-release -y
sudo dnf install lynis -y
sudo lynis audit system
11. Monitoring and intrusion detection
- Enable fail2ban to block brute-force SSH:
sudo dnf install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
- Consider AIDE or OSSEC for file integrity monitoring.
sudo dnf install aide -y
sudo aide --init
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Summary
Hardening RHEL Linux involves:
- Regular patching with dnf and automation.
- Securing accounts and SSH.
- Using firewalld and SELinux together for access control.
- Auditing and minimising running services.
- Applying kernel/sysctl tunings and filesystem restrictions.
- Running compliance scans (SCAP, Lynis) and monitoring for intrusions.
Combine these measures with enterprise tools (Red Hat Satellite, Insights, Ansible Automation Platform) for large-scale enforcement and compliance reporting.