RHEL Security Hardening - AI-Optimized Technical Reference

Critical Configuration Failures

SELinux Configuration Reality

• Default State: RHEL ships with SELinux enforcing mode
• Common Failure: Admins run systemctl disable selinux and get compromised
• Critical Warning: Disabling SELinux eliminates privilege escalation detection
• Real Impact: SELinux denials are security features, not bugs
• Diagnostic Commands:
  • ausearch -m AVC - shows blocked actions
  • sealert -a /var/log/audit/audit.log - explains denials
  • getenforce - check current status

SSH Hardening Breaking Points

• Lockout Prevention: Always test in second terminal before restarting SSH
• Critical Settings:
  • PasswordAuthentication no - eliminates brute force
  • PermitRootLogin no - prevents direct root access
  • Protocol 2 - forces secure protocol
• Testing Command: sshd -t - validates config before restart
• Murphy's Law Factor: SSH lockouts happen during configuration changes

Resource Requirements and Time Investment

Implementation Complexity by Component

Component	Setup Time	Learning Curve	Production Risk
SELinux Basic	1 week	Medium	Low if properly configured
CIS Level 1	2-3 days	Low	Medium (breaks some applications)
SCAP Automation	4-6 hours	Low	High (test in staging first)
Audit Framework	1-2 days	Medium	High (log volume issues)
Kernel Hardening	3-5 days	High	Very High (can break system)

Performance and Operational Impact

• Audit Logging: Generates GB of logs daily in comprehensive mode
• FIPS Mode: Breaks applications using non-approved crypto
• Comprehensive Firewalling: 80% of hardening requirements automated
• Memory Requirements: Audit framework requires significant /var/log space

Production Configuration That Actually Works

Core Security Settings (Production-Tested)

# SELinux - Never Disable
getenforce                    # Must return "Enforcing"
setenforce 1                  # Enable if disabled
audit2allow                   # Create custom policies instead of disabling

# SSH Hardening (Test in second terminal first)
echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
echo "PermitRootLogin no" >> /etc/ssh/sshd_config
sshd -t && systemctl restart sshd

# Firewall (Actually Usable)
firewall-cmd --get-default-zone
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

# Filesystem Security (Won't Break Applications)
# /etc/fstab additions:
tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0
tmpfs /var/tmp tmpfs defaults,noexec,nosuid,nodev 0 0

Kernel Security Parameters (/etc/sysctl.d/99-security.conf)

# Network Stack Protection
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1

# Memory Protection
kernel.dmesg_restrict = 1
kernel.yama.ptrace_scope = 1

# IPv6 Disable (unless specifically needed)
net.ipv6.conf.all.disable_ipv6 = 1

Compliance Automation (CIS/SCAP)

SCAP Profile Implementation

# View available profiles
oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

# Apply CIS Level 1 (80% automation success rate)
oscap xccdf eval --profile cis_server_l1 --remediate /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

# Generate compliance reports (for auditors)
oscap xccdf eval --profile cis_server_l1 --results results.xml /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

Compliance Framework Comparison

Framework	Automation Level	Application Breaking Risk	Audit Acceptance
CIS Level 1	80% automated	Medium	High
CIS Level 2	60% automated	High	High
DISA STIG	70% automated	Very High	Government only
Custom SCAP	90% automated	Variable	Depends on profile

Critical Failure Modes and Workarounds

SELinux Denial Resolution

• Problem: Applications fail with AVC denials after hardening
• Solution Process:
  1. Check file contexts: restorecon -R /path
  2. Enable required booleans: setsebool httpd_can_network_connect on
  3. Create custom policy: audit2allow -M mypolicy < audit.log
• Time to Resolution: 15-30 minutes for standard applications

FIPS Mode Compatibility Issues

• Breaking Point: Applications using non-FIPS crypto algorithms
• Enable Command: fips-mode-setup --enable (requires reboot)
• Testing Required: Full application stack validation in staging
• No Partial Compliance: FIPS is binary - compliant or not

Container Security Implementation

# Rootless Podman (eliminates root-based attacks)
podman run --read-only --tmpfs /tmp image_name

# SELinux container isolation (mandatory)
# Uses container_t type automatically

# Image scanning before deployment
podman run --rm registry.access.redhat.com/ubi9 oscap-podman

Monitoring and Maintenance Operations

Security Event Detection

• File Integrity Monitoring: AIDE for system files, configuration monitoring
• Log Volume Management: Centralized logging required for audit framework
• Red Hat Insights Integration: Automated vulnerability detection
• Update Frequency: Quarterly config review, immediate vulnerability patches

Troubleshooting Decision Tree

1. SELinux Denial: Check AVC logs → Fix context/boolean → Create policy if needed
2. SSH Lockout: Physical/console access → Revert config → Test in secondary session
3. Application Breakage: Check CIS Level 1 vs Level 2 → Selective remediation
4. Performance Issues: Audit log size → Log rotation configuration → Storage capacity

Resource References (Validated for Production Use)

Essential Documentation

• RHEL Security Hardening Guide - 167 pages, comprehensive coverage
• CIS Benchmarks - Industry standard, proven effective
• SELinux User Guide - Stop disabling SELinux
• SCAP Security Guide - Automated compliance

Critical Tools and Commands

• Security Status: oscap info, getenforce, firewall-cmd --list-all
• Troubleshooting: ausearch -m AVC, sealert, sshd -t
• Automation: audit2allow, restorecon, setsebool
• Monitoring: Red Hat Insights, AIDE, centralized logging

Decision Matrix: When to Use Each Hardening Level

CIS Level 1 (Recommended for Most Production)

• Use When: Standard enterprise environment
• Breaking Risk: Medium (test applications)
• Time Investment: 2-3 days implementation
• Compliance: Meets most audit requirements

CIS Level 2 (High-Security Environments)

• Use When: Handling sensitive data, compliance-critical
• Breaking Risk: High (extensive application testing required)
• Time Investment: 1-2 weeks full implementation
• Operational Cost: Increased support complexity

Custom SCAP Profiles (Enterprise Scale)

• Use When: Multiple systems, specific compliance requirements
• Automation Level: 90% of configuration tasks
• Prerequisites: Configuration management system (Ansible recommended)
• ROI: Positive after 10+ systems