How to Harden RHEL7: Essential Linux Security Hardening Steps

This guide walks through practical Linux security hardening on RHEL7, covering account control, password policies, SELinux configuration, SSH restrictions, firewall rules, file attribute protections, and other measures to elevate the system to a B1 security level.

Linux Cloud Computing Practice

Linux is a free, open‑source Unix‑like operating system widely used for servers, but its security depends on proper configuration. This article demonstrates how to harden a RHEL7 system by improving account security, login control, SELinux settings, and other safeguards.

TCSEC Security Levels

The U.S. Department of Defense defined the Trusted Computer System Evaluation Criteria (TCSEC) with security classes D, C1, C2, B1, B2, B3, and A1. Modern Linux servers can achieve B1 (mandatory access control) after hardening.

Account Control

System accounts are listed in /etc/passwd. To prevent all non‑root accounts from logging in, lock them with:

#!/bin/bash
# Lock every account except root; passwd -l prefixes the account's shadow hash with "!".
for user in $(cut -d ':' -f1 /etc/passwd | grep -vx root); do
    passwd -l "$user"
done
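Locking is only half of the control; the other half is being able to verify which accounts can still log in. The following audit is an added example, not code from the original article: it reads a passwd/shadow pair and lists the non-root accounts that have both an unlocked shadow entry and a real login shell. The sample files are constructed inline so the script runs offline; on a real host it would be pointed at /etc/passwd and /etc/shadow (which requires root). It assumes only POSIX awk and mktemp.

```bash
#!/bin/sh
# Added audit example, not code from the original article: report non-root
# accounts that are still able to log in (unlocked shadow entry AND a real
# login shell). Runs against constructed sample files so it can be tried
# offline; point it at /etc/passwd and /etc/shadow on a real host.

# Write constructed sample passwd/shadow files into directory $1.
make_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
svc:x:1003:1003:Service:/var/svc:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$hash:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
alice:$6$constructed$hash:18000:0:99999:7:::
bob:$6$constructed$hash:18000:0:99999:7:::
carol:!$6$constructed$hash:18000:0:99999:7:::
svc:!!:18000:0:99999:7:::
EOF
}

# Usage: audit_unlocked PASSWD_FILE SHADOW_FILE
# Prints one username per line. Skips root, accounts whose shell ends in
# nologin or false, and shadow entries starting with "!" (locked by passwd -l),
# "!!" (no password ever set) or "*" (disabled).
audit_unlocked() {
    awk -F: '
        NR == FNR { shell[$1] = $7; next }       # first file: passwd
        $1 == "root"                   { next }
        !($1 in shell)                 { next }  # no passwd entry at all
        shell[$1] ~ /(nologin|false)$/ { next }  # cannot get a shell anyway
        $2 ~ /^[!*]/                   { next }  # locked or disabled
        { print $1 }
    ' "$1" "$2"
}

# Stand-alone demo on the constructed files.
tmp=$(mktemp -d)
make_sample_files "$tmp"
echo "accounts that can still log in:"
audit_unlocked "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

On the sample data only alice and bob are reported: carol and svc are locked, bin has no usable shell, and root is excluded by design. Run after the locking loop above, the list should be empty apart from whatever administrative user you deliberately keep.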

Password Aging

Adjust password expiration in /etc/login.defs (e.g., PASS_MAX_DAYS 90, PASS_MIN_DAYS 0, PASS_MIN_LEN 7, PASS_WARN_AGE 10).

Password Complexity

Configure /etc/pam.d/system-auth to require at least one digit, one lowercase, one uppercase, one special character, and a minimum length of 10:

password required pam_cracklib.so try_first_pass retry=3 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 minlen=10

Login Timeout

Set an inactivity timeout by adding to /etc/profile:

TMOUT=300
export TMOUT

TTY Attempt Limiting

Limit TTY login attempts with /etc/pam.d/login:

#%PAM-1.0
auth required pam_tally2.so deny=3 lock_time=300 even_deny_root root_unlock_time=10

SSH Port and Root Login

Change the SSH daemon port (e.g., to 65534) in /etc/ssh/sshd_config and register the new port with SELinux afterwards (see "Allow SSH Port in SELinux" below); in enforcing mode sshd cannot bind an unlabelled port:

# /etc/ssh/sshd_config
Port 65534
MaxAuthTries 3

Create a regular user with sudo privileges, then disable root login over SSH:

useradd lyshark
passwd lyshark

# /etc/sudoers (edit with visudo)
lyshark ALL=(ALL) ALL

# /etc/ssh/sshd_config (restart sshd afterwards)
PermitRootLogin no
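A detail that matters for the two sshd_config edits above: sshd(8) uses the first uncommented occurrence of a keyword and ignores later ones, so simply appending `PermitRootLogin no` to a file that already says `PermitRootLogin yes` changes nothing. The checker below is an added example, not code from the original article; it reads a config file with sshd's first-match, case-insensitive, `Key value` or `Key=value` semantics and flags settings that deviate from the recommendations on this page. The sample config is constructed; the script assumes POSIX awk, tr and mktemp.

```bash
#!/bin/sh
# Added example, not code from the original article: read sshd_config the way
# sshd(8) does. The FIRST uncommented occurrence of a keyword wins, keywords
# are case-insensitive, and "Key value" and "Key=value" are both accepted.
# The sample config below is constructed.

write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config sample
Port 22
#Port 65534
PermitRootLogin yes
MaxAuthTries=6
PermitRootLogin no
EOF
}

# Usage: sshd_effective FILE KEYWORD
# Prints the value sshd would use, or "unset" if the keyword never appears.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }    # comment or blank
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            # keyword, then whitespace or one "=" (with optional whitespace)
            if (match(line, /^[A-Za-z0-9]+[[:space:]]*(=|[[:space:]])[[:space:]]*/)) {
                k = substr(line, 1, RLENGTH)
                v = substr(line, RLENGTH + 1)
                gsub(/[[:space:]=]/, "", k)
                sub(/[[:space:]]+$/, "", v)
                if (tolower(k) == key) { print v; found = 1; exit }   # first match wins
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Usage: sshd_check FILE
# Lists settings that deviate from the article's recommendations; returns 1 if any do.
sshd_check() {
    rc=0
    [ "$(sshd_effective "$1" PermitRootLogin)" = "no" ] || { echo "PermitRootLogin is not 'no'"; rc=1; }
    [ "$(sshd_effective "$1" Port)" != "22" ] || { echo "Port is still 22"; rc=1; }
    tries=$(sshd_effective "$1" MaxAuthTries)
    case $tries in
        [0-9]*) [ "$tries" -le 3 ] || { echo "MaxAuthTries is $tries (want 3 or fewer)"; rc=1; } ;;
        *)      echo "MaxAuthTries is unset (sshd default is 6)"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone demo on the constructed file.
cfg=$(mktemp)
write_sample_config "$cfg"
sshd_check "$cfg" || echo "sshd_config does not meet the recommendations"
rm -f "$cfg"
```

On the sample file every check fails even though `PermitRootLogin no` is present, because the earlier `yes` line is the one sshd honours. `sshd -T` prints the effective configuration on a real host and is the authoritative way to confirm an edit took effect.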

Login Warning Messages

Edit /etc/motd and /etc/issue.net to display a warning banner for unauthorized access.

Umask Setting

Set a restrictive umask to prevent newly created files from being readable or writable:

echo "umask 0777" >> /etc/bashrc
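It is worth seeing what a umask actually does to new files before shipping one system-wide. The script below is an added example, not code from the original article: it predicts the resulting mode from the kernel defaults (0666 for files, 0777 for directories) and then measures it by creating a file or directory under that umask in a temporary directory. Note what it shows for the article's `umask 0777`: every permission bit is cleared, so a freshly created file has mode 000 and even its owner cannot read it back without a chmod; the values usually meant by "restrictive umask" are 027 or 077. The script assumes a GNU or BusyBox stat(1) that understands `-c '%a'`.

```bash
#!/bin/sh
# Added example, not code from the original article: predict and measure the
# mode a new file or directory gets under a given umask.
# ASSUMPTION: GNU/BusyBox stat(1) with -c '%a' is available.

# Usage: umask_predict MASK [file|dir]
# Computes the mode from the kernel defaults (0666 for files, 0777 for dirs).
umask_predict() {
    base=0666
    if [ "${2:-file}" = dir ]; then base=0777; fi
    printf '%o\n' $(( base & ~0$1 ))     # leading 0 keeps the mask octal
}

# Usage: mode_after_umask MASK [file|dir]
# Creates the object under MASK inside a subshell (so the caller's umask is
# untouched) and prints the octal mode the filesystem actually recorded.
mode_after_umask() {
    dir=$(mktemp -d)
    if [ "${2:-file}" = dir ]; then
        ( umask "$1" && mkdir "$dir/x" )
    else
        ( umask "$1" && : > "$dir/x" )
    fi
    stat -c '%a' "$dir/x"
    rm -rf "$dir"
}

# Stand-alone demo: the article's 0777 next to the usual hardening values.
for m in 0777 077 027 022; do
    printf 'umask %s -> file %s (predicted %s), dir %s\n' \
        "$m" "$(mode_after_umask "$m")" "$(umask_predict "$m")" "$(mode_after_umask "$m" dir)"
done
```

The demo prints `0` for files and directories under 0777, `600`/`700` under 077 and `640`/`750` under 027. Pick the line that matches the access you actually want other users on the host to have.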

Lock Critical System Files

Make essential binaries immutable with chattr +i (e.g., /sbin, /usr/lib).

Restrict GCC Compiler

Remove execute permissions from GCC binaries and grant access only to a dedicated group:

chmod 000 /usr/bin/gcc*
groupadd compilerGroup
chown root:compilerGroup /usr/bin/gcc
chmod 0750 /usr/bin/gcc

Protect Log Files

Make log files append‑only so they cannot be deleted:

chattr +a /var/log/secure /var/log/messages

Minimal Firewall Rules

Flush existing rules, drop everything inbound by default, and allow only SSH (on the changed port) and HTTP/HTTPS traffic:

iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT                                        # loopback
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   # replies to connections this host opened
iptables -A INPUT -p tcp --dport 65534 -j ACCEPT                         # SSH on the changed port
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables-save > /etc/sysconfig/iptables   # iptables-save alone only prints; redirect to persist (iptables-services)
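Rules typed at the shell are gone after a reboot; on RHEL7 the iptables-services unit restores whatever is in /etc/sysconfig/iptables, written in iptables-save(8) format. The generator below is an added example, not code from the original article: given a list of TCP ports it renders that file with a DROP default policy, the loopback and ESTABLISHED,RELATED rules that keep DNS answers and yum downloads flowing back in, and one NEW-connection ACCEPT per port, rejecting anything that is not a valid port number. It assumes only POSIX sh, printf and grep.

```bash
#!/bin/sh
# Added example, not code from the original article: render the minimal INPUT
# policy in iptables-save(8) format, which RHEL7's iptables-services unit loads
# from /etc/sysconfig/iptables at boot. Besides the listed TCP ports it admits
# loopback traffic and replies to connections the host itself opened.

# Usage: render_rules PORT...   -> ruleset on stdout, non-zero on a bad port
render_rules() {
    for p in "$@"; do
        case $p in
            *[!0-9]*|'') echo "render_rules: not a port number: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "render_rules: port out of range: $p" >&2; return 1
        fi
    done
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Usage: count_port_rules PORT... -> number of per-port ACCEPT rules rendered
count_port_rules() {
    render_rules "$@" | grep -c -- '--dport'
}

# Stand-alone demo with the article's ports (SSH moved to 65534, HTTP, HTTPS).
# On a real host: render_rules 65534 80 443 > /etc/sysconfig/iptables && systemctl restart iptables
render_rules 65534 80 443
```

Loading the rendered file with `iptables-restore --test` before restarting the service catches syntax errors without touching the live ruleset; do this from a console or a session you can afford to lose, since a DROP policy with a typo in the SSH rule locks you out.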

Enable SELinux

Set SELinux to enforcing mode:

vim /etc/selinux/config   # set SELINUX=enforcing
setenforce 1

Allow SSH Port in SELinux

Install policycoreutils and add the new SSH port:

yum install -y policycoreutils-python
semanage port -a -t ssh_port_t -p tcp 65534

Set Web Directory Context

Assign the correct SELinux context to web files:

semanage fcontext -a -t httpd_sys_content_t /var/www/html/index.html
restorecon -v /var/www/html/index.html

These steps collectively raise the security posture of a RHEL7 system to meet B1 level requirements.

Written by Linux Cloud Computing Practice
