Chapter 5. Overview of security practices
The Security Practices tests also known as cloud/security confirm that the image follows a minimum set of standard security practices. They also confirm (but do not require at this time) that the latest Red Hat security updates are installed.
The cloud/security test includes the following subtests:
5.1. Password configuration test
The password configuration test checks that login authentication services are enabled on the HUT, and that the services are using the SHA512 encryption algorithm. The test ensures that the image uses the standard SHA512 encryption and decryption algorithm for optimal security.
For RHEL 8 and 9, it uses the authselect
utility.
Success criteria
- The SHA-512 encryption algorithm is enabled for system authentication.
- The test fails for RHEL 8 and RHEL 9 if the NIS, SSSD, or winbind services are not configured because these services support the SHA-512 algorithm.
5.2. RPM freshness
Confirms that all important and critical security errata released against Red Hat packages that are included in the image are installed. Red Hat encourages you to update and recertify their images whenever an errata is released. This test displays status (REVIEW) at runtime as it requires review at Red Hat to confirm success or failure.
Success criteria
All important and critical security errata released for installed Red Hat packages are current.
Additional resources
- For more information on Red Hat security ratings, refer to Understanding Red Hat security ratings.
5.3. SELinux enforcing subtest
Security-Enhanced Linux (SELinux) Enforcing subtest confirms that SELinux is enabled and running in enforcing mode on the image.
SELinux adds Mandatory Access Control (MAC) to the Linux kernel, and is enabled by default in Red Hat Enterprise Linux. SELinux policy is administratively-defined, enforced system-wide, and is not set at user discretion. It reduces vulnerability to privilege escalation attacks and limits the damage made during the configuration. If a process becomes compromised, the attacker only has access to the normal functions of that process, and to files the process has been configured to have access to.
Success criteria
SELinux is configured and running in enforcing mode on the image.
Additional resources
For more information about SELinux, see:
- RHEL 9: Using SElinux.
- RHEL 8: Using SElinux.