Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Initial RHEL 10 e8 Profile #11976

Merged
merged 3 commits into from
May 13, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
177 changes: 177 additions & 0 deletions controls/e8.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,177 @@
id: 'e8'
policy: 'e8'
source: 'https://www.cyber.gov.au/sites/default/files/2023-11/PROTECT%20-%20Hardening%20Linux%20Workstations%20and%20Servers%20%28November%202023%29.pdf'
title: 'Australian Cyber Security Centre (ACSC)'
levels:
- id: base

controls:
- id: 'patching'
levels:
- base
title: 'Application and operating system patching'
rules:
- package_talk_removed
- package_talk-server_removed
Mab879 marked this conversation as resolved.
Show resolved Hide resolved
- package_ypbind_removed
- package_telnet_removed
- service_telnet_disabled
- package_telnet-server_removed
- package_rsh_removed
- package_rsh-server_removed
- package_quagga_removed
- service_avahi-daemon_disabled
- package_squid_removed
- service_squid_disabled
- ensure_redhat_gpgkey_installed
- ensure_gpgcheck_never_disabled
- ensure_gpgcheck_local_packages
- ensure_gpgcheck_globally_activated
- security_patches_up_to_date
- dnf-automatic_security_updates_only
status: automated

- id: 'mfa'
levels:
- base
title: 'Multi-factor authentication'
status: manual

- id: 'restrict_admin'
levels:
- base
title: 'Restricting administrative privileges'
rules:
- accounts_no_uid_except_zero
- sudo_remove_nopasswd
- sudo_remove_no_authenticate
- sudo_require_authentication

status: partial

- id: 'app_control'
levels:
- base
title: 'Application control'
rules:
- package_fapolicyd_installed
- service_fapolicyd_enabled
status: partial

- id: 'restrict_macros'
levels:
- base
title: 'Restrict Microsoft Office macros'
status: not applicable

- id: 'app_hardening'
levels:
- base
title: 'User application hardening'
status: pending

- id: 'backups'
levels:
- base
title: 'Regular backups'
rules:
- package_rear_installed
status: partial

- id: 'hardening'
levels:
- base
title: 'General hardening of {{{ full_name }}}'
rules:
- var_system_crypto_policy=default_nosha1
- configure_crypto_policy
- configure_ssh_crypto_policy
### Secure access
Mab879 marked this conversation as resolved.
Show resolved Hide resolved
- sshd_use_directory_configuration
- sshd_disable_root_login
- sshd_disable_gssapi_auth
- sshd_print_last_log
- sshd_do_not_permit_user_env
- sshd_disable_rhosts
- sshd_set_loglevel_info
- sshd_disable_empty_passwords
- sshd_disable_user_known_hosts
- sshd_enable_strictmodes
### Audit
- package_rsyslog_installed
- service_rsyslog_enabled
- service_auditd_enabled
- var_auditd_flush=incremental_async
- auditd_data_retention_flush
- auditd_local_events
- auditd_write_logs
- auditd_log_format
- auditd_freq
- auditd_name_format
- audit_rules_login_events_tallylog
- audit_rules_login_events_faillock
- audit_rules_login_events_lastlog
- audit_rules_login_events
- audit_rules_time_adjtimex
- audit_rules_time_clock_settime
- audit_rules_time_watch_localtime
- audit_rules_time_settimeofday
- audit_rules_time_stime
- audit_rules_execution_restorecon
- audit_rules_execution_chcon
- audit_rules_execution_semanage
- audit_rules_execution_setsebool
- audit_rules_execution_setfiles
- audit_rules_execution_seunshare
- audit_rules_sysadmin_actions
- audit_rules_networkconfig_modification
- audit_rules_usergroup_modification
- audit_rules_dac_modification_chmod
- audit_rules_dac_modification_chown
- audit_rules_kernel_module_loading

### System security settings
- sysctl_kernel_randomize_va_space
- sysctl_kernel_exec_shield
- sysctl_kernel_kptr_restrict
- sysctl_kernel_dmesg_restrict
- sysctl_kernel_kexec_load_disabled
- sysctl_kernel_yama_ptrace_scope
- sysctl_kernel_unprivileged_bpf_disabled
- sysctl_net_core_bpf_jit_harden

### SELinux
- var_selinux_state=enforcing
- selinux_state
- var_selinux_policy_name=targeted
- selinux_policytype

### Filesystem integrity
- rpm_verify_hashes
- rpm_verify_permissions
- rpm_verify_ownership
- file_permissions_unauthorized_sgid
- file_permissions_unauthorized_suid
- file_permissions_unauthorized_world_writable
- dir_perms_world_writable_sticky_bits
- file_permissions_library_dirs
- file_ownership_binary_dirs
- file_permissions_binary_dirs
- file_ownership_library_dirs

### Passwords
- var_authselect_profile=sssd
- enable_authselect
- no_empty_passwords

### Partitioning
- mount_option_dev_shm_nodev
- mount_option_dev_shm_nosuid
- mount_option_dev_shm_noexec

### Network
- package_firewalld_installed
- service_firewalld_enabled
- network_sniffer_disabled

status: partial # Always will be partial as more could be done
42 changes: 42 additions & 0 deletions products/rhel10/profiles/e8.profile
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
documentation_complete: true

metadata:
SMEs:
- shaneboulden
- tjbutt58

reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers

title: 'Australian Cyber Security Centre (ACSC) Essential Eight'

description: |-
This profile contains configuration checks for Red Hat Enterprise Linux 10
that align to the Australian Cyber Security Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be found at the
ACSC website:

https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers

selections:
- e8:all
# audit-audispd-plugins package does not exist in RHEL 10 (based on RHEL 9)
# use only package_audispd-plugins_installed
- '!package_audit-audispd-plugins_installed'
# More tests are needed to identify which rule is conflicting with rpm_verify_permissions.
# https://github.com/ComplianceAsCode/content/issues/11285
- '!rpm_verify_permissions'
- '!package_talk_removed'
- '!package_talk-server_removed'
- '!package_ypbind_removed'
- '!package_audit-audispd-plugins_installed'
- '!set_ipv6_loopback_traffic'
- '!set_loopback_traffic'
- '!service_ntpd_enabled'
- '!package_ypserv_removed'
- '!package_ypbind_removed'
- '!package_talk_removed'
- '!package_talk-server_removed'
- '!package_xinetd_removed'
- '!package_rsh_removed'
- '!package_rsh-server_removed'
Loading