From 39811f76192de54f651c7baacb3881cb9f34a9c3 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 8 May 2024 15:47:17 -0500 Subject: [PATCH 1/3] Add e8 control file --- controls/e8.yml | 177 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 177 insertions(+) create mode 100644 controls/e8.yml diff --git a/controls/e8.yml b/controls/e8.yml new file mode 100644 index 00000000000..7656fb7aec3 --- /dev/null +++ b/controls/e8.yml @@ -0,0 +1,177 @@ +id: 'e8' +policy: 'e8' +source: 'https://www.cyber.gov.au/sites/default/files/2023-11/PROTECT%20-%20Hardening%20Linux%20Workstations%20and%20Servers%20%28November%202023%29.pdf' +title: 'Australian Cyber Security Centre (ACSC)' +levels: + - id: base + +controls: + - id: 'patching' + levels: + - base + title: 'Application and operating system patching' + rules: + - package_talk_removed + - package_talk-server_removed + - package_ypbind_removed + - package_telnet_removed + - service_telnet_disabled + - package_telnet-server_removed + - package_rsh_removed + - package_rsh-server_removed + - package_quagga_removed + - service_avahi-daemon_disabled + - package_squid_removed + - service_squid_disabled + - ensure_redhat_gpgkey_installed + - ensure_gpgcheck_never_disabled + - ensure_gpgcheck_local_packages + - ensure_gpgcheck_globally_activated + - security_patches_up_to_date + - dnf-automatic_security_updates_only + status: automated + + - id: 'mfa' + levels: + - base + title: 'Multi-factor authentication' + status: manual + + - id: 'restrict_admin' + levels: + - base + title: 'Restricting administrative privileges' + rules: + - accounts_no_uid_except_zero + - sudo_remove_nopasswd + - sudo_remove_no_authenticate + - sudo_require_authentication + + status: partial + + - id: 'app_control' + levels: + - base + title: 'Application control' + rules: + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: partial + + - id: 'restrict_macros' + levels: + - base + title: 'Restrict Microsoft Office macros' + status: not applicable + + - id: 'app_hardening' + levels: + - base + title: 'User application hardening' + status: pending + + - id: 'backups' + levels: + - base + title: 'Regular backups' + rules: + - package_rear_installed + status: partial + + - id: 'hardening' + levels: + - base + title: 'General hardening of {{{ full_name }}}' + rules: + - var_system_crypto_policy=default_nosha1 + - configure_crypto_policy + - configure_ssh_crypto_policy + ### Secure access + - sshd_use_directory_configuration + - sshd_disable_root_login + - sshd_disable_gssapi_auth + - sshd_print_last_log + - sshd_do_not_permit_user_env + - sshd_disable_rhosts + - sshd_set_loglevel_info + - sshd_disable_empty_passwords + - sshd_disable_user_known_hosts + - sshd_enable_strictmodes + ### Audit + - package_rsyslog_installed + - service_rsyslog_enabled + - service_auditd_enabled + - var_auditd_flush=incremental_async + - auditd_data_retention_flush + - auditd_local_events + - auditd_write_logs + - auditd_log_format + - auditd_freq + - auditd_name_format + - audit_rules_login_events_tallylog + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events + - audit_rules_time_adjtimex + - audit_rules_time_clock_settime + - audit_rules_time_watch_localtime + - audit_rules_time_settimeofday + - audit_rules_time_stime + - audit_rules_execution_restorecon + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setsebool + - audit_rules_execution_setfiles + - audit_rules_execution_seunshare + - audit_rules_sysadmin_actions + - audit_rules_networkconfig_modification + - audit_rules_usergroup_modification + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_kernel_module_loading + + ### System security settings + - sysctl_kernel_randomize_va_space + - sysctl_kernel_exec_shield + - sysctl_kernel_kptr_restrict + - sysctl_kernel_dmesg_restrict + - sysctl_kernel_kexec_load_disabled + - sysctl_kernel_yama_ptrace_scope + - sysctl_kernel_unprivileged_bpf_disabled + - sysctl_net_core_bpf_jit_harden + + ### SELinux + - var_selinux_state=enforcing + - selinux_state + - var_selinux_policy_name=targeted + - selinux_policytype + + ### Filesystem integrity + - rpm_verify_hashes + - rpm_verify_permissions + - rpm_verify_ownership + - file_permissions_unauthorized_sgid + - file_permissions_unauthorized_suid + - file_permissions_unauthorized_world_writable + - dir_perms_world_writable_sticky_bits + - file_permissions_library_dirs + - file_ownership_binary_dirs + - file_permissions_binary_dirs + - file_ownership_library_dirs + + ### Passwords + - var_authselect_profile=sssd + - enable_authselect + - no_empty_passwords + + ### Partitioning + - mount_option_dev_shm_nodev + - mount_option_dev_shm_nosuid + - mount_option_dev_shm_noexec + + ### Network + - package_firewalld_installed + - service_firewalld_enabled + - network_sniffer_disabled + + status: partial # Always will be partial as more could be done From c1ca8e38f31e2b74460a0a8ba53dc88fe6a52542 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 8 May 2024 15:47:48 -0500 Subject: [PATCH 2/3] Add RHEL 10 e8 Profile --- products/rhel10/profiles/e8.profile | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 products/rhel10/profiles/e8.profile diff --git a/products/rhel10/profiles/e8.profile b/products/rhel10/profiles/e8.profile new file mode 100644 index 00000000000..d9899ece0f8 --- /dev/null +++ b/products/rhel10/profiles/e8.profile @@ -0,0 +1,22 @@ +documentation_complete: true + +metadata: + SMEs: + - shaneboulden + - tjbutt58 + +reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers + +title: 'Australian Cyber Security Centre (ACSC) Essential Eight' + +description: |- + This profile contains configuration checks for Red Hat Enterprise Linux 9 + that align to the Australian Cyber Security Centre (ACSC) Essential Eight. + + A copy of the Essential Eight in Linux Environments guide can be found at the + ACSC website: + + https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers + +selections: + - e8:all From dbc0e42a1cf27ef54ce90c4378385896d34d2a62 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 10 May 2024 13:42:36 -0500 Subject: [PATCH 3/3] Add RHEL 10 excludes for e8 --- products/rhel10/profiles/e8.profile | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/products/rhel10/profiles/e8.profile b/products/rhel10/profiles/e8.profile index d9899ece0f8..cc0087c8f26 100644 --- a/products/rhel10/profiles/e8.profile +++ b/products/rhel10/profiles/e8.profile @@ -10,7 +10,7 @@ reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening title: 'Australian Cyber Security Centre (ACSC) Essential Eight' description: |- - This profile contains configuration checks for Red Hat Enterprise Linux 9 + This profile contains configuration checks for Red Hat Enterprise Linux 10 that align to the Australian Cyber Security Centre (ACSC) Essential Eight. A copy of the Essential Eight in Linux Environments guide can be found at the @@ -20,3 +20,23 @@ description: |- selections: - e8:all + # audit-audispd-plugins package does not exist in RHEL 10 (based on RHEL 9) + # use only package_audispd-plugins_installed + - '!package_audit-audispd-plugins_installed' + # More tests are needed to identify which rule is conflicting with rpm_verify_permissions. + # https://github.com/ComplianceAsCode/content/issues/11285 + - '!rpm_verify_permissions' + - '!package_talk_removed' + - '!package_talk-server_removed' + - '!package_ypbind_removed' + - '!package_audit-audispd-plugins_installed' + - '!set_ipv6_loopback_traffic' + - '!set_loopback_traffic' + - '!service_ntpd_enabled' + - '!package_ypserv_removed' + - '!package_ypbind_removed' + - '!package_talk_removed' + - '!package_talk-server_removed' + - '!package_xinetd_removed' + - '!package_rsh_removed' + - '!package_rsh-server_removed'