Merge pull request ComplianceAsCode#11976 from Mab879/init_rhel10_e8

Initial RHEL 10 e8 Profile
rumch-se · May 13, 2024 · 1e4eee3 · 1e4eee3
2 parents bca5d4b + dbc0e42
commit 1e4eee3
Show file tree

Hide file tree

Showing 2 changed files with 219 additions and 0 deletions.
diff --git a/controls/e8.yml b/controls/e8.yml
@@ -0,0 +1,177 @@
+id: 'e8'
+policy: 'e8'
+source: 'https://www.cyber.gov.au/sites/default/files/2023-11/PROTECT%20-%20Hardening%20Linux%20Workstations%20and%20Servers%20%28November%202023%29.pdf'
+title: 'Australian Cyber Security Centre (ACSC)'
+levels:
+    - id: base
+
+controls:
+    -   id: 'patching'
+        levels:
+            - base
+        title: 'Application and operating system patching'
+        rules:
+            - package_talk_removed
+            - package_talk-server_removed
+            - package_ypbind_removed
+            - package_telnet_removed
+            - service_telnet_disabled
+            - package_telnet-server_removed
+            - package_rsh_removed
+            - package_rsh-server_removed
+            - package_quagga_removed
+            - service_avahi-daemon_disabled
+            - package_squid_removed
+            - service_squid_disabled
+            - ensure_redhat_gpgkey_installed
+            - ensure_gpgcheck_never_disabled
+            - ensure_gpgcheck_local_packages
+            - ensure_gpgcheck_globally_activated
+            - security_patches_up_to_date
+            - dnf-automatic_security_updates_only
+        status: automated
+
+    -   id: 'mfa'
+        levels:
+            - base
+        title: 'Multi-factor authentication'
+        status: manual
+
+    -   id: 'restrict_admin'
+        levels:
+            - base
+        title: 'Restricting administrative privileges'
+        rules:
+            - accounts_no_uid_except_zero
+            - sudo_remove_nopasswd
+            - sudo_remove_no_authenticate
+            - sudo_require_authentication
+
+        status: partial
+
+    -   id: 'app_control'
+        levels:
+            - base
+        title: 'Application control'
+        rules:
+            - package_fapolicyd_installed
+            - service_fapolicyd_enabled
+        status: partial
+
+    -   id: 'restrict_macros'
+        levels:
+            - base
+        title: 'Restrict Microsoft Office macros'
+        status: not applicable
+
+    -   id: 'app_hardening'
+        levels:
+            - base
+        title: 'User application hardening'
+        status: pending
+
+    -   id: 'backups'
+        levels:
+            - base
+        title: 'Regular backups'
+        rules:
+            - package_rear_installed
+        status: partial
+
+    -   id: 'hardening'
+        levels:
+            - base
+        title: 'General hardening of {{{ full_name }}}'
+        rules:
+            - var_system_crypto_policy=default_nosha1
+            - configure_crypto_policy
+            - configure_ssh_crypto_policy
+            ### Secure access
+            - sshd_use_directory_configuration
+            - sshd_disable_root_login
+            - sshd_disable_gssapi_auth
+            - sshd_print_last_log
+            - sshd_do_not_permit_user_env
+            - sshd_disable_rhosts
+            - sshd_set_loglevel_info
+            - sshd_disable_empty_passwords
+            - sshd_disable_user_known_hosts
+            - sshd_enable_strictmodes
+            ### Audit
+            - package_rsyslog_installed
+            - service_rsyslog_enabled
+            - service_auditd_enabled
+            - var_auditd_flush=incremental_async
+            - auditd_data_retention_flush
+            - auditd_local_events
+            - auditd_write_logs
+            - auditd_log_format
+            - auditd_freq
+            - auditd_name_format
+            - audit_rules_login_events_tallylog
+            - audit_rules_login_events_faillock
+            - audit_rules_login_events_lastlog
+            - audit_rules_login_events
+            - audit_rules_time_adjtimex
+            - audit_rules_time_clock_settime
+            - audit_rules_time_watch_localtime
+            - audit_rules_time_settimeofday
+            - audit_rules_time_stime
+            - audit_rules_execution_restorecon
+            - audit_rules_execution_chcon
+            - audit_rules_execution_semanage
+            - audit_rules_execution_setsebool
+            - audit_rules_execution_setfiles
+            - audit_rules_execution_seunshare
+            - audit_rules_sysadmin_actions
+            - audit_rules_networkconfig_modification
+            - audit_rules_usergroup_modification
+            - audit_rules_dac_modification_chmod
+            - audit_rules_dac_modification_chown
+            - audit_rules_kernel_module_loading
+
+            ### System security settings
+            - sysctl_kernel_randomize_va_space
+            - sysctl_kernel_exec_shield
+            - sysctl_kernel_kptr_restrict
+            - sysctl_kernel_dmesg_restrict
+            - sysctl_kernel_kexec_load_disabled
+            - sysctl_kernel_yama_ptrace_scope
+            - sysctl_kernel_unprivileged_bpf_disabled
+            - sysctl_net_core_bpf_jit_harden
+
+            ### SELinux
+            - var_selinux_state=enforcing
+            - selinux_state
+            - var_selinux_policy_name=targeted
+            - selinux_policytype
+
+            ### Filesystem integrity
+            - rpm_verify_hashes
+            - rpm_verify_permissions
+            - rpm_verify_ownership
+            - file_permissions_unauthorized_sgid
+            - file_permissions_unauthorized_suid
+            - file_permissions_unauthorized_world_writable
+            - dir_perms_world_writable_sticky_bits
+            - file_permissions_library_dirs
+            - file_ownership_binary_dirs
+            - file_permissions_binary_dirs
+            - file_ownership_library_dirs
+
+            ### Passwords
+            - var_authselect_profile=sssd
+            - enable_authselect
+            - no_empty_passwords
+
+            ### Partitioning
+            - mount_option_dev_shm_nodev
+            - mount_option_dev_shm_nosuid
+            - mount_option_dev_shm_noexec
+
+            ### Network
+            - package_firewalld_installed
+            - service_firewalld_enabled
+            - network_sniffer_disabled
+
+        status: partial # Always will be partial as more could be done
diff --git a/products/rhel10/profiles/e8.profile b/products/rhel10/profiles/e8.profile
@@ -0,0 +1,42 @@
+documentation_complete: true
+
+metadata:
+    SMEs:
+        - shaneboulden
+        - tjbutt58
+
+reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
+
+title: 'Australian Cyber Security Centre (ACSC) Essential Eight'
+
+description: |-
+  This profile contains configuration checks for Red Hat Enterprise Linux 10
+  that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
+
+  A copy of the Essential Eight in Linux Environments guide can be found at the
+  ACSC website:
+
+  https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
+
+selections:
+    - e8:all
+    # audit-audispd-plugins package does not exist in RHEL 10 (based on RHEL 9)
+    # use only package_audispd-plugins_installed
+    - '!package_audit-audispd-plugins_installed'
+    # More tests are needed to identify which rule is conflicting with rpm_verify_permissions.
+    # https://github.com/ComplianceAsCode/content/issues/11285
+    - '!rpm_verify_permissions'
+    - '!package_talk_removed'
+    - '!package_talk-server_removed'
+    - '!package_ypbind_removed'
+    - '!package_audit-audispd-plugins_installed'
+    - '!set_ipv6_loopback_traffic'
+    - '!set_loopback_traffic'
+    - '!service_ntpd_enabled'
+    - '!package_ypserv_removed'
+    - '!package_ypbind_removed'
+    - '!package_talk_removed'
+    - '!package_talk-server_removed'
+    - '!package_xinetd_removed'
+    - '!package_rsh_removed'
+    - '!package_rsh-server_removed'