Closed mikykeane closed 3 years ago
Added all section 2 checks. Currently tested 17/20
Finished subsection 1.1 and 1.2
Added section 3 and section 5 checks.
Added section 1. Pending some reviews.
Added and tested section 4.
Closing issue as it is solved by PR:
Adding SCA policies for RHEL 8 #714
Hello team. Working on the development of SCA policies for RHEL 8.

1 Initial Setup
1.1 Filesystem Configuration
1.1.1 Disable unused filesystems
1.2 Configure Software Updates
- [ ] 1.2.5 Ensure package manager repositories are configured (Not Scored)
1.3 Configure sudo
1.4 Filesystem Integrity Checking
1.5 Secure Boot Settings
1.6 Additional Process Hardening
1.7 Mandatory Access Control
1.8 Warning Banners
2 Services
2.1 inetd Services
2.3 Service Clients
3 Network Configuration
3.1 Network Parameters (Host Only)
3.2 Network Parameters (Host and Router)
- [x] 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
3.3 Uncommon Network Protocols
3.4 Firewall Configuration
3.4.1 Ensure Firewall software is installed
- [x] 3.4.1.1 Ensure a Firewall package is installed (Scored)
3.4.2 Configure firewalld
- [ ] 3.4.2.6 Ensure unnecessary services and ports are not accepted (Not Scored)
3.4.3 Configure nftables
3.4.4 Configure iptables
- [x] 3.4.4.1.1 Ensure default deny firewall policy (Scored)
- [x] 3.4.4.1.2 Ensure loopback traffic is configured (Scored)
- [ ] 3.4.4.1.3 Ensure outbound and established connections are configured (Not Scored)
- [ ] 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored)
- [x] 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored)
- [x] 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored)
- [ ] 3.4.4.2.3 Ensure IPv6 outbound and established connections are configured (Not Scored)
- [ ] 3.4.4.2.4 Ensure IPv6 firewall rules exist for all open ports (Not Scored)
- [x] 3.5 Ensure wireless interfaces are disabled (Scored)
- [x] 3.6 Disable IPv6 (Not Scored)
4 Logging and Auditing
4.1 Configure System Accounting (auditd)
4.1.1 Ensure auditing is enabled
4.1.2 Configure Data Retention
- [x] 4.1.2.1 Ensure audit log storage size is configured (Scored)
- [x] 4.1.2.2 Ensure audit logs are not automatically deleted (Scored)
- [x] 4.1.2.3 Ensure system is disabled when audit logs are full (Scored)
- [x] 4.1.3 Ensure changes to system administration scope (sudoers) is collected (Scored)
- [x] 4.1.4 Ensure login and logout events are collected (Scored)
- [x] 4.1.5 Ensure session initiation information is collected (Scored)
- [x] 4.1.6 Ensure events that modify date and time information are collected (Scored)
- [x] 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected (Scored)
- [x] 4.1.8 Ensure events that modify the system's network environment are collected (Scored)
- [x] 4.1.9 Ensure discretionary access control permission modification events are collected (Scored)
- [x] 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected (Scored)
- [x] 4.1.11 Ensure events that modify user/group information are collected (Scored)
- [x] 4.1.12 Ensure successful file system mounts are collected (Scored)
- [ ] 4.1.13 Ensure use of privileged commands is collected (Scored)
- [x] 4.1.14 Ensure file deletion events by users are collected (Scored)
- [x] 4.1.15 Ensure kernel module loading and unloading is collected (Scored)
- [x] 4.1.16 Ensure system administrator actions (sudolog) are collected (Scored)
- [x] 4.1.17 Ensure the audit configuration is immutable (Scored)
4.2 Configure Logging
4.2.1 Configure rsyslog
4.2.2 Configure journald
- [ ] 4.3 Ensure logrotate is configured (Not Scored)
5 Access, Authentication and Authorization
5.1 Configure cron
5.2 SSH Server Configuration
5.3 Configure authselect
5.4 Configure PAM
5.5 User Accounts and Environment
5.5.1 Set Shadow Password Suite Parameters
- [x] 5.5.1.1 Ensure password expiration is 365 days or less (Scored)
- [x] 5.5.1.2 Ensure minimum days between password changes is 7 or more (Scored)
- [x] 5.5.1.3 Ensure password expiration warning days is 7 or more (Scored)
- [x] 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
- [ ] 5.5.1.5 Ensure all users last password change date is in the past (Scored)
- [ ] 5.5.2 Ensure system accounts are secured (Scored)
- [x] 5.5.3 Ensure default user shell timeout is 900 seconds or less (Scored)
- [x] 5.5.4 Ensure default group for the root account is GID 0 (Scored)
- [x] 5.5.5 Ensure default user umask is 027 or more restrictive (Scored)
- [ ] 5.6 Ensure root login is restricted to system console (Not Scored)
- [x] 5.7 Ensure access to the su command is restricted (Scored)
6 System Maintenance
6.1 System File Permissions
6.2 User and Group Settings
Testing
These checks have all been tested in different systems to be sure they were reliable on different environments.
- [x] Tested in official vagrant box: centos/8
- [x] Tested in reliable vagrant box: bento/centos-8
- [x] Tested in RHEL 8 machine in AWS