Development of SCA policies for RHEL 8

[mikykeane]

Hello team. Working on the development of SCA policies for RHEL 8 1 Initial Setup 1.1 Filesystem Configuration 1.1.1 Disable unused filesystems

• [x] 1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Scored) ......................... 21
• [x] 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored) ....................... 23
• [x] 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored) ..................... 25
• [x] 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored) ................................ 27
• [x] 1.1.2 Ensure /tmp is configured (Scored) ............................................................................. 29
• [x] 1.1.3 Ensure nodev option set on /tmp partition (Scored) ............................................ 32
• [x] 1.1.4 Ensure nosuid option set on /tmp partition (Scored) ........................................... 34
• [x] 1.1.5 Ensure noexec option set on /tmp partition (Scored) .......................................... 36
• [x] 1.1.6 Ensure separate partition exists for /var (Scored)................................................. 38
• [x] 1.1.7 Ensure separate partition exists for /var/tmp (Scored) ...................................... 40
• [x] 1.1.8 Ensure nodev option set on /var/tmp partition (Scored) ................................... 42
• [x] 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored) .................................. 43
• [x] 1.1.10 Ensure noexec option set on /var/tmp partition (Scored) ............................... 44
• [x] 1.1.11 Ensure separate partition exists for /var/log (Scored) ..................................... 45
• [x] 1.1.12 Ensure separate partition exists for /var/log/audit (Scored) ......................... 47
• [x] 1.1.13 Ensure separate partition exists for /home (Scored) ......................................... 49
• [x] 1.1.14 Ensure nodev option set on /home partition (Scored) ...................................... 51
• [x] 1.1.15 Ensure nodev option set on /dev/shm partition (Scored) ............................... 53
• [x] 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored) .............................. 55
• [x] 1.1.17 Ensure noexec option set on /dev/shm partition (Scored) .............................. 57
• [ ] 1.1.18 Ensure nodev option set on removable media partitions (Not Scored) ...... 59
• [ ] 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored) ..... 60
• [ ] 1.1.20 Ensure noexec option set on removable media partitions (Not Scored) ..... 61
• [ ] 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored) ............... 62
• [x] 1.1.22 Disable Automounting (Scored) .................................................................................. 63
• [x] 1.1.23 Disable USB Storage (Scored) ....................................................................................... 65

1.2 Configure Software Updates

• [ ] 1.2.1 Ensure Red Hat Subscription Manager connection is configured (Not Scored)
• [ ] 1.2.2 Disable the rhnsd Daemon (Not Scored) .................................................................... 69
• [ ] 1.2.3 Ensure GPG keys are configured (Not Scored) ......................................................... 70
• [x] 1.2.4 Ensure gpgcheck is globally activated (Scored) ....................................................... 71

• [ ] 1.2.5 Ensure package manager repositories are configured (Not Scored) ............... 72

  1.3 Configure sudo

• [x] 1.3.1 Ensure sudo is installed (Scored) .................................................................................. 74
• [x] 1.3.2 Ensure sudo commands use pty (Scored) .................................................................. 76
• [x] 1.3.3 Ensure sudo log file exists (Scored) .............................................................................. 78

1.4 Filesystem Integrity Checking

• [x] 1.4.1 Ensure AIDE is installed (Scored) .................................................................................. 81
• [x] 1.4.2 Ensure filesystem integrity is regularly checked (Scored) .................................. 83

1.5 Secure Boot Settings

• [x] 1.5.1 Ensure permissions on bootloader config are configured (Scored) ................ 86
• [x] 1.5.2 Ensure bootloader password is set (Scored) ............................................................ 88
• [x] 1.5.3 Ensure authentication required for single user mode (Scored) ........................ 90

1.6 Additional Process Hardening

• [x] 1.6.1 Ensure core dumps are restricted (Scored) .............................................................. 93
• [x] 1.6.2 Ensure address space layout randomization (ASLR) is enabled (Scored) .... 95

1.7 Mandatory Access Control

• [x] 1.7.1 Configure SELinux
• [x] 1.7.1.1 Ensure SELinux is installed (Scored) ...................................................................... 100
• [x] 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration (Scored) ..... 101
• [x] 1.7.1.3 Ensure SELinux policy is configured (Scored) .................................................... 103
• [x] 1.7.1.4 Ensure the SELinux state is enforcing (Scored) ................................................. 105
• [x] 1.7.1.5 Ensure no unconfined services exist (Scored) .................................................... 106
• [x] 1.7.1.6 Ensure SETroubleshoot is not installed (Scored) .............................................. 107
• [x] 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored)

1.8 Warning Banners

• [x] 1.8.1 Command Line Warning Banners
• [x] 1.8.1.1 Ensure message of the day is configured properly (Scored) ......................... 111
• [x] 1.8.1.2 Ensure local login warning banner is configured properly (Scored) ......... 113
• [x] 1.8.1.3 Ensure remote login warning banner is configured properly (Scored).... 115
• [x] 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored) ......................... 117
• [x] 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored) ......................... 118
• [x] 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored) .................. 120
• [x] 1.8.2 Ensure GDM login banner is configured (Scored) ................................................. 121
• [x] 1.9 Ensure updates, patches, and additional security software are installed (Scored)
• [x] 1.10 Ensure system-wide crypto policy is not legacy (Scored) .................................. 125
• [x] 1.11 Ensure system-wide crypto policy is FUTURE or FIPS (Scored) ...................... 127

2 Services 2.1 inetd Services

• [x] 2.1.1 Ensure xinetd is not installed (Scored) ..................................................................... 131 2.2 Special Purpose Services 2.2.1 Time Synchronization
• [x] 2.2.1.1 Ensure time synchronization is in use (Not Scored) ........................................ 134
• [x] 2.2.1.2 Ensure chrony is configured (Scored) .................................................................... 136
• [x] 2.2.2 Ensure X Window System is not installed (Scored) ............................................. 138
• [x] 2.2.3 Ensure rsync service is not enabled (Scored) ......................................................... 139
• [x] 2.2.4 Ensure Avahi Server is not enabled (Scored) ......................................................... 141
• [x] 2.2.5 Ensure SNMP Server is not enabled (Scored) ......................................................... 143
• [x] 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored)............................................. 145
• [x] 2.2.7 Ensure Samba is not enabled (Scored) ...................................................................... 146
• [x] 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored) ..................................... 147
• [x] 2.2.9 Ensure HTTP server is not enabled (Scored) .......................................................... 149
• [x] 2.2.10 Ensure FTP Server is not enabled (Scored) .......................................................... 151
• [x] 2.2.11 Ensure DNS Server is not enabled (Scored) .......................................................... 153
• [x] 2.2.12 Ensure NFS is not enabled (Scored) ......................................................................... 154
• [x] 2.2.13 Ensure RPC is not enabled (Scored)......................................................................... 156
• [x] 2.2.14 Ensure LDAP server is not enabled (Scored) ....................................................... 158
• [x] 2.2.15 Ensure DHCP Server is not enabled (Scored) ....................................................... 160
• [x] 2.2.16 Ensure CUPS is not enabled (Scored) ...................................................................... 162
• [x] 2.2.17 Ensure NIS Server is not enabled (Scored) ........................................................... 164
• [x] 2.2.18 Ensure mail transfer agent is configured for local-only mode (Scored) .... 166

2.3 Service Clients

• [x] 2.3.1 Ensure NIS Client is not installed (Scored) .............................................................. 169
• [x] 2.3.2 Ensure telnet client is not installed (Scored) .......................................................... 171
• [x] 2.3.3 Ensure LDAP client is not installed (Scored) .......................................................... 173

3 Network Configuration 3.1 Network Parameters (Host Only)

• [x] 3.1.1 Ensure IP forwarding is disabled (Scored) .............................................................. 176
• [x] 3.1.2 Ensure packet redirect sending is disabled (Scored) .......................................... 178

3.2 Network Parameters (Host and Router)

• [x] 3.2.1 Ensure source routed packets are not accepted (Scored) ................................. 181
• [x] 3.2.2 Ensure ICMP redirects are not accepted (Scored) ................................................ 184
• [x] 3.2.3 Ensure secure ICMP redirects are not accepted (Scored) .................................. 187
• [x] 3.2.4 Ensure suspicious packets are logged (Scored) ..................................................... 189
• [x] 3.2.5 Ensure broadcast ICMP requests are ignored (Scored) ...................................... 191
• [x] 3.2.6 Ensure bogus ICMP responses are ignored (Scored) ........................................... 193
• [x] 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) .............................................. 195
• [x] 3.2.8 Ensure TCP SYN Cookies is enabled (Scored) ......................................................... 197

• [x] 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored) ...................... 199

  3.3 Uncommon Network Protocols

• [x] 3.3.1 Ensure DCCP is disabled (Scored) ............................................................................... 202
• [x] 3.3.2 Ensure SCTP is disabled (Scored) ................................................................................ 203
• [x] 3.3.3 Ensure RDS is disabled (Scored) .................................................................................. 204
• [x] 3.3.4 Ensure TIPC is disabled (Scored)................................................................................. 205

3.4 Firewall Configuration 3.4.1 Ensure Firewall software is installed

• [x] 3.4.1.1 Ensure a Firewall package is installed (Scored) ................................................. 208

  3.4.2 Configure firewalld

• [x] 3.4.2.1 Ensure firewalld service is enabled and running (Scored) ............................ 211
• [x] 3.4.2.2 Ensure iptables is not enabled (Scored) ................................................................ 213
• [x] 3.4.2.3 Ensure nftables is not enabled (Scored) ................................................................ 215
• [ ] 3.4.2.4 Ensure default zone is set (Scored) ......................................................................... 217
• [ ] 3.4.2.5 Ensure network interfaces are assigned to appropriate zone (Not Scored)

• [ ] 3.4.2.6 Ensure unnecessary services and ports are not accepted (Not Scored) ... 221

  3.4.3 Configure nftables

• [x] 3.4.3.1 Ensure iptables are flushed (Not Scored) ............................................................. 227
• [x] 3.4.3.2 Ensure a table exists (Scored) ................................................................................... 229
• [x] 3.4.3.3 Ensure base chains exist (Scored) ........................................................................... 231
• [ ] 3.4.3.4 Ensure loopback traffic is configured (Scored) .................................................. 233
• [ ] 3.4.3.5 Ensure outbound and established connections are configured (Not Scored)
• [x] 3.4.3.6 Ensure default deny firewall policy (Scored) ...................................................... 237
• [x] 3.4.3.7 Ensure nftables service is enabled (Scored) ........................................................ 239
• [ ] 3.4.3.8 Ensure nftables rules are permanent (Scored) ................................................... 240

3.4.4 Configure iptables

• [x] 3.4.4.1.1 Ensure default deny firewall policy (Scored) .................................................. 246

• [x] 3.4.4.1.2 Ensure loopback traffic is configured (Scored)............................................... 248

• [ ] 3.4.4.1.3 Ensure outbound and established connections are configured (Not Scored)

• [ ] 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored) ................................ 252

• [x] 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored) ........................................ 256

• [x] 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored) .................................... 258

• [ ] 3.4.4.2.3 Ensure IPv6 outbound and established connections are configured (Not Scored)

• [ ] 3.4.4.2.4 Ensure IPv6 firewall rules exist for all open ports (Not Scored) ............. 262

• [x] 3.5 Ensure wireless interfaces are disabled (Scored) .................................................... 265

• [x] 3.6 Disable IPv6 (Not Scored) .................................................................................................. 267

  4 Logging and Auditing 4.1 Configure System Accounting (auditd)

4.1.1 Ensure auditing is enabled

• [x] 4.1.1.1 Ensure auditd is installed (Scored) ......................................................................... 271
• [x] 4.1.1.2 Ensure auditd service is enabled (Scored) ........................................................... 272
• [x] 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)
• [x] 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored) .............................................. 276

4.1.2 Configure Data Retention

• [x] 4.1.2.1 Ensure audit log storage size is configured (Scored) ....................................... 279

• [x] 4.1.2.2 Ensure audit logs are not automatically deleted (Scored) ............................. 281

• [x] 4.1.2.3 Ensure system is disabled when audit logs are full (Scored) ........................ 283

• [x] 4.1.3 Ensure changes to system administration scope (sudoers) is collected (Scored)

• [x] 4.1.4 Ensure login and logout events are collected (Scored) ....................................... 286

• [x] 4.1.5 Ensure session initiation information is collected (Scored) ............................. 288

• [x] 4.1.6 Ensure events that modify date and time information are collected (Scored)

• [x] 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected (Scored)

• [x] 4.1.8 Ensure events that modify the system's network environment are collected (Scored)

• [x] 4.1.9 Ensure discretionary access control permission modification events are collected (Scored)

• [x] 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected (Scored)

• [x] 4.1.11 Ensure events that modify user/group information are collected (Scored)

• [x] 4.1.12 Ensure successful file system mounts are collected (Scored) ....................... 304

• [ ] 4.1.13 Ensure use of privileged commands is collected (Scored) .............................. 306

• [x] 4.1.14 Ensure file deletion events by users are collected (Scored) ........................... 308

• [x] 4.1.15 Ensure kernel module loading and unloading is collected (Scored) ........... 310

• [x] 4.1.16 Ensure system administrator actions (sudolog) are collected (Scored) ... 312

• [x] 4.1.17 Ensure the audit configuration is immutable (Scored) .................................... 314

4.2 Configure Logging 4.2.1 Configure rsyslog

• [x] 4.2.1.1 Ensure rsyslog is installed (Scored) ........................................................................ 318
• [x] 4.2.1.2 Ensure rsyslog Service is enabled (Scored) ......................................................... 319
• [x] 4.2.1.3 Ensure rsyslog default file permissions configured (Scored) ....................... 321
• [ ] 4.2.1.4 Ensure logging is configured (Not Scored) ........................................................... 323
• [x] 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host (Scored) . 325
• [ ] 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. (Not Scored)

4.2.2 Configure journald

• [x] 4.2.2.1 Ensure journald is configured to send logs to rsyslog (Scored) ................... 330
• [x] 4.2.2.2 Ensure journald is configured to compress large log files (Scored) ........... 332
• [x] 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk (Scored)
• [x] 4.2.3 Ensure permissions on all logfiles are configured (Scored) .............................. 336

• [ ] 4.3 Ensure logrotate is configured (Not Scored) .............................................................. 337

  5 Access, Authentication and Authorization 5.1 Configure cron

• [x] 5.1.1 Ensure cron daemon is enabled (Scored) ................................................................. 341
• [x] 5.1.2 Ensure permissions on /etc/crontab are configured (Scored) ........................ 342
• [x] 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored) ................ 343
• [x] 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored) ................... 345
• [x] 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored) ............... 347
• [x] 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored) ............ 349
• [x] 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored) ........................... 351
• [x] 5.1.8 Ensure at/cron is restricted to authorized users (Scored) ................................ 353

5.2 SSH Server Configuration

• [x] 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored) ....... 356
• [x] 5.2.2 Ensure SSH access is limited (Scored) ....................................................................... 357
• [x] 5.2.3 Ensure permissions on SSH private host key files are configured (Scored)
• [x] 5.2.4 Ensure permissions on SSH public host key files are configured (Scored)
• [x] 5.2.5 Ensure SSH LogLevel is appropriate (Scored) ........................................................ 363
• [x] 5.2.6 Ensure SSH X11 forwarding is disabled (Scored) ................................................. 365
• [x] 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored) ........................................ 366
• [x] 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored) ....................................................... 367
• [x] 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored).............................. 368
• [x] 5.2.10 Ensure SSH root login is disabled (Scored) ........................................................... 369
• [x] 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored) ............................. 370
• [x] 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored) ............................ 371
• [x] 5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored) ............................... 372
• [x] 5.2.14 Ensure SSH LoginGraceTime is set to one minute or less (Scored) ............. 374
• [x] 5.2.15 Ensure SSH warning banner is configured (Scored) ......................................... 376
• [x] 5.2.16 Ensure SSH PAM is enabled (Scored) ...................................................................... 377
• [x] 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored) ................................... 379
• [ ] 5.2.18 Ensure SSH MaxStartups is configured (Scored) ................................................ 381
• [x] 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored) ......................................... 382
• [x] 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored) ................... 383

5.3 Configure authselect

• [x] 5.3.1 Create custom authselect profile (Scored) ............................................................... 385
• [ ] 5.3.2 Select authselect profile (Scored) ................................................................................ 386
• [x] 5.3.3 Ensure authselect includes with-faillock (Scored) ............................................... 388

5.4 Configure PAM

• [x] 5.4.1 Ensure password creation requirements are configured (Scored) ................ 391
• [x] 5.4.2 Ensure lockout for failed password attempts is configured (Scored) ........... 394
• [x] 5.4.3 Ensure password reuse is limited (Scored) ............................................................. 396
• [x] 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored) ............................... 398

5.5 User Accounts and Environment 5.5.1 Set Shadow Password Suite Parameters

• [x] 5.5.1.1 Ensure password expiration is 365 days or less (Scored) ............................. 402

• [x] 5.5.1.2 Ensure minimum days between password changes is 7 or more (Scored)

• [x] 5.5.1.3 Ensure password expiration warning days is 7 or more (Scored) ............. 406

• [x] 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored) ........................... 408

• [ ] 5.5.1.5 Ensure all users last password change date is in the past (Scored) ........... 410

• [ ] 5.5.2 Ensure system accounts are secured (Scored) ....................................................... 411

• [x] 5.5.3 Ensure default user shell timeout is 900 seconds or less (Scored) ................ 413

• [x] 5.5.4 Ensure default group for the root account is GID 0 (Scored) ........................... 415

• [x] 5.5.5 Ensure default user umask is 027 or more restrictive (Scored) ..................... 416

• [ ] 5.6 Ensure root login is restricted to system console (Not Scored) .......................... 418

• [x] 5.7 Ensure access to the su command is restricted (Scored) ...................................... 419

6 System Maintenance 6.1 System File Permissions

• [ ] 6.1.1 Audit system file permissions (Not Scored) ............................................................ 423
• [x] 6.1.2 Ensure permissions on /etc/passwd are configured (Scored) ........................ 426
• [x] 6.1.3 Ensure permissions on /etc/shadow are configured (Scored) ........................ 427
• [x] 6.1.4 Ensure permissions on /etc/group are configured (Scored) ........................... 428
• [x] 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored) ..................... 429
• [x] 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored) ...................... 430
• [x] 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored) ...................... 431
• [x] 6.1.8 Ensure permissions on /etc/group- are configured (Scored) .......................... 433
• [x] 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored) .................... 434
• [ ] 6.1.10 Ensure no world writable files exist (Scored) ...................................................... 435
• [ ] 6.1.11 Ensure no unowned files or directories exist (Scored) .................................... 437
• [ ] 6.1.12 Ensure no ungrouped files or directories exist (Scored) ................................. 439
• [ ] 6.1.13 Audit SUID executables (Not Scored) ...................................................................... 441
• [ ] 6.1.14 Audit SGID executables (Not Scored) ...................................................................... 443

6.2 User and Group Settings

• [x] 6.2.1 Ensure password fields are not empty (Scored) ................................................... 446
• [x] 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored) ............................ 447
• [ ] 6.2.3 Ensure root PATH Integrity (Scored) ......................................................................... 448
• [x] 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored) ............................ 449
• [x] 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored) ................................ 450
• [x] 6.2.6 Ensure root is the only UID 0 account (Scored) ..................................................... 451
• [ ] 6.2.7 Ensure users' home directories permissions are 750 or more restrictive (Scored)
• [ ] 6.2.8 Ensure users own their home directories (Scored) ............................................. 454
• [ ] 6.2.9 Ensure users' dot files are not group or world writable (Scored) .................. 456
• [ ] 6.2.10 Ensure no users have .forward files (Scored) ...................................................... 458
• [ ] 6.2.11 Ensure no users have .netrc files (Scored) ............................................................ 460
• [ ] 6.2.12 Ensure users' .netrc Files are not group or world accessible (Scored) ...... 462
• [ ] 6.2.13 Ensure no users have .rhosts files (Scored) .......................................................... 465
• [ ] 6.2.14 Ensure all groups in /etc/passwd exist in /etc/group (Scored) .................. 467
• [ ] 6.2.15 Ensure no duplicate UIDs exist (Scored) ................................................................ 468
• [ ] 6.2.16 Ensure no duplicate GIDs exist (Scored) ................................................................ 469
• [ ] 6.2.17 Ensure no duplicate user names exist (Scored) .................................................. 470
• [ ] 6.2.18 Ensure no duplicate group names exist (Scored) ............................................... 471
• [ ] 6.2.19 Ensure shadow group is empty (Scored) ............................................................... 472
• [ ] 6.2.20 Ensure all users' home directories exist (Scored) .............................................. 473

Testing

These checks have all been tested in different systems to be sure they were reliable on different environments.

• [x] Tested in official vagrant box: centos/8

• [x] Tested in reliable vagrant box: bento/centos-8

• [x] Tested in RHEL 8 machine in AWS

[K-Embee]

Added all section 2 checks. Currently tested 17/20

[mikykeane]

Finished subsection 1.1 and 1.2

[eliasgrana]

Added section 3 and section 5 checks.

[mikykeane]

Added section 1. Pending some reviews.

[K-Embee]

Added and tested section 4.

[72nomada]

Closing issue as it is solved by PR:

Adding SCA policies for RHEL 8 #714