From 294a7b225581b89a8029143e18e14cd961fcff7d Mon Sep 17 00:00:00 2001
From: shaneboulden <shane.boulden@gmail.com>
Date: Sun, 22 Sep 2019 06:10:57 +1000
Subject: [PATCH] Add Essential Eight profiles
|
The Australian Cyber Security Centre (ACSC) Essential Eight provides
a baseline for cyber resilience.
|
A copy of the Essential Eight in Linux Environments guide can be found
at the ACSC website:
|
https://www.cyber.gov.au/publications/essential-eight-in-linux-environments
---
rhel7/profiles/e8.profile | 132 ++++++++++++++++++++++++++++++++++++
rhel8/profiles/e8.profile | 138 ++++++++++++++++++++++++++++++++++++++
2 files changed, 270 insertions(+)
create mode 100644 rhel7/profiles/e8.profile
create mode 100644 rhel8/profiles/e8.profile
|
diff --git a/rhel7/profiles/e8.profile b/rhel7/profiles/e8.profile
|
|
|
44eea6 |
new file mode 100644
|
|
|
44eea6 |
index 0000000000..27ff2a58e6
|
|
|
44eea6 |
--- /dev/null
|
|
|
44eea6 |
+++ b/rhel7/profiles/e8.profile
|
|
|
44eea6 |
@@ -0,0 +1,132 @@
|
|
|
44eea6 |
+documentation_complete: true
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+title: 'Australian Cyber Security Centre (ACSC) Essential Eight'
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+description: |-
|
|
|
44eea6 |
+ This profile contains configuration checks for Red Hat Enterprise Linux 7
|
|
|
44eea6 |
+ that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ A copy of the Essential Eight in Linux Environments guide can be found at the
|
|
|
44eea6 |
+ ACSC website:
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ https://www.cyber.gov.au/publications/essential-eight-in-linux-environments
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+selections:
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### Remove obsolete packages
|
|
|
44eea6 |
+ - package_talk_removed
|
|
|
44eea6 |
+ - package_talk-server_removed
|
|
|
44eea6 |
+ - package_xinetd_removed
|
|
|
44eea6 |
+ - service_xinetd_disabled
|
|
|
44eea6 |
+ - package_ypbind_removed
|
|
|
44eea6 |
+ - package_telnet_removed
|
|
|
44eea6 |
+ - service_telnet_disabled
|
|
|
44eea6 |
+ - package_telnet-server_removed
|
|
|
44eea6 |
+ - package_rsh_removed
|
|
|
44eea6 |
+ - package_rsh-server_removed
|
|
|
44eea6 |
+ - service_zebra_disabled
|
|
|
44eea6 |
+ - package_quagga_removed
|
|
|
44eea6 |
+ - service_avahi-daemon_disabled
|
|
|
44eea6 |
+ - package_squid_removed
|
|
|
44eea6 |
+ - service_squid_disabled
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### Software update
|
|
|
44eea6 |
+ - ensure_redhat_gpgkey_installed
|
|
|
44eea6 |
+ - ensure_gpgcheck_never_disabled
|
|
|
44eea6 |
+ - ensure_gpgcheck_local_packages
|
|
|
44eea6 |
+ - ensure_gpgcheck_globally_activated
|
|
|
44eea6 |
+ - security_patches_up_to_date
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### System security settings
|
|
|
44eea6 |
+ - sysctl_kernel_randomize_va_space
|
|
|
44eea6 |
+ - sysctl_kernel_exec_shield
|
|
|
44eea6 |
+ - sysctl_kernel_kptr_restrict
|
|
|
44eea6 |
+ - sysctl_kernel_dmesg_restrict
|
|
|
44eea6 |
+ - sysctl_kernel_kexec_load_disabled
|
|
|
44eea6 |
+ - sysctl_kernel_yama_ptrace_scope
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### SELinux
|
|
|
44eea6 |
+ - var_selinux_state=enforcing
|
|
|
44eea6 |
+ - selinux_state
|
|
|
44eea6 |
+ - var_selinux_policy_name=targeted
|
|
|
44eea6 |
+ - selinux_policytype
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### Filesystem integrity
|
|
|
44eea6 |
+ - rpm_verify_hashes
|
|
|
44eea6 |
+ - rpm_verify_permissions
|
|
|
44eea6 |
+ - rpm_verify_ownership
|
|
|
44eea6 |
+ - file_permissions_unauthorized_sgid
|
|
|
44eea6 |
+ - file_permissions_unauthorized_suid
|
|
|
44eea6 |
+ - file_permissions_unauthorized_world_writable
|
|
|
44eea6 |
+ - dir_perms_world_writable_sticky_bits
|
|
|
44eea6 |
+ - file_permissions_library_dirs
|
|
|
44eea6 |
+ - file_ownership_binary_dirs
|
|
|
44eea6 |
+ - file_permissions_binary_dirs
|
|
|
44eea6 |
+ - file_ownership_library_dirs
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### Passwords
|
|
|
44eea6 |
+ - no_empty_passwords
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### Partitioning
|
|
|
44eea6 |
+ - mount_option_dev_shm_nodev
|
|
|
44eea6 |
+ - mount_option_dev_shm_nosuid
|
|
|
44eea6 |
+ - mount_option_dev_shm_noexec
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### Network
|
|
|
44eea6 |
+ - package_firewalld_installed
|
|
|
44eea6 |
+ - service_firewalld_enabled
|
|
|
44eea6 |
+ - network_sniffer_disabled
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### Admin privileges
|
|
|
44eea6 |
+ - sudo_remove_nopasswd
|
|
|
44eea6 |
+ - sudo_remove_no_authenticate
|
|
|
44eea6 |
+ - sudo_require_authentication
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### Audit
|
|
|
44eea6 |
+ - package_rsyslog_installed
|
|
|
44eea6 |
+ - service_rsyslog_enabled
|
|
|
44eea6 |
+ - service_auditd_enabled
|
|
|
44eea6 |
+ - var_auditd_flush=incremental_async
|
|
|
44eea6 |
+ - auditd_data_retention_flush
|
|
|
44eea6 |
+ - auditd_local_events
|
|
|
44eea6 |
+ - auditd_write_logs
|
|
|
44eea6 |
+ - auditd_log_format
|
|
|
44eea6 |
+ - auditd_freq
|
|
|
44eea6 |
+ - auditd_name_format
|
|
|
44eea6 |
+ - audit_rules_login_events_tallylog
|
|
|
44eea6 |
+ - audit_rules_login_events_faillock
|
|
|
44eea6 |
+ - audit_rules_login_events_lastlog
|
|
|
44eea6 |
+ - audit_rules_login_events
|
|
|
44eea6 |
+ - audit_rules_time_adjtimex
|
|
|
44eea6 |
+ - audit_rules_time_clock_settime
|
|
|
44eea6 |
+ - audit_rules_time_watch_localtime
|
|
|
44eea6 |
+ - audit_rules_time_settimeofday
|
|
|
44eea6 |
+ - audit_rules_time_stime
|
|
|
44eea6 |
+ - audit_rules_execution_restorecon
|
|
|
44eea6 |
+ - audit_rules_execution_chcon
|
|
|
44eea6 |
+ - audit_rules_execution_semanage
|
|
|
44eea6 |
+ - audit_rules_execution_setsebool
|
|
|
44eea6 |
+ - audit_rules_execution_setfiles
|
|
|
44eea6 |
+ - audit_rules_execution_seunshare
|
|
|
44eea6 |
+ - audit_rules_sysadmin_actions
|
|
|
44eea6 |
+ - audit_rules_networkconfig_modification
|
|
|
44eea6 |
+ - audit_rules_usergroup_modification
|
|
|
44eea6 |
+ - audit_rules_dac_modification_chmod
|
|
|
44eea6 |
+ - audit_rules_dac_modification_chown
|
|
|
44eea6 |
+ - audit_rules_kernel_module_loading
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### Secure access
|
|
|
44eea6 |
+ - sshd_disable_root_login
|
|
|
44eea6 |
+ - sshd_disable_gssapi_auth
|
|
|
44eea6 |
+ - sshd_use_strong_ciphers
|
|
|
44eea6 |
+ - sshd_print_last_log
|
|
|
44eea6 |
+ - sshd_use_priv_separation
|
|
|
44eea6 |
+ - sshd_do_not_permit_user_env
|
|
|
44eea6 |
+ - sshd_disable_rhosts_rsa
|
|
|
44eea6 |
+ - sshd_disable_rhosts
|
|
|
44eea6 |
+ - sshd_allow_only_protocol2
|
|
|
44eea6 |
+ - sshd_set_loglevel_info
|
|
|
44eea6 |
+ - sshd_disable_empty_passwords
|
|
|
44eea6 |
+ - sshd_disable_user_known_hosts
|
|
|
44eea6 |
+ - sshd_enable_strictmodes
|
|
|
44eea6 |
+ - sshd_use_strong_macs
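Review bot: The description states the checks "align to the Essential Eight", but the selections cover only part of the eight mitigation strategies — there is no selection for application control, multi-factor authentication or backups, and unlike the RHEL 8 profile there is no application-whitelisting section at all. The description should say so, otherwise an assessor may read a clean scan as Essential Eight compliance; for example add after the first paragraph `This profile covers the operating-system hardening, patching, administrative-privilege and logging aspects of the Essential Eight; application control, multi-factor authentication and backups are outside its scope and must be assessed separately.` Separately, `sshd_allow_only_protocol2` and `sshd_disable_rhosts_rsa` in the Secure access section target SSH protocol 1 directives that the OpenSSH shipped from RHEL 7.4 onward no longer supports, so their remediation appears to only write obsolete keywords into sshd_config; confirm they are still meaningful on the RHEL 7 releases this profile targets.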
|
|
|
44eea6 |
diff --git a/rhel8/profiles/e8.profile b/rhel8/profiles/e8.profile
|
|
|
44eea6 |
new file mode 100644
|
|
|
44eea6 |
index 0000000000..53b4c156e2
|
|
|
44eea6 |
--- /dev/null
|
|
|
44eea6 |
+++ b/rhel8/profiles/e8.profile
|
|
|
44eea6 |
@@ -0,0 +1,138 @@
|
|
|
44eea6 |
+documentation_complete: true
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+title: 'Australian Cyber Security Centre (ACSC) Essential Eight'
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+description: |-
|
|
|
44eea6 |
+ This profile contains configuration checks for Red Hat Enterprise Linux 8
|
|
|
44eea6 |
+ that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ A copy of the Essential Eight in Linux Environments guide can be found at the
|
|
|
44eea6 |
+ ACSC website:
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ https://www.cyber.gov.au/publications/essential-eight-in-linux-environments
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+selections:
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### Remove obsolete packages
|
|
|
44eea6 |
+ - package_talk_removed
|
|
|
44eea6 |
+ - package_talk-server_removed
|
|
|
44eea6 |
+ - package_xinetd_removed
|
|
|
44eea6 |
+ - service_xinetd_disabled
|
|
|
44eea6 |
+ - package_ypbind_removed
|
|
|
44eea6 |
+ - package_telnet_removed
|
|
|
44eea6 |
+ - service_telnet_disabled
|
|
|
44eea6 |
+ - package_telnet-server_removed
|
|
|
44eea6 |
+ - package_rsh_removed
|
|
|
44eea6 |
+ - package_rsh-server_removed
|
|
|
44eea6 |
+ - service_zebra_disabled
|
|
|
44eea6 |
+ - package_quagga_removed
|
|
|
44eea6 |
+ - service_avahi-daemon_disabled
|
|
|
44eea6 |
+ - package_squid_removed
|
|
|
44eea6 |
+ - service_squid_disabled
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### Software update
|
|
|
44eea6 |
+ - ensure_redhat_gpgkey_installed
|
|
|
44eea6 |
+ - ensure_gpgcheck_never_disabled
|
|
|
44eea6 |
+ - ensure_gpgcheck_local_packages
|
|
|
44eea6 |
+ - ensure_gpgcheck_globally_activated
|
|
|
44eea6 |
+ - security_patches_up_to_date
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### System security settings
|
|
|
44eea6 |
+ - sysctl_kernel_randomize_va_space
|
|
|
44eea6 |
+ - sysctl_kernel_exec_shield
|
|
|
44eea6 |
+ - sysctl_kernel_kptr_restrict
|
|
|
44eea6 |
+ - sysctl_kernel_dmesg_restrict
|
|
|
44eea6 |
+ - sysctl_kernel_kexec_load_disabled
|
|
|
44eea6 |
+ - sysctl_kernel_yama_ptrace_scope
|
|
|
44eea6 |
+ - sysctl_kernel_unprivileged_bpf_disabled
|
|
|
44eea6 |
+ - sysctl_net_core_bpf_jit_harden
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### SELinux
|
|
|
44eea6 |
+ - var_selinux_state=enforcing
|
|
|
44eea6 |
+ - selinux_state
|
|
|
44eea6 |
+ - var_selinux_policy_name=targeted
|
|
|
44eea6 |
+ - selinux_policytype
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### Filesystem integrity
|
|
|
44eea6 |
+ - rpm_verify_hashes
|
|
|
44eea6 |
+ - rpm_verify_permissions
|
|
|
44eea6 |
+ - rpm_verify_ownership
|
|
|
44eea6 |
+ - file_permissions_unauthorized_sgid
|
|
|
44eea6 |
+ - file_permissions_unauthorized_suid
|
|
|
44eea6 |
+ - file_permissions_unauthorized_world_writable
|
|
|
44eea6 |
+ - dir_perms_world_writable_sticky_bits
|
|
|
44eea6 |
+ - file_permissions_library_dirs
|
|
|
44eea6 |
+ - file_ownership_binary_dirs
|
|
|
44eea6 |
+ - file_permissions_binary_dirs
|
|
|
44eea6 |
+ - file_ownership_library_dirs
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### Passwords
|
|
|
44eea6 |
+ - no_empty_passwords
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### Partitioning
|
|
|
44eea6 |
+ - mount_option_dev_shm_nodev
|
|
|
44eea6 |
+ - mount_option_dev_shm_nosuid
|
|
|
44eea6 |
+ - mount_option_dev_shm_noexec
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### Network
|
|
|
44eea6 |
+ - package_firewalld_installed
|
|
|
44eea6 |
+ - service_firewalld_enabled
|
|
|
44eea6 |
+ - network_sniffer_disabled
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### Admin privileges
|
|
|
44eea6 |
+ - sudo_remove_nopasswd
|
|
|
44eea6 |
+ - sudo_remove_no_authenticate
|
|
|
44eea6 |
+ - sudo_require_authentication
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### Audit
|
|
|
44eea6 |
+ - package_rsyslog_installed
|
|
|
44eea6 |
+ - service_rsyslog_enabled
|
|
|
44eea6 |
+ - service_auditd_enabled
|
|
|
44eea6 |
+ - var_auditd_flush=incremental_async
|
|
|
44eea6 |
+ - auditd_data_retention_flush
|
|
|
44eea6 |
+ - auditd_local_events
|
|
|
44eea6 |
+ - auditd_write_logs
|
|
|
44eea6 |
+ - auditd_log_format
|
|
|
44eea6 |
+ - auditd_freq
|
|
|
44eea6 |
+ - auditd_name_format
|
|
|
44eea6 |
+ - audit_rules_login_events_tallylog
|
|
|
44eea6 |
+ - audit_rules_login_events_faillock
|
|
|
44eea6 |
+ - audit_rules_login_events_lastlog
|
|
|
44eea6 |
+ - audit_rules_login_events
|
|
|
44eea6 |
+ - audit_rules_time_adjtimex
|
|
|
44eea6 |
+ - audit_rules_time_clock_settime
|
|
|
44eea6 |
+ - audit_rules_time_watch_localtime
|
|
|
44eea6 |
+ - audit_rules_time_settimeofday
|
|
|
44eea6 |
+ - audit_rules_time_stime
|
|
|
44eea6 |
+ - audit_rules_execution_restorecon
|
|
|
44eea6 |
+ - audit_rules_execution_chcon
|
|
|
44eea6 |
+ - audit_rules_execution_semanage
|
|
|
44eea6 |
+ - audit_rules_execution_setsebool
|
|
|
44eea6 |
+ - audit_rules_execution_setfiles
|
|
|
44eea6 |
+ - audit_rules_execution_seunshare
|
|
|
44eea6 |
+ - audit_rules_sysadmin_actions
|
|
|
44eea6 |
+ - audit_rules_networkconfig_modification
|
|
|
44eea6 |
+ - audit_rules_usergroup_modification
|
|
|
44eea6 |
+ - audit_rules_dac_modification_chmod
|
|
|
44eea6 |
+ - audit_rules_dac_modification_chown
|
|
|
44eea6 |
+ - audit_rules_kernel_module_loading
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### Secure access
|
|
|
44eea6 |
+ - sshd_disable_root_login
|
|
|
44eea6 |
+ - sshd_disable_gssapi_auth
|
|
|
44eea6 |
+ - sshd_print_last_log
|
|
|
44eea6 |
+ - sshd_use_priv_separation
|
|
|
44eea6 |
+ - sshd_do_not_permit_user_env
|
|
|
44eea6 |
+ - sshd_disable_rhosts_rsa
|
|
|
44eea6 |
+ - sshd_disable_rhosts
|
|
|
44eea6 |
+ - sshd_allow_only_protocol2
|
|
|
44eea6 |
+ - sshd_set_loglevel_info
|
|
|
44eea6 |
+ - sshd_disable_empty_passwords
|
|
|
44eea6 |
+ - sshd_disable_user_known_hosts
|
|
|
44eea6 |
+ - sshd_enable_strictmodes
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+ ### Application whitelisting
|
|
|
44eea6 |
+ - package_fapolicyd_installed
|
|
|
44eea6 |
+ - service_fapolicyd_enabled
|
|
|
44eea6 |
+ - configure_fapolicyd_mounts
|
|
|
44eea6 |
+
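Review bot: `sshd_disable_rhosts_rsa` and `sshd_allow_only_protocol2` in the Secure access section check for `RhostsRSAAuthentication` and `Protocol 2`, directives that the OpenSSH 8.0 shipped with RHEL 8 no longer supports because protocol 1 was removed entirely, so the checks assert nothing and the remediation writes deprecated keywords into sshd_config; drop those two selections from the RHEL 8 profile. Conversely, the `sshd_use_strong_ciphers` and `sshd_use_strong_macs` rules present in the RHEL 7 profile are absent here, leaving this profile with no assertion at all about SSH cryptography. If the omission is deliberate because RHEL 8 governs SSH algorithms through system-wide crypto policies, select the rule that pins the crypto policy (and that sshd honours it) instead, and record the reason with a comment such as `### SSH ciphers/MACs are governed by the system-wide crypto policy on RHEL 8`.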
|