Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Verify User Who Owns /etc/chrony.keys File
To properly set the owner of/etc/chrony.keys, run the command:$ sudo chown root /etc/chrony.keys
Rule Medium Severity -
Verify Permissions On /etc/chrony.keys File
To properly set the permissions of/etc/chrony.keys, run the command:$ sudo chmod 0640 /etc/chrony.keys
Rule Medium Severity -
Enable the Hardware RNG Entropy Gatherer Service
The Hardware RNG Entropy Gatherer service should be enabled. The <code>rngd</code> service can be enabled with the following manifest: <pre> --- apiVersion: machineconfiguration.openshift.io/v1 ki...Rule Low Severity -
Install the Samba Common Package
Thesamba-commonpackage should be installed. Thesamba-commonpackage can be installed with the following command:$ sudo dnf install samba-common
Rule Medium Severity -
Uninstall net-snmp Package
Thenet-snmppackage provides the snmpd service. Thenet-snmppackage can be removed with the following command:$ sudo dnf remove net-snmp
Rule Unknown Severity -
Install the OpenSSH Server Package
Theopenssh-serverpackage should be installed. Theopenssh-serverpackage can be installed with the following command:$ sudo dnf install openssh-server
Rule Medium Severity -
Enable Smartcards in SSSD
SSSD should be configured to authenticate access to the system using smart cards. To enable smart cards in SSSD, set <code>pam_cert_auth</code> to <code>True</code> under the <code>[pam]</code> sec...Rule Medium Severity -
Disable SSH Server If Possible
Instead of using ssh to remotely log in to a cluster node, it is recommended to use <code>oc debug</code> The <code>sshd</code> service can be disabled with the following manifest: <pre> --- apiV...Rule High Severity -
Verify Permissions on SSH Server Public *.pub Key Files
To properly set the permissions of/etc/ssh/*.pub, run the command:$ sudo chmod 0644 /etc/ssh/*.pub
Rule Medium Severity -
Remove SSH Server iptables Firewall exception (Unusual)
By default, inbound connections to SSH's port are allowed. If the SSH server is not being used, this exception should be removed from the firewall configuration. <br> <br> Edit the files <co...Rule Unknown Severity -
Set SSH Client Alive Interval
SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automatically logged out. <br> <br> To set this t...Rule Medium Severity -
Disable SSH Support for .rhosts Files
SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via <code>.rhosts</code> files. <br> The default SSH configuration disables su...Rule Medium Severity -
Disable X11 Forwarding
The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. SSH has the capability to encrypt remote X11 connections when SSH...Rule Medium Severity -
Enable Public Key Authentication
Enable SSH login with public keys. <br> The default SSH configuration enables authentication based on public keys. The appropriate configuration is used if no value is set for <code>PubkeyAuthentic...Rule Medium Severity -
System Accounting with auditd
The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section makes use of recommended configuration settings for specific policies or use cases. The rules i...Group -
Enable the USBGuard Service
The USBGuard service should be enabled. The <code>usbguard</code> service can be enabled with the following manifest: <pre> --- apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig...Rule Medium Severity -
Extend Audit Backlog Limit for the Audit Daemon
To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument <code>audit_backlog_limit=8192</code> to all BLS (Boot Loader Specifica...Rule Medium Severity -
Enable Auditing for Processes Which Start Prior to the Audit Daemon
To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument <code>audit=1</code> to all BLS (Boot Loader Specification) entries ('options' line) for t...Rule Medium Severity -
Configure auditd Data Retention
The audit system writes data to <code>/var/log/audit/audit.log</code>. By default, <code>auditd</code> rotates 5 logs by size (6MB), retaining a maximum of 30MB of data in total, and refuses to wri...Group -
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group
The audit system should collect write events to /etc/group file for all group and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rule...Rule Medium Severity -
Record Events that Modify User/Group Information via openat syscall - /etc/group
The audit system should collect write events to /etc/group file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rule...Rule Medium Severity -
Record Events that Modify User/Group Information via open syscall - /etc/gshadow
The audit system should collect write events to /etc/gshadow file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit ru...Rule Medium Severity -
System Audit Logs Must Be Owned By Root
All audit logs must be owned by root user and group. By default, the path for audit log is <pre>/var/log/audit/</pre>. To properly set the owner of <code>/var/log/audit</code>, run the command: <p...Rule Medium Severity -
Record Events that Modify User/Group Information via open syscall - /etc/passwd
The audit system should collect write events to /etc/passwd file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rul...Rule Medium Severity -
Record Events that Modify User/Group Information via openat syscall - /etc/passwd
The audit system should collect write events to /etc/passwd file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rul...Rule Medium Severity -
Record Events that Modify User/Group Information via open syscall - /etc/shadow
The audit system should collect write events to /etc/shadow file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rul...Rule Medium Severity -
Record Events that Modify User/Group Information via openat syscall - /etc/shadow
The audit system should collect write events to /etc/shadow file for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rul...Rule Medium Severity -
Make the auditd Configuration Immutable
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <cod...Rule Medium Severity -
Record Events that Modify the System's Mandatory Access Controls
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <cod...Rule Medium Severity -
Record Events that Modify the System's Mandatory Access Controls in usr/share
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <cod...Rule Medium Severity -
Ensure auditd Collects Information on Exporting to Media (successful)
At a minimum, the audit system should collect media exportation events for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read aud...Rule Medium Severity -
Record Attempts to Alter Process and Session Initiation Information
The audit system already collects process information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during d...Rule Medium Severity -
Ensure auditd Collects System Administrator Actions
At a minimum, the audit system should collect administrator actions for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit ...Rule Medium Severity -
Record Events that Modify User/Group Information
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity -
Record Events that Modify User/Group Information - /etc/group
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity -
Audit Configuration Files Must Be Owned By Root
All audit configuration files must be owned by root user. To properly set the owner of <code>/etc/audit/</code>, run the command: <pre>$ sudo chown root /etc/audit/ </pre> To properly set the own...Rule Medium Severity -
Record Events that Modify User/Group Information - /etc/security/opasswd
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity -
Record Events that Modify User/Group Information - /etc/passwd
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity -
Record Events that Modify User/Group Information - /etc/shadow
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity -
Record Access Events to Audit Log Directory
The audit system should collect access events to read audit log directory. The following audit rule will assure that access to audit log directory are collected. <pre>-a always,exit -F dir=/var/log...Rule Medium Severity -
System Audit Logs Must Have Mode 0750 or Less Permissive
If <code>log_group</code> in <code>/etc/audit/auditd.conf</code> is set to a group other than the <code>root</code> group account, change the mode of the audit log files with the following command...Rule Medium Severity -
Audit Configuration Files Must Be Owned By Group root
All audit configuration files must be owned by group root.chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*Rule Medium Severity -
Record File Deletion Events by User
At a minimum, the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit r...Group -
Record Information on Kernel Modules Loading and Unloading
To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: <pr...Group -
Record Information on the Use of Privileged Commands
At a minimum, the audit system should collect the execution of privileged commands for all users and root.Group -
Records Events that Modify Date and Time Information
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time. All c...Group -
Ensure auditd Collects Information on Kernel Module Loading - init_module
To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: <pre>-a always,ex...Rule Medium Severity -
Record Attempts to Alter Logon and Logout Events
The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during dae...Group -
Record Events that Modify the System's Discretionary Access Controls - chown
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fchmod
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.