Skip to content
Log In

DRAFT - Australian Cyber Security Centre (ACSC) Essential Eight

Rules and Groups employed by this XCCDF Profile

  • System Settings

    Contains rules that check correct system settings.
    Group
    Show

  • Installing and Maintaining Software

    The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.
    Group
    Show

  • System and Software Integrity

    System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software, enabling SELinux, installing an Intrusion Prevent...
    Group
    Show

  • Software Integrity Checking

    Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integrity of installed software. AIDE uses snapshots of ...
    Group
    Show

  • Verify Integrity with RPM

    The RPM package management system includes the ability to verify the integrity of installed packages by comparing the installed files with information about the files taken from the package metadat...
    Group
    Show

  • Verify File Hashes with RPM

    Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed...
    Rule High Severity
    Show

  • System Cryptographic Policies

    Linux has the capability to centrally configure cryptographic polices. The command <code>update-crypto-policies</code> is used to set the policy applicable for the various cryptographic back-ends, ...
    Group
    Show

  • Configure System Cryptography Policy

    To configure the system cryptography policy to use ciphers only from the <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_system_crypto_policy" use="legacy"></xccdf-1.2:sub></code...
    Rule High Severity
    Show

  • Configure SSH to use System Crypto Policy

    Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configuration may be set up to ignore it. To check that C...
    Rule Medium Severity
    Show

  • Sudo

    <code>Sudo</code>, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrators. When configured for system users and/or groups...
    Group
    Show

  • Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate

    The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the <code>!authe...
    Rule Medium Severity
    Show

  • Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

    The sudo <code>NOPASSWD</code> tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the <code>NOPASSWD</code...
    Rule Medium Severity
    Show

  • Ensure Users Re-Authenticate for Privilege Escalation - sudo

    The sudo <code>NOPASSWD</code> and <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making ...
    Rule Medium Severity
    Show

  • Updating Software

    The <code>dnf</code> command line tool is used to install and update software packages. The system also provides a graphical software update tool in the <b>System</b> menu, in the <b>Administration...
    Group
    Show

  • Configure dnf-automatic to Install Only Security Updates

    To configure <code>dnf-automatic</code> to install only security updates automatically, set <code>upgrade_type</code> to <code>security</code> under <code>[commands]</code> section in <code>/etc/dn...
    Rule Low Severity
    Show

  • Ensure gpgcheck Enabled In Main dnf Configuration

    The <code>gpgcheck</code> option controls whether RPM packages' signatures are always checked prior to installation. To configure dnf to check package signatures before installing them, ensure the ...
    Rule High Severity
    Show

  • Ensure gpgcheck Enabled for Local Packages

    <code>dnf</code> should be configured to verify the signature(s) of local packages prior to installation. To configure <code>dnf</code> to verify signatures of local packages, set the <code>localpk...
    Rule High Severity
    Show

  • Ensure gpgcheck Enabled for All dnf Package Repositories

    To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form: 
    gpgcheck=0
    Rule High Severity
    Show

  • Ensure Red Hat GPG Key Installed

    To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. T...
    Rule High Severity
    Show

  • Account and Access Control

    In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which that account has access. Therefore, making it mor...
    Group
    Show

  • Enable authselect

    Configure user authentication setup to use the <code>authselect</code> tool. If authselect profile is selected, the rule will enable the <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var...
    Rule Medium Severity
    Show

  • Protect Accounts by Restricting Password-Based Login

    Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness using the <code>/etc/passwd</code> and <code>/etc/...
    Group
    Show

  • Verify Proper Storage and Existence of Password Hashes

    By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be readable only by processes running with root credent...
    Group
    Show

  • Prevent Login to Accounts With Empty Password

    If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the <code>...
    Rule High Severity
    Show

  • Restrict Root Logins

    Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivileged account, and then use <code>su</code> or <cod...
    Group
    Show

  • Verify Only Root Has UID 0

    If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. <br> If the account is asso...
    Rule High Severity
    Show

  • Configure Syslog

    The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lack of authentication for received messages, and lac...
    Group
    Show

  • Ensure rsyslog is Installed

    Rsyslog is installed by default. The rsyslog package can be installed with the following command: 
     $ sudo dnf install rsyslog
    Rule Medium Severity
    Show

  • Enable rsyslog Service

    The <code>rsyslog</code> service provides syslog-style logging by default on Red Hat Enterprise Linux 10. The <code>rsyslog</code> service can be enabled with the following command: <pre>$ sudo sy...
    Rule Medium Severity
    Show

  • Network Configuration and Firewalls

    Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses the security impact of decisions about networking wh...
    Group
    Show

  • Ensure System is Not Acting as a Network Sniffer

    The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuou...
    Rule Medium Severity
    Show

  • firewalld

    The dynamic firewall daemon <code>firewalld</code> provides a dynamically managed firewall with support for network “zones” to assign a level of trust to a network and its associated connections an...
    Group
    Show

  • Inspect and Activate Default firewalld Rules

    Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. <code>NetworkManager</code>...
    Group
    Show

  • Install firewalld Package

    The firewalld package can be installed with the following command: 
    $ sudo dnf install firewalld
    Rule Medium Severity
    Show

  • Verify firewalld Enabled

    The firewalld service can be enabled with the following command: 
    $ sudo systemctl enable firewalld.service
    Rule Medium Severity
    Show

  • File Permissions and Masks

    Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access. <br> <br> Severa...
    Group
    Show

  • Verify Permissions on Important Files and Directories

    Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verifie...
    Group
    Show

  • Verify that All World-Writable Directories Have Sticky Bits Set

    When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may ...
    Rule Medium Severity
    Show

  • Ensure All SGID Executables Are Authorized

    The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is determine if any were not install...
    Rule Medium Severity
    Show

  • Ensure All SUID Executables Are Authorized

    The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SUID files is determine if any were not installe...
    Rule Medium Severity
    Show

  • Ensure No World-Writable Files Exist

    It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor f...
    Rule Medium Severity
    Show

  • Verify File Permissions Within Some Important Directories

    Some directories contain files whose confidentiality or integrity is notably important and may also be susceptible to misconfiguration over time, particularly if unpackaged software is installed. A...
    Group
    Show

  • Verify that System Executables Have Root Ownership

    System executables are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin</pre> All files in these directories should be ...
    Rule Medium Severity
    Show

  • Verify that Shared Library Files Have Root Ownership

    System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: <pre>/lib /lib64 /usr/lib /usr/lib64 </pr...
    Rule Medium Severity
    Show

  • Verify that System Executables Have Restrictive Permissions

    System executables are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin</pre> All files in these directories should not...
    Rule Medium Severity
    Show

  • Verify that Shared Library Files Have Restrictive Permissions

    System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: <pre>/lib /lib64 /usr/lib /usr/lib64 </pr...
    Rule Medium Severity
    Show

  • Restrict Partition Mount Options

    System partitions can be mounted with certain options that limit what files on those partitions can do. These options are set in the <code>/etc/fstab</code> configuration file, and can be used to m...
    Group
    Show

  • Add nodev Option to /dev/shm

    The <code>nodev</code> mount option can be used to prevent creation of device files in <code>/dev/shm</code>. Legitimate character and block devices should not exist within temporary directories li...
    Rule Medium Severity
    Show

  • Add noexec Option to /dev/shm

    The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/dev/shm</code>. It can be dangerous to allow the execution of binaries from world-writable tem...
    Rule Medium Severity
    Show

  • Add nosuid Option to /dev/shm

    The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/dev/shm</code>. The SUID and SGID permissions should not be required in these world-writable dire...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules