Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
with profile DRAFT - ANSSI-BP-028 (minimal)

This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

The content ships in the scap-security-guide package, which is developed at https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
| Profile Title | DRAFT - ANSSI-BP-028 (minimal) |
|---|---|
| Profile ID | xccdf_org.ssgproject.content_profile_anssi_bp28_minimal |
Revision History
Current version: 0.1.62
- draft (as of 2022-07-07)
Platforms
- cpe:/o:redhat:enterprise_linux_coreos:4
Table of Contents

Checklist
contains 8 rules

System Settings (group)
Contains rules that check correct system settings.
contains 7 rules

Installing and Maintaining Software (group)
The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.
contains 3 rules

Sudo (group)
contains 2 rules
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate (rule)
The sudo
Rationale: Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
references: 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, IA-11, CM-6(a), SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, CCI-002038, 1, 12, 15, 16, 5, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, DSS05.04, DSS05.10, DSS06.03, DSS06.10, BP28(R5), BP28(R59), PR.AC-1, PR.AC-7, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD (rule)
The sudo
Rationale: Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
references: 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, IA-11, CM-6(a), SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, CCI-002038, 1, 12, 15, 16, 5, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, DSS05.04, DSS05.10, DSS06.03, DSS06.10, BP28(R5), BP28(R59), PR.AC-1, PR.AC-7, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
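The two rules above forbid the same thing from two directions: a NOPASSWD tag on a command list, and the !authenticate form of the Defaults flag. The following audit is an added example written for this guide, not part of scap-security-guide or its OVAL checks. It runs against constructed sudoers content embedded in the block (the paths are labels only), strips comments, joins backslash-continued lines so a tag split across lines is still seen, and reports every active line carrying either setting. The read_live_config helper for scanning a real host is this example's own assumption about where the files live.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample: one /etc/sudoers file and one /etc/sudoers.d snippet written for
# this example. The path keys are labels only; nothing here is read from a real host.
SAMPLE_SUDOERS: Dict[str, str] = {
    "/etc/sudoers": (
        "## Allow root to run any commands anywhere\n"
        "root    ALL=(ALL)       ALL\n"
        "# %wheel ALL=(ALL) NOPASSWD: ALL   (commented out, must not be flagged)\n"
        "Defaults    env_reset\n"
        "Defaults    !authenticate\n"
        "%wheel  ALL=(ALL)       ALL\n"
        "#includedir /etc/sudoers.d\n"
    ),
    "/etc/sudoers.d/deploy": (
        "deploy  ALL=(ALL)       NOPASSWD: /usr/bin/systemctl restart app\n"
        "ops     ALL=(ALL)       PASSWD: ALL\n"
    ),
}

# NOPASSWD is a tag in front of a command list; !authenticate negates the
# 'authenticate' Defaults flag. Either one removes the password prompt.
_NOPASSWD = re.compile(r"\bNOPASSWD\s*:")
_NOAUTH = re.compile(r"!\s*authenticate\b")


def strip_comment(line: str) -> str:
    """Remove a '#' comment. '#include'/'#includedir' directives vanish too, which is
    harmless here because those lines never carry the two tokens we look for."""
    return line.split("#", 1)[0].rstrip()


def logical_lines(text: str) -> List[Tuple[int, str]]:
    """Join backslash-continued lines so a tag split across lines is still seen.
    Returns (first_line_number, joined_text) pairs."""
    out: List[Tuple[int, str]] = []
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), start=1):
        line = strip_comment(raw)
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((start, buf + line))
        buf = ""
    if buf:  # file ended in the middle of a continuation
        out.append((start, buf))
    return out


def audit_sudoers(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, offending_line) for every active line that grants
    password-less escalation (NOPASSWD) or disables re-authentication (!authenticate)."""
    findings: List[Tuple[str, int, str]] = []
    for path, text in files.items():
        for n, line in logical_lines(text):
            if _NOPASSWD.search(line) or _NOAUTH.search(line):
                findings.append((path, n, line.strip()))
    return findings


def read_live_config(sudoers: str = "/etc/sudoers",
                     dropin_dir: str = "/etc/sudoers.d") -> Dict[str, str]:
    """Load the real files (needs root, since sudoers is normally mode 0440).
    The default paths are an assumption of this example."""
    paths = [sudoers]
    if os.path.isdir(dropin_dir):
        paths += sorted(os.path.join(dropin_dir, f) for f in os.listdir(dropin_dir))
    files: Dict[str, str] = {}
    for p in paths:
        if os.path.isfile(p):
            with open(p, encoding="utf-8", errors="replace") as fh:
                files[p] = fh.read()
    return files


if __name__ == "__main__":
    # Sample run; replace SAMPLE_SUDOERS with read_live_config() on a real host.
    for path, n, line in audit_sudoers(SAMPLE_SUDOERS):
        print(f"FAIL {path}:{n}: {line}")
```

The sample deliberately includes a commented-out NOPASSWD line and a PASSWD: tag, neither of which should be reported; only the live !authenticate Defaults entry and the NOPASSWD entry in the drop-in come back as findings.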
Updating Software (group)
The
contains 1 rule
Ensure Red Hat GPG Key Installed (rule)
To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must be properly installed. To install the Red Hat GPG key, run:
$ sudo subscription-manager register
If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
Alternatively, the key may be pre-loaded during the RHEL installation. In such cases, the key can be installed by running the following command:
$ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Rationale: Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.
identifiers: CCE-82754-3
references: 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), CCI-001749, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, 3.4.8, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, 11, 2, 3, 9, SRG-OS-000366-GPOS-00153, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, BP28(R15), SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, PR.DS-6, PR.DS-8, PR.IP-1, 5.10.4.1, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4
Account and Access Control (group)
In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which that account has access. Therefore, making it more difficult for unauthorized people to gain shell access to accounts, particularly to privileged accounts, is a necessary part of securing a system. This section introduces mechanisms for restricting access to accounts under Red Hat Enterprise Linux CoreOS 4.
contains 2 rules
Protect Accounts by Restricting Password-Based Login (group)
Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness using the
contains 2 rules
Set Password Expiration Parameters (group)
The file
$ sudo chage -M 180 -m 7 -W 7 USER
contains 2 rules
Set Password Maximum Age (rule)
To specify password maximum age for new accounts, edit the file
PASS_MAX_DAYS 90
A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is 90.
Rationale: Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
references: 3.5.6, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, CCI-000199, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, 1, 12, 15, 16, 5, SRG-OS-000076-GPOS-00044, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 0418, 1055, 1402, BP28(R18), Req-8.2.4, PR.AC-1, PR.AC-6, PR.AC-7, 5.6.2.1, IA-5(f), IA-5(1)(d), CM-6(a)
Set Password Minimum Length in login.defs (rule)
To specify password length requirements for new accounts, edit the file
PASS_MIN_LEN 18
The DoD requirement is 15. The FISMA requirement is 12. The profile requirement is 18.
If a program consults /etc/login.defs and also another PAM module (such as pam_pwquality) during a password change operation, then the most restrictive must be satisfied. See the PAM section for more information about enforcing password quality requirements.
Rationale: Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.
references: 3.5.7, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, CCI-000205, FMT_MOF_EXT.1, 1, 12, 15, 16, 5, SRG-OS-000078-GPOS-00046, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, BP28(R18), PR.AC-1, PR.AC-6, PR.AC-7, 5.6.2.1, IA-5(f), IA-5(1)(a), CM-6(a)
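The two login.defs rules above set numeric bounds (at most 90 days, at least 18 characters), which makes them easy to check offline. The following is an added example written for this guide, not scap-security-guide's own check: it parses a login.defs-style file and compares PASS_MAX_DAYS and PASS_MIN_LEN against those profile values, treating an absent key as a finding because the tools then fall back to their built-in defaults. The sample file content, the POLICY table and the assumption that a later duplicate key overrides an earlier one are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed /etc/login.defs excerpt written for this example (not from a real host).
# PASS_MAX_DAYS is above the profile's 90 and PASS_MIN_LEN is below the profile's 18,
# so both should be reported; the commented-out line must be ignored.
SAMPLE_LOGIN_DEFS = """\
# Password aging controls
PASS_MAX_DAYS\t99999
#PASS_MIN_DAYS\t7
PASS_MIN_LEN\t8
PASS_WARN_AGE\t7
UMASK\t077
"""

# The two values this profile sets (see the rules above): at most 90 days between
# password changes, at least 18 characters. Other keys can be added in the same shape.
POLICY: Dict[str, Tuple[str, int]] = {
    "PASS_MAX_DAYS": ("max", 90),
    "PASS_MIN_LEN": ("min", 18),
}

_SETTING = re.compile(r"^\s*([A-Z_]+)\s+(\S+)")


def parse_login_defs(text: str) -> Dict[str, str]:
    """Return the value of each active KEY VALUE line. Full-line comments are skipped.
    When a key appears twice the later line wins; this example assumes that is how
    shadow-utils loads the file, so a stray duplicate near the end would silently
    override a compliant value higher up."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        m = _SETTING.match(raw)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def audit_login_defs(text: str,
                     policy: Dict[str, Tuple[str, int]] = POLICY) -> List[str]:
    """Compare parsed values against the policy. An absent key is a finding as well,
    because the tools then use their built-in default rather than the profile value."""
    values = parse_login_defs(text)
    findings: List[str] = []
    for key, (kind, bound) in policy.items():
        raw = values.get(key)
        if raw is None:
            findings.append(f"{key} is not set (built-in default applies)")
            continue
        try:
            n = int(raw)
        except ValueError:
            findings.append(f"{key} has non-numeric value {raw!r}")
            continue
        # For a maximum, a value <= 0 means 'never expire' and fails as well.
        if kind == "max" and (n <= 0 or n > bound):
            findings.append(f"{key}={n} exceeds the maximum of {bound}")
        elif kind == "min" and n < bound:
            findings.append(f"{key}={n} is below the minimum of {bound}")
    return findings


if __name__ == "__main__":
    # Sample run; on a real host pass the contents of /etc/login.defs instead.
    for finding in audit_login_defs(SAMPLE_LOGIN_DEFS):
        print("FAIL", finding)
```

Remember the caveat from the rule text: when pam_pwquality is also consulted, the effective minimum length is the larger of the two values, so a compliant PASS_MIN_LEN does not by itself make the PAM side compliant.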
Configure Syslog (group)
The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lack of authentication for received messages, and lack of authentication, encryption, or reliable transport for messages sent over a network. However, due to its long history, syslog is a de facto standard which is supported by almost all Unix applications.
contains 2 rules
Ensure rsyslog is Installed (rule)
Rsyslog is installed by default. The
Rationale: The rsyslog package provides the rsyslog daemon, which provides system logging services.
references: 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 164.312(a)(2)(ii), A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, CCI-001311, CCI-001312, CCI-000366, FTP_ITC_EXT.1.1, 1, 14, 15, 16, 3, 5, 6, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, BP28(R5), NT28(R46), PR.PT-1, CM-6(a)
Enable rsyslog Service (rule)
The

```yaml
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-rsyslog-enable
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: rsyslog.service
        enabled: true
```

This will enable the
Note that this needs to be done for each
For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.
Rationale: The
references: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 164.312(a)(2)(ii), CM-6(a), AU-4(1), SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, SRG-OS-000480-GPOS-00227, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, BP28(R5), NT28(R46), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1
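A MachineConfig applies only to the pool selected by its machineconfiguration.openshift.io/role label, so the manifest above covers the master pool alone and the same change is easy to forget for the others. The following is an added example, not part of this guide or of the Machine Config Operator: it generates one enabling manifest per pool, and for detection reports which pools still lack a MachineConfig that enables a given unit (the input shape is that of MachineConfig objects, for instance the items of `oc get machineconfig -o json`). The function names, the JSON output and the default pool list of master and worker are assumptions of this example; the naming scheme mirrors the guide's 75-master-rsyslog-enable.

```python
import json
from typing import Dict, Iterable, List, Set

ROLE_LABEL = "machineconfiguration.openshift.io/role"


def machineconfig_enable_units(role: str, units: Iterable[str],
                               ignition_version: str = "3.1.0") -> Dict:
    """Build one MachineConfig that enables the given systemd units for one pool.
    The '75-<role>-<unit>-enable' name mirrors the guide's 75-master-rsyslog-enable;
    handling several units and roles is this example's own generalisation."""
    units = list(units)
    stems = [u[:-len(".service")] if u.endswith(".service") else u for u in units]
    return {
        "apiVersion": "machineconfiguration.openshift.io/v1",
        "kind": "MachineConfig",
        "metadata": {
            "labels": {ROLE_LABEL: role},
            "name": f"75-{role}-{'-'.join(stems)}-enable",
        },
        "spec": {
            "config": {
                "ignition": {"version": ignition_version},
                "systemd": {"units": [{"name": u, "enabled": True} for u in units]},
            }
        },
    }


def manifests_for_pools(roles: Iterable[str], units: Iterable[str]) -> List[Dict]:
    """One MachineConfig per pool, because the role label selects exactly one pool."""
    units = list(units)
    return [machineconfig_enable_units(r, units) for r in roles]


def pools_enabling_unit(machineconfigs: Iterable[Dict], unit: str) -> Set[str]:
    """Return the roles whose MachineConfigs enable `unit`. Units that are disabled
    or masked do not count, and objects without a role label are ignored."""
    roles: Set[str] = set()
    for mc in machineconfigs:
        role = mc.get("metadata", {}).get("labels", {}).get(ROLE_LABEL)
        units = mc.get("spec", {}).get("config", {}).get("systemd", {}).get("units", [])
        for u in units:
            if role and u.get("name") == unit and u.get("enabled") is True and not u.get("mask"):
                roles.add(role)
    return roles


def missing_pools(machineconfigs: Iterable[Dict], unit: str,
                  expected_roles: Iterable[str] = ("master", "worker")) -> Set[str]:
    """Pools that still lack an enabling MachineConfig for `unit`. The default list of
    expected pools is an assumption; clusters with custom pools should pass their own."""
    return set(expected_roles) - pools_enabling_unit(list(machineconfigs), unit)


if __name__ == "__main__":
    # Emit JSON manifests (oc apply accepts JSON as well as YAML) for both default pools.
    for mc in manifests_for_pools(["master", "worker"], ["rsyslog.service"]):
        print(json.dumps(mc, indent=2))
```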
Services (group)
The best protection against vulnerable software is running less software. This section describes how to review the software which Red Hat Enterprise Linux CoreOS 4 installs on a system and disable software which is not needed. It then enumerates the software packages installed on a default Red Hat Enterprise Linux CoreOS 4 system and provides guidance about which ones can be safely disabled.
contains 1 rule
Mail Server Software (group)
Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not running MTAs unnecessarily, and configure needed MTAs as defensively as possible.
contains 1 rule
Uninstall Sendmail Package (rule)
Sendmail is not the default mail transfer agent and is not installed by default. The
Rationale: The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.
references: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, CCI-000381, 11, 14, 3, 9, SRG-OS-000480-GPOS-00227, SRG-OS-000095-GPOS-00049, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, BP28(R1), PR.IP-1, PR.PT-3, CM-7(a), CM-7(b), CM-6(a)