Guide to the Secure Configuration of Red Hat Enterprise Linux 7
with profile ANSSI DAT-NT28 (minimal)
Draft profile for ANSSI compliance at the minimal level. ANSSI stands for Agence nationale de la sécurité des systèmes d'information. Based on https://www.ssi.gouv.fr/.
scap-security-guide package, which is developed at https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Red Hat Enterprise Linux 7, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
This benchmark is a direct port of a SCAP Security Guide benchmark developed for Red Hat Enterprise Linux. It has been modified through an automated process to remove specific dependencies on Red Hat Enterprise Linux and to function with Scientific Linux. The result is a generally useful SCAP Security Guide benchmark with the following caveats:
- Scientific Linux is not an exact copy of Red Hat Enterprise Linux. Scientific Linux is a Linux distribution produced by Fermi National Accelerator Laboratory. It is a free and open source operating system based on Red Hat Enterprise Linux and aims to be "as close to the commercial enterprise distribution as we can get it." There may be configuration differences that produce false positives and/or false negatives. If this occurs, please file a bug report.
- Scientific Linux is derived from the free and open source software made available by Red Hat, but it is not produced, maintained or supported by Red Hat. Scientific Linux has its own build system, compiler options and patchsets, and is a community-supported, non-commercial operating system. Scientific Linux does not inherit certifications or evaluations from Red Hat Enterprise Linux. As such, some configuration rules (such as those requiring FIPS 140-2 encryption) will continue to fail on Scientific Linux.
Members of the Scientific Linux community are invited to participate in OpenSCAP and SCAP Security Guide development. Bug reports and patches can be sent to GitHub: https://github.com/OpenSCAP/scap-security-guide. The mailing list is at https://fedorahosted.org/mailman/listinfo/scap-security-guide.
Profile Title | ANSSI DAT-NT28 (minimal)
---|---
Profile ID | xccdf_org.ssgproject.content_profile_anssi_nt28_minimal
Revision History
Current version: 0.1.38
- draft (as of 2018-03-05)
Platforms
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:scientificlinux:scientificlinux:7
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
Table of Contents
Checklist
contains 8 rules
System Settings (group): Contains rules that check correct system settings.
contains 8 rules
Installing and Maintaining Software (group): The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.
contains 2 rules
Sudo (group)
contains 2 rules
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD (rule)
The sudo
Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
Severity: medium. References: SV-86571r1_rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate (rule)
The sudo
Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
Severity: medium. References: SV-86573r2_rule
File Permissions and Masks (group)
Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access.
$ mount -t xfs | awk '{print $3}'
For any systems that use a different local filesystem type, modify this command as appropriate.
contains 4 rules
Verify Permissions on Important Files and Directories (group): Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verified to ensure that no harmful discrepancies have arisen.
contains 4 rules
Verify Permissions on Files with Local Account Information and Credentials (group): The default restrictive permissions for files which act as important security databases such as
contains 4 rules
Verify Permissions on shadow File (rule)
To properly set the permissions of
$ sudo chmod 0000 /etc/shadow
Rationale: The
Severity: medium
Verify Permissions on group File (rule)
To properly set the permissions of
$ sudo chmod 644 /etc/group
Rationale: The
Severity: medium
Verify Permissions on gshadow File (rule)
To properly set the permissions of
$ sudo chmod 0000 /etc/gshadow
Rationale: The
Severity: medium
Verify Permissions on passwd File (rule)
To properly set the permissions of
$ sudo chmod 0644 /etc/passwd
Rationale: If the
Severity: medium
Configure Syslog (group)
The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lack of authentication for received messages, and lack of authentication, encryption, or reliable transport for messages sent over a network. However, due to its long history, syslog is a de facto standard which is supported by almost all Unix applications.
contains 2 rules
Ensure rsyslog is Installed (rule)
Rsyslog is installed by default.
The
$ sudo yum install rsyslog
Rationale: The rsyslog package provides the rsyslog daemon, which provides system logging services.
Severity: medium. References: AU-9(2), CCI-001311, CCI-001312, 4.2.3, NT28(R5), NT28(R46), 164.312(a)(2)(ii), A.12.3.1
Enable rsyslog Service (rule)
The
$ sudo systemctl enable rsyslog.service
Rationale: The
Severity: medium. References: AU-4(1), AU-12, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.2.1.1, NT28(R5), NT28(R46), 164.312(a)(2)(ii), A.12.3.1
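The following audit script is an added example and not part of the SCAP Security Guide content: it checks the eight rules of this profile (the two sudo re-authentication rules, the four account-file permission rules, and the two rsyslog rules) with small functions that take file paths, so they can be exercised against constructed sample files. It assumes GNU `stat -c %a`, that `rpm` and `systemctl` are available for the live checks, that sudo's `/etc/sudoers.d` drop-in directory is in scope alongside `/etc/sudoers`, and that the live audit runs as root so the sudoers files are readable.

```shell
#!/bin/sh
# Added audit helpers (not SSG code) for the eight rules of this profile.
# Each check returns 0 on pass and non-zero on fail, so it can be tested
# against sample files or run against the live system with --audit.

# Sudo rules: pass only if no active (non-comment) line in the given
# sudoers file(s) grants NOPASSWD or sets the !authenticate default.
check_sudoers_reauth() {
    if cat "$@" 2>/dev/null | grep -v '^[[:space:]]*#' \
            | grep -Eq 'NOPASSWD|!authenticate'; then
        return 1
    fi
    return 0
}

# Permission rules: pass if the file's mode sets no bit that the expected
# octal mode ($2) does not, i.e. it is equal to or more restrictive than
# expected. The leading 0 forces octal arithmetic (GNU stat assumed).
check_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ $(( 0$actual & ~0$2 )) -eq 0 ]
}

# Syslog rules as the page states them: package installed, unit enabled.
check_rsyslog_installed() { rpm -q rsyslog >/dev/null 2>&1; }
check_rsyslog_enabled() { systemctl is-enabled rsyslog.service >/dev/null 2>&1; }

# Runs every check against the live system, printing one line per rule.
audit_live_system() {
    rc=0
    report() { if "$@"; then echo "PASS $*"; else echo "FAIL $*"; rc=1; fi; }
    report check_sudoers_reauth /etc/sudoers /etc/sudoers.d/*
    report check_mode /etc/shadow  0000
    report check_mode /etc/gshadow 0000
    report check_mode /etc/group   0644
    report check_mode /etc/passwd  0644
    report check_rsyslog_installed
    report check_rsyslog_enabled
    return $rc
}

if [ "${1-}" = "--audit" ]; then audit_live_system; fi
```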