<?xml version="1.0" encoding="UTF-8"?>
<!--
  XCCDF 1.2 tailoring document. It defines a single profile,
  xccdf_org.ssgproject.content_profile_oom, which extends the e8 profile and
  overrides its rule and group selection.
  NOTE(review): the document id and the benchmark path below suggest this was
  exported from SCAP Workbench; confirm.
-->
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
  <!--
    NOTE(review): href is an absolute path inside a randomly named directory
    under /tmp. It will not exist on another host, and /tmp is normally
    writable by every local user. Do not let a scanner pick its benchmark
    from this path; pass the intended, integrity-checked RHEL 8 data stream
    explicitly when applying this tailoring.
  -->
  <xccdf:benchmark href="/tmp/scap-workbench-KaINxd/ssg-rhel8-ds.xml"/>
  <!-- Tailoring revision 1. The time value has no zone designator. -->
  <xccdf:version time="2020-04-08T10:47:51">1</xccdf:version>
  <!--
    The profile inherits from e8 through extends=; the xccdf:select elements
    further down then switch individual rules and groups on or off.
    NOTE(review): the id suffix "oom" is not explained anywhere in this file.
    Judging by their names, the rules left enabled are RPM verification and
    filesystem permission checks, so this may be a scanner resource-usage
    test fixture rather than a hardening baseline; confirm before reuse.
  -->
  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_oom" extends="xccdf_org.ssgproject.content_profile_e8">
    <!--
      NOTE(review): title and description (override="true") still present
      this profile as aligned to the ACSC Essential Eight. The selectors
      below deselect the SSH, audit, SELinux, package-signature, patching,
      sudo, crypto-policy, fapolicyd and firewalld rules, so a report
      produced with this profile must not be read as an Essential Eight
      assessment. Only the "[CUSTOMIZED]" suffix hints at the difference.
    -->
    <xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">Australian Cyber Security Centre (ACSC) Essential Eight [CUSTOMIZED]</xccdf:title>
    <xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">This profile contains configuration checks for Red Hat Enterprise Linux 8
that align to the Australian Cyber Security Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be found at the
ACSC website:

https://www.cyber.gov.au/publications/essential-eight-in-linux-environments</xccdf:description>
    <!--
      Selection overrides. selected="false" switches an item off for this
      profile regardless of what the parent profile chose; selected="true"
      switches it on.
    -->
    <!-- SSH daemon hardening rules: all deselected. -->
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_print_last_log" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_use_priv_separation" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" selected="false"/>
    <!--
      Network service rules and groups (routing/quagga, rsh, talk, telnet,
      ypbind, xinetd, avahi, squid) and the fapolicyd application
      allow-listing rules: all deselected.
    -->
    <xccdf:select idref="xccdf_org.ssgproject.content_group_routing" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_disabling_quagga" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_service_zebra_disabled" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_quagga_removed" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_rsh_removed" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_rsh-server_removed" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_talk" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_talk_removed" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_talk-server_removed" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_telnet" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_service_telnet_disabled" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_telnet-server_removed" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_ypbind_removed" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_inetd_and_xinetd" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_service_xinetd_disabled" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_xinetd_removed" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_disable_avahi_group" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_fapolicyd" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_fapolicyd_installed" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_proxy" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_disabling_squid" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_service_squid_disabled" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_squid_removed" selected="false"/>
    <!--
      Audit rules and auditd configuration, including the rule that checks
      the auditd service is enabled: all deselected.
    -->
    <xccdf:select idref="xccdf_org.ssgproject.content_group_audit_login_events" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_audit_time_rules" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_auditd_name_format" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_auditd_local_events" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_auditd_log_format" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_auditd_freq" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_auditd_write_logs" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_flush" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" selected="false"/>
    <!-- Account checks (UID 0, empty passwords) and rsyslog: deselected. -->
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_rsyslog_installed" selected="false"/>
    <!-- Kernel sysctl hardening and /dev/shm mount options: deselected. -->
    <xccdf:select idref="xccdf_org.ssgproject.content_group_enable_execshield_settings" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" selected="false"/>
    <!-- SELinux policy type and state: deselected. -->
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_selinux_policytype" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_selinux_state" selected="false"/>
    <!-- Package signature checking and patch-level rules: deselected. -->
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" selected="false"/>
    <!-- sudo authentication rules: deselected. -->
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sudo_require_authentication" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" selected="false"/>
    <!-- System-wide and SSH crypto policy: deselected. -->
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_configure_crypto_policy" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" selected="false"/>
    <!-- firewalld and the network sniffer check: deselected. -->
    <xccdf:select idref="xccdf_org.ssgproject.content_group_firewalld_activation" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_firewalld_installed" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_network_sniffer_disabled" selected="false"/>
    <!--
      Groups deselected as a whole. Presumably these are the containers of
      the rules switched off above; verify against the benchmark.
    -->
    <xccdf:select idref="xccdf_org.ssgproject.content_group_network-firewalld" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_network" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_sudo" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_updating" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_selinux" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_partitions" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_restrictions" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_logging" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_password_storage" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_root_logins" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_accounts-restrictions" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_accounts" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_audit_dac_actions" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_auditd_configure_rules" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_auditing" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_avahi" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_nis" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_r_services" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_obsolete" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_ssh_server" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_ssh" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_services" selected="false"/>
    <!--
      Selected: RPM verification rules (permissions, hashes, ownership) and
      the system, software, integrity, files and permissions groups.
    -->
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_rpm_verification" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_software-integrity" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_integrity" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_software" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_system" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_rpm_verify_ownership" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_files" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_permissions" selected="true"/>
    <!--
      Owner, group-owner and mode checks on /etc/passwd, /etc/shadow,
      /etc/group and /etc/gshadow: deselected.
    -->
    <xccdf:select idref="xccdf_org.ssgproject.content_group_permissions_important_account_files" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_group" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_group" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_passwd" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_group" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_shadow" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow" selected="false"/>
    <!-- Selected: world-writable file and unowned-file checks. -->
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_no_files_unowned_by_user" selected="true"/>
    <!-- Binary and library directory ownership/permission checks: deselected. -->
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" selected="false"/>
    <!--
      Selected: world-writable directory, SUID/SGID, group-ownership and
      sticky-bit checks.
    -->
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid" selected="true"/>
  </xccdf:Profile>
</xccdf:Tailoring>