ocp4-cis-api-server-encryption-provider-cipher
Set spec.encryption.type to 'aescbc' in apiserver config
Configure the Encryption Provider Cipher
When you enable etcd encryption, the following OpenShift API server and Kubernetes API server resources are encrypted:
* Secrets
* ConfigMaps
* Routes
* OAuth access tokens
* OAuth authorize tokens
When you enable etcd encryption, encryption keys are created. These keys are rotated on a weekly basis. You must have these keys in order to restore from an etcd backup.
To ensure the correct cipher, set the encryption type to aescbc or aesgcm in the apiserver object which configures the API server itself.
spec:
  encryption:
    type: aescbc
For more information, follow the relevant documentation ( https://docs.openshift.com/container-platform/latest/security/encrypting-etcd.html ).
| ❌ FAIL | - | - | Not Tracked |
ocp4-cis-audit-log-forwarding-enabled
Configure ClusterLogForwarder for audit log shipping
Ensure that Audit Log Forwarding Is Enabled
OpenShift audit works at the API server level, logging all requests coming to the server. Audit is on by default, and the best practice is to ship audit logs off the cluster for retention. The cluster-logging-operator is able to do this with the ClusterLogForwarder resource. The aforementioned resource can be configured to forward logs to different third-party systems. For more information on this, please reference the official documentation: https://docs.openshift.com/container-platform/latest/observability/logging/logging-6.0/log6x-clf.html
| ❌ FAIL | - | - | Not Tracked |
ocp4-cis-audit-profile-set
Configure API server audit profile in cluster config
Ensure that the cluster's audit profile is properly set
OpenShift can audit the details of requests made to the API server through the standard Kubernetes audit capabilities.
In OpenShift, auditing of the API Server is on by default. Audit provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individual users, administrators, or other components of the system. Audit works at the API server level, logging all requests coming to the server. Each audit log contains two entries:
The request line containing:
* A unique ID allowing the response line to be matched (see #2)
* The source IP of the request
* The HTTP method being invoked
* The original user invoking the operation
* The impersonated user for the operation (self meaning the user themselves)
* The impersonated group for the operation (lookup meaning the user's own group)
* The namespace of the request or none
* The URI as requested
The response line containing:
* The aforementioned unique ID
* The response code
For more information on how to configure the audit profile, please visit the documentation ( https://docs.openshift.com/container-platform/latest/security/audit-log-policy-config.html )
| ❌ FAIL | - | - | Not Tracked |
ocp4-cis-idp-is-configured
Configure OAuth identity provider for authentication
Configure An Identity Provider
For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer identifies the user associated with requests to the OpenShift Container Platform API. The authorization layer then uses information about the requesting user to determine if the request is allowed. Understanding authentication | Authentication | OpenShift Container Platform ( https://docs.openshift.com/container-platform/4.6/logging/cluster-logging-external.html )
The OpenShift Container Platform includes a built-in OAuth server for token-based authentication. Developers and administrators obtain OAuth access tokens to authenticate themselves to the API. It is recommended for an administrator to configure OAuth to specify an identity provider after the cluster is installed. User access to the cluster is managed through the identity provider. Understanding identity provider configuration | Authentication | OpenShift Container Platform ( https://docs.openshift.com/container-platform/4.6/authentication/understanding-identity-provider.html )
OpenShift includes built-in role based access control (RBAC) to determine whether a user is allowed to perform a given action within the cluster. Roles can have cluster scope or local (i.e. project) scope. Using RBAC to define and apply permissions | Authentication | OpenShift Container Platform ( https://docs.openshift.com/container-platform/4.6/authentication/using-rbac.html )
| ❌ FAIL | - | - | Not Tracked |
ocp4-cis-ingress-controller-tls-cipher-suites
Configure strong TLS ciphers in IngressController spec
Ensure that the Ingress Controller only makes use of Strong Cryptographic Ciphers
Ensure that the Ingress Controller is configured to only use strong cryptographic ciphers.
| ❌ FAIL | - | - | Not Tracked |
ocp4-cis-kubeadmin-removed
Delete kubeadmin secret: oc delete secret kubeadmin -n kube-system
Ensure that the kubeadmin secret has been removed
The kubeadmin user is meant to be a temporary user used for bootstrapping purposes. It is preferable to assign system administrators whose users are backed by an Identity Provider.
Make sure to remove the user as described in the documentation ( https://docs.openshift.com/container-platform/latest/authentication/remove-kubeadmin.html )
| ❌ FAIL | - | - | Not Tracked |
ocp4-cis-ocp-allowed-registries
Set spec.registrySources.allowedRegistries in image.config.openshift.io
Allowed registries are configured
The configuration registrySources.allowedRegistries determines the permitted registries that the OpenShift container runtime can access for builds and pods. This configuration setting ensures that all registries other than those specified are blocked. You can set the allowed registries by applying the following manifest using oc patch, e.g. if you save the following snippet to /tmp/allowed-registries-patch.yaml :
spec:
  registrySources:
    allowedRegistries:
    - my-trusted-registry.internal.example.com
you would call:
oc patch image.config.openshift.io cluster --patch="$(cat /tmp/allowed-registries-patch.yaml)" --type=merge
| ❌ FAIL | - | - | Not Tracked |
ocp4-cis-ocp-allowed-registries-for-import
Set spec.allowedRegistriesForImport in image.config.openshift.io
Allowed registries for import are configured
The configuration allowedRegistriesForImport limits the container image registries from which normal users may import images. This is important to control, as a user who can stand up a malicious registry can then import content which claims to include the SHAs of legitimate content layers. You can set the allowed registries for import by applying the following manifest using oc patch, e.g. if you save the following snippet to /tmp/allowed-import-registries-patch.yaml :
spec:
  allowedRegistriesForImport:
  - domainName: my-trusted-registry.internal.example.com
    insecure: false
you would call:
oc patch image.config.openshift.io cluster --patch="$(cat /tmp/allowed-import-registries-patch.yaml)" --type=merge
| ❌ FAIL | - | - | Not Tracked |
ocp4-e8-api-server-encryption-provider-cipher
Set spec.encryption.type to 'aescbc' in apiserver config
Configure the Encryption Provider Cipher
When you enable etcd encryption, the following OpenShift API server and Kubernetes API server resources are encrypted:
* Secrets
* ConfigMaps
* Routes
* OAuth access tokens
* OAuth authorize tokens
When you enable etcd encryption, encryption keys are created. These keys are rotated on a weekly basis. You must have these keys in order to restore from an etcd backup.
To ensure the correct cipher, set the encryption type to aescbc or aesgcm in the apiserver object which configures the API server itself.
spec:
  encryption:
    type: aescbc
For more information, follow the relevant documentation ( https://docs.openshift.com/container-platform/latest/security/encrypting-etcd.html ).
| ❌ FAIL | - | - | Not Tracked |
ocp4-e8-ocp-allowed-registries
Set spec.registrySources.allowedRegistries in image.config.openshift.io
Allowed registries are configured
The configuration registrySources.allowedRegistries determines the permitted registries that the OpenShift container runtime can access for builds and pods. This configuration setting ensures that all registries other than those specified are blocked. You can set the allowed registries by applying the following manifest using oc patch, e.g. if you save the following snippet to /tmp/allowed-registries-patch.yaml :
spec:
  registrySources:
    allowedRegistries:
    - my-trusted-registry.internal.example.com
you would call:
oc patch image.config.openshift.io cluster --patch="$(cat /tmp/allowed-registries-patch.yaml)" --type=merge
| ❌ FAIL | - | - | Not Tracked |
ocp4-e8-ocp-allowed-registries-for-import
Set spec.allowedRegistriesForImport in image.config.openshift.io
Allowed registries for import are configured
The configuration allowedRegistriesForImport limits the container image registries from which normal users may import images. This is important to control, as a user who can stand up a malicious registry can then import content which claims to include the SHAs of legitimate content layers. You can set the allowed registries for import by applying the following manifest using oc patch, e.g. if you save the following snippet to /tmp/allowed-import-registries-patch.yaml :
spec:
  allowedRegistriesForImport:
  - domainName: my-trusted-registry.internal.example.com
    insecure: false
you would call:
oc patch image.config.openshift.io cluster --patch="$(cat /tmp/allowed-import-registries-patch.yaml)" --type=merge
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-dac-modification-chmod
Add audit rule: -a always,exit -S chmod -F auid>=1000 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - chmod
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-dac-modification-chown
Add audit rule: -a always,exit -S chown -F auid>=1000 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - chown
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-execution-chcon
Add audit rule: -a always,exit -F path=/usr/bin/chcon -F key=privileged
Record Any Attempts to Run chcon
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-execution-restorecon
Add audit rule: -a always,exit -F path=/usr/sbin/restorecon -F key=privileged
Record Any Attempts to Run restorecon
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-execution-semanage
Add audit rule: -a always,exit -F path=/usr/sbin/semanage -F key=privileged
Record Any Attempts to Run semanage
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F key=privileged
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-execution-setfiles
Add audit rule: -a always,exit -F path=/usr/sbin/setfiles -F key=privileged
Record Any Attempts to Run setfiles
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=unset -F key=privileged
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-execution-setsebool
Add audit rule: -a always,exit -F path=/usr/sbin/setsebool -F key=privileged
Record Any Attempts to Run setsebool
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-execution-seunshare
Add audit rule: -a always,exit -F path=/usr/sbin/seunshare -F key=privileged
Record Any Attempts to Run seunshare
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-kernel-module-loading-delete
Configure audit rules in /etc/audit/rules.d
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
To capture kernel module loading and unloading events, use the following line, setting ARCH to b32 on a 32-bit system, or adding two lines, one for b32 and one for b64, if your system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F key=modules
Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-kernel-module-loading-finit
Configure audit rules in /etc/audit/rules.d
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
To capture kernel module loading and unloading events, use the following line, setting ARCH to b32 on a 32-bit system, or adding two lines, one for b32 and one for b64, if your system is 64-bit:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-kernel-module-loading-init
Configure audit rules in /etc/audit/rules.d
Ensure auditd Collects Information on Kernel Module Loading - init_module
To capture kernel module loading and unloading events, use the following line, setting ARCH to b32 on a 32-bit system, or adding two lines, one for b32 and one for b64, if your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F key=modules
Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-login-events
Add audit rules for login events in /etc/audit/rules.d
Record Attempts to Alter Logon and Logout Events
The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-login-events-faillock
Add audit rules for login events in /etc/audit/rules.d
Record Attempts to Alter Logon and Logout Events - faillock
The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d :
-w /var/run/faillock -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules :
-w /var/run/faillock -p wa -k logins
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-login-events-lastlog
Add audit rules for login events in /etc/audit/rules.d
Record Attempts to Alter Logon and Logout Events - lastlog
The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d :
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules :
-w /var/log/lastlog -p wa -k logins
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-login-events-tallylog
Add audit rules for login events in /etc/audit/rules.d
Record Attempts to Alter Logon and Logout Events - tallylog
The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d :
-w /var/log/tallylog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules :
-w /var/log/tallylog -p wa -k logins
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-networkconfig-modification
Add audit rules for network configuration changes
Record Events that Modify the System's Network Environment
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d , setting ARCH to b32 on a 32-bit system, or adding two lines, one for b32 and one for b64, if your system is 64-bit:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, setting ARCH to b32 on a 32-bit system, or adding two lines, one for b32 and one for b64, if your system is 64-bit:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-sysadmin-actions
Add audit rule: -w /etc/sudoers -p wa -k actions
Ensure auditd Collects System Administrator Actions
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d :
-w /etc/sudoers -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules :
-w /etc/sudoers -p wa -k actions
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d :
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules :
-w /etc/sudoers.d/ -p wa -k actions
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-time-adjtimex
Add audit rules for time-change events
Record attempts to alter time through adjtimex
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-time-clock-settime
Add audit rules for time-change events
Record Attempts to Alter Time Through clock_settime
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-time-settimeofday
Add audit rules for time-change events
Record attempts to alter time through settimeofday
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-time-stime
Add audit rules for time-change events
Record Attempts to Alter Time Through stime
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d for both 32-bit and 64-bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64-bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64-bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32-bit and 64-bit systems). If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file for both 32-bit and 64-bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64-bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64-bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32-bit and 64-bit systems). The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined system calls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-time-watch-localtime
Add audit rules for time-change events
Record Attempts to Alter the localtime File
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d :
-w /etc/localtime -p wa -k audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules :
-w /etc/localtime -p wa -k audit_time_rules
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-audit-rules-usergroup-modification
Add audit rules for user/group modification events
Record Events that Modify User/Group Information
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d , in order to capture events that modify user and group account information:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, in order to capture changes to account information:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-auditd-name-format
Set name_format to hostname in /etc/audit/auditd.conf
Set type of computer node name logging in audit logs
To configure the audit daemon to use a unique identifier as the computer node name in audit events, set name_format to hostname in /etc/audit/auditd.conf.
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-master-sshd-disable-gssapi-auth
Set GSSAPIAuthentication no in sshd_config
Disable GSSAPI Authentication
Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI.
The default SSH configuration disallows authentication based on GSSAPI, so the appropriate configuration is already in effect if no value is set for GSSAPIAuthentication.
To explicitly disable GSSAPI authentication, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
GSSAPIAuthentication no
| ❌ FAIL | CNF-19031 | #466 | In Progress |
rhcos4-e8-master-sshd-disable-user-known-hosts
Set IgnoreUserKnownHosts yes in sshd_config
Disable SSH Support for User Known Hosts
SSH can allow system users to connect to systems if a cache of the remote systems' public keys is available. This should be disabled.
To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
IgnoreUserKnownHosts yes
| ❌ FAIL | CNF-19031 | #466 | In Progress |
rhcos4-e8-master-sysctl-kernel-randomize-va-space
Configure kernel.randomize_va_space via sysctl
Enable Randomized Layout of Virtual Address Space
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.randomize_va_space = 2
| ❌ FAIL | CNF-21196 | - | On Hold |
rhcos4-e8-master-sysctl-kernel-unprivileged-bpf-disabled
Set kernel.unprivileged_bpf_disabled=1 via sysctl
Disable Access to Network bpf() Syscall From Unprivileged Processes
To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command:
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.unprivileged_bpf_disabled = 1
| ❌ FAIL | CNF-21196 | - | On Hold |
rhcos4-e8-master-sysctl-kernel-yama-ptrace-scope
Set kernel.yama.ptrace_scope=1 via sysctl
Restrict usage of ptrace to descendant processes
To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command:
$ sudo sysctl -w kernel.yama.ptrace_scope=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.yama.ptrace_scope = 1
| ❌ FAIL | CNF-21196 | - | On Hold |
rhcos4-e8-master-sysctl-net-core-bpf-jit-harden
Set net.core.bpf_jit_harden=2 via sysctl
Harden the operation of the BPF just-in-time compiler
To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command:
$ sudo sysctl -w net.core.bpf_jit_harden=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.core.bpf_jit_harden = 2
| ❌ FAIL | CNF-21196 | - | On Hold |
rhcos4-e8-worker-audit-rules-dac-modification-chmod
Add audit rule: -a always,exit -S chmod -F auid>=1000 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - chmod
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-dac-modification-chown
Add audit rule: -a always,exit -S chown -F auid>=1000 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - chown
At a minimum, the audit system should collect file ownership changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-execution-chcon
Add audit rule: -a always,exit -F path=/usr/bin/chcon -F key=privileged
Record Any Attempts to Run chcon
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-execution-restorecon
Add audit rule: -a always,exit -F path=/usr/sbin/restorecon -F key=privileged
Record Any Attempts to Run restorecon
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-execution-semanage
Add audit rule: -a always,exit -F path=/usr/sbin/semanage -F key=privileged
Record Any Attempts to Run semanage
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F key=privileged
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-execution-setfiles
Add audit rule: -a always,exit -F path=/usr/sbin/setfiles -F key=privileged
Record Any Attempts to Run setfiles
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=unset -F key=privileged
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-execution-setsebool
Add audit rule: -a always,exit -F path=/usr/sbin/setsebool -F key=privileged
Record Any Attempts to Run setsebool
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-execution-seunshare
Add audit rule: -a always,exit -F path=/usr/sbin/seunshare -F key=privileged
Record Any Attempts to Run seunshare
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-kernel-module-loading-delete
Configure audit rules in /etc/audit/rules.d
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
To capture kernel module unloading events, use the following line, replacing ARCH with b32 on a 32-bit system; on a 64-bit system, add the line twice, once with arch=b32 and once with arch=b64:
-a always,exit -F arch=ARCH -S delete_module -F key=modules
Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-kernel-module-loading-finit
Configure audit rules in /etc/audit/rules.d
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
To capture kernel module loading events, use the following line, replacing ARCH with b32 on a 32-bit system; on a 64-bit system, add the line twice, once with arch=b32 and once with arch=b64:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-kernel-module-loading-init
Configure audit rules in /etc/audit/rules.d
Ensure auditd Collects Information on Kernel Module Loading - init_module
To capture kernel module loading events, use the following line, replacing ARCH with b32 on a 32-bit system; on a 64-bit system, add the line twice, once with arch=b32 and once with arch=b64:
-a always,exit -F arch=ARCH -S init_module -F key=modules
Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-login-events
Add audit rules for login events in /etc/audit/rules.d
Record Attempts to Alter Logon and Logout Events
The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of the files that store logon events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file in order to watch for attempted manual edits of the files that store logon events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-login-events-faillock
Add audit rules for login events in /etc/audit/rules.d
Record Attempts to Alter Logon and Logout Events - faillock
The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /var/run/faillock -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules:
-w /var/run/faillock -p wa -k logins
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-login-events-lastlog
Add audit rules for login events in /etc/audit/rules.d
Record Attempts to Alter Logon and Logout Events - lastlog
The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules:
-w /var/log/lastlog -p wa -k logins
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-login-events-tallylog
Add audit rules for login events in /etc/audit/rules.d
Record Attempts to Alter Logon and Logout Events - tallylog
The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /var/log/tallylog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules:
-w /var/log/tallylog -p wa -k logins
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-networkconfig-modification
Add audit rules for network configuration changes
Record Events that Modify the System's Network Environment
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, replacing ARCH with b32 on a 32-bit system; on a 64-bit system, add the syscall line twice, once with arch=b32 and once with arch=b64:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, replacing ARCH with b32 on a 32-bit system; on a 64-bit system, add the syscall line twice, once with arch=b32 and once with arch=b64:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-sysadmin-actions
Add audit rule: -w /etc/sudoers -p wa -k actions
Ensure auditd Collects System Administrator Actions
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-time-adjtimex
Add audit rules for time-change events
Record attempts to alter time through adjtimex
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-time-clock-settime
Add audit rules for time-change events
Record Attempts to Alter Time Through clock_settime
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-time-settimeofday
Add audit rules for time-change events
Record attempts to alter time through settimeofday
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-time-stime
Add audit rules for time-change events
Record Attempts to Alter Time Through stime
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined system calls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-time-watch-localtime
Add audit rules for time-change events
Record Attempts to Alter the localtime File
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/localtime -p wa -k audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules:
-w /etc/localtime -p wa -k audit_time_rules
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-audit-rules-usergroup-modification
Add audit rules for user/group modification events
Record Events that Modify User/Group Information
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture changes to account information:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, in order to capture changes to account information:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-auditd-name-format
Set name_format to hostname in /etc/audit/auditd.conf
Set type of computer node name logging in audit logs
To configure the audit daemon to use a unique identifier as the computer node name in audit events, set name_format to hostname in /etc/audit/auditd.conf.
| ❌ FAIL | - | - | Not Tracked |
rhcos4-e8-worker-sshd-disable-gssapi-auth
Set GSSAPIAuthentication no in sshd_config
Disable GSSAPI Authentication
Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI.
The default SSH configuration disallows authentication based on GSSAPI, so the appropriate configuration is already in effect if no value is set for GSSAPIAuthentication.
To explicitly disable GSSAPI authentication, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
GSSAPIAuthentication no
| ❌ FAIL | CNF-19031 | #466 | In Progress |
rhcos4-e8-worker-sshd-disable-user-known-hosts
Set IgnoreUserKnownHosts yes in sshd_config
Disable SSH Support for User Known Hosts
SSH can allow system users to connect to systems if a cache of the remote systems' public keys is available. This should be disabled.
To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
IgnoreUserKnownHosts yes
| ❌ FAIL | CNF-19031 | #466 | In Progress |
rhcos4-e8-worker-sysctl-kernel-randomize-va-space
Configure kernel.randomize_va_space via sysctl
Enable Randomized Layout of Virtual Address Space
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.randomize_va_space = 2
| ❌ FAIL | CNF-21196 | - | On Hold |
rhcos4-e8-worker-sysctl-kernel-unprivileged-bpf-disabled
Set kernel.unprivileged_bpf_disabled=1 via sysctl
Disable Access to Network bpf() Syscall From Unprivileged Processes
To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command:
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.unprivileged_bpf_disabled = 1
| ❌ FAIL | CNF-21196 | - | On Hold |
rhcos4-e8-worker-sysctl-kernel-yama-ptrace-scope
Set kernel.yama.ptrace_scope=1 via sysctl
Restrict usage of ptrace to descendant processes
To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command:
$ sudo sysctl -w kernel.yama.ptrace_scope=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.yama.ptrace_scope = 1
| ❌ FAIL | CNF-21196 | - | On Hold |
rhcos4-e8-worker-sysctl-net-core-bpf-jit-harden
Set net.core.bpf_jit_harden=2 via sysctl
Harden the operation of the BPF just-in-time compiler
To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command:
$ sudo sysctl -w net.core.bpf_jit_harden=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.core.bpf_jit_harden = 2
| ❌ FAIL | CNF-21196 | - | On Hold |