Definition of Australian Cyber Security Centre (ACSC) for rhel10

patching: Application and operating system patching

Description: None

Levels:

• base

Automated: yes

Selections:

• dnf-automatic_security_updates_only: Configure dnf-automatic to Install Only Security Updates
• ensure_gpgcheck_globally_activated: Ensure gpgcheck Enabled In Main dnf Configuration
• ensure_gpgcheck_local_packages: Ensure gpgcheck Enabled for Local Packages
• ensure_gpgcheck_never_disabled: Ensure gpgcheck Enabled for All dnf Package Repositories
• ensure_redhat_gpgkey_installed: Ensure Red Hat GPG Key Installed
• package_rsh-server_removed: Uninstall rsh-server Package
• package_rsh_removed: Uninstall rsh Package
• package_squid_removed: Uninstall squid Package
• package_talk-server_removed: Uninstall talk-server Package
• package_talk_removed: Uninstall talk Package
• package_telnet-server_removed: Uninstall telnet-server Package
• package_telnet_removed: Remove telnet Clients
• package_ypbind_removed: Remove NIS Client
• security_patches_up_to_date: Ensure Software Patches Installed
• service_avahi-daemon_disabled: Disable Avahi Server Software
• service_squid_disabled: Disable Squid
• service_telnet_disabled: Disable telnet Service

mfa: Multi-factor authentication

Description: None

Levels:

• base

Automated: no

No rules selected

restrict_admin: Restricting administrative privileges

Description: None

Levels:

• base

Automated: no

Selections:

• accounts_no_uid_except_zero: Verify Only Root Has UID 0
• sudo_remove_no_authenticate: Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
• sudo_remove_nopasswd: Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
• sudo_require_authentication: Ensure Users Re-Authenticate for Privilege Escalation - sudo

app_control: Application control

Description: None

Levels:

• base

Automated: no

Selections:

• package_fapolicyd_installed: Install fapolicyd Package
• service_fapolicyd_enabled: Enable the File Access Policy Service

restrict_macros: Restrict Microsoft Office macros

Description: None

Levels:

• base

Automated: no

No rules selected

app_hardening: User application hardening

Description: None

Levels:

• base

Automated: no

No rules selected

backups: Regular backups

Description: None

Levels:

• base

Automated: no

No rules selected

hardening: General hardening of Red Hat Enterprise Linux 10

Description: None

Levels:

• base

Automated: no

Selections:

• audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_execution_chcon: Record Any Attempts to Run chcon
• audit_rules_execution_restorecon: Record Any Attempts to Run restorecon
• audit_rules_execution_semanage: Record Any Attempts to Run semanage
• audit_rules_execution_setfiles: Record Any Attempts to Run setfiles
• audit_rules_execution_setsebool: Record Any Attempts to Run setsebool
• audit_rules_execution_seunshare: Record Any Attempts to Run seunshare
• audit_rules_kernel_module_loading: Ensure auditd Collects Information on Kernel Module Loading and Unloading
• audit_rules_login_events: Record Attempts to Alter Logon and Logout Events
• audit_rules_login_events_faillock: Record Attempts to Alter Logon and Logout Events - faillock
• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog
• audit_rules_login_events_tallylog: Record Attempts to Alter Logon and Logout Events - tallylog
• audit_rules_networkconfig_modification: Record Events that Modify the System's Network Environment
• audit_rules_sysadmin_actions: Ensure auditd Collects System Administrator Actions
• audit_rules_time_adjtimex: Record attempts to alter time through adjtimex
• audit_rules_time_clock_settime: Record Attempts to Alter Time Through clock_settime
• audit_rules_time_settimeofday: Record attempts to alter time through settimeofday
• audit_rules_time_stime: Record Attempts to Alter Time Through stime
• audit_rules_time_watch_localtime: Record Attempts to Alter the localtime File
• audit_rules_usergroup_modification: Record Events that Modify User/Group Information
• auditd_data_retention_flush: Configure auditd flush priority
• auditd_freq: Set number of records to cause an explicit flush to audit logs
• auditd_local_events: Include Local Events in Audit Logs
• auditd_log_format: Resolve information before writing to audit logs
• auditd_name_format: Set type of computer node name logging in audit logs
• auditd_write_logs: Write Audit Logs to the Disk
• configure_crypto_policy: Configure System Cryptography Policy
• configure_ssh_crypto_policy: Configure SSH to use System Crypto Policy
• dir_perms_world_writable_sticky_bits: Verify that All World-Writable Directories Have Sticky Bits Set
• enable_authselect: Enable authselect
• file_ownership_binary_dirs: Verify that System Executables Have Root Ownership
• file_ownership_library_dirs: Verify that Shared Library Files Have Root Ownership
• file_permissions_binary_dirs: Verify that System Executables Have Restrictive Permissions
• file_permissions_library_dirs: Verify that Shared Library Files Have Restrictive Permissions
• file_permissions_unauthorized_sgid: Ensure All SGID Executables Are Authorized
• file_permissions_unauthorized_suid: Ensure All SUID Executables Are Authorized
• file_permissions_unauthorized_world_writable: Ensure No World-Writable Files Exist
• mount_option_dev_shm_nodev: Add nodev Option to /dev/shm
• mount_option_dev_shm_noexec: Add noexec Option to /dev/shm
• mount_option_dev_shm_nosuid: Add nosuid Option to /dev/shm
• network_sniffer_disabled: Ensure System is Not Acting as a Network Sniffer
• no_empty_passwords: Prevent Login to Accounts With Empty Password
• package_firewalld_installed: Install firewalld Package
• package_rsyslog_installed: Ensure rsyslog is Installed
• rpm_verify_hashes: Verify File Hashes with RPM
• rpm_verify_ownership: Verify and Correct Ownership with RPM
• rpm_verify_permissions: Verify and Correct File Permissions with RPM
• selinux_policytype: Configure SELinux Policy
• selinux_state: Ensure SELinux State is Enforcing
• service_auditd_enabled: Enable auditd Service
• service_firewalld_enabled: Verify firewalld Enabled
• service_rsyslog_enabled: Enable rsyslog Service
• sshd_disable_empty_passwords: Disable SSH Access via Empty Passwords
• sshd_disable_gssapi_auth: Disable GSSAPI Authentication
• sshd_disable_rhosts: Disable SSH Support for .rhosts Files
• sshd_disable_root_login: Disable SSH Root Login
• sshd_disable_user_known_hosts: Disable SSH Support for User Known Hosts
• sshd_do_not_permit_user_env: Do Not Allow SSH Environment Options
• sshd_enable_strictmodes: Enable Use of Strict Mode Checking
• sshd_print_last_log: Enable SSH Print Last Log
• sshd_set_loglevel_info: Set LogLevel to INFO
• sshd_use_directory_configuration: Distribute the SSH Server configuration to multiple files in a config directory.
• sysctl_kernel_dmesg_restrict: Restrict Access to Kernel Message Buffer
• sysctl_kernel_exec_shield: Enable ExecShield via sysctl
• sysctl_kernel_kexec_load_disabled: Disable Kernel Image Loading
• sysctl_kernel_kptr_restrict: Restrict Exposed Kernel Pointer Addresses Access
• sysctl_kernel_randomize_va_space: Enable Randomized Layout of Virtual Address Space
• sysctl_kernel_unprivileged_bpf_disabled: Disable Access to Network bpf() Syscall From Unprivileged Processes
• sysctl_kernel_yama_ptrace_scope: Restrict usage of ptrace to descendant processes
• sysctl_net_core_bpf_jit_harden: Harden the operation of the BPF just-in-time compiler
• var_auditd_flush = incremental_async
• var_authselect_profile = sssd
• var_selinux_policy_name = targeted
• var_selinux_state = enforcing
• var_system_crypto_policy = default_nosha1