diff --git a/products/ol10/profiles/anssi_bp28_enhanced.profile b/products/ol10/profiles/anssi_bp28_enhanced.profile
index a4d866b3dd6..bbaf1790f5b 100644
--- a/products/ol10/profiles/anssi_bp28_enhanced.profile
+++ b/products/ol10/profiles/anssi_bp28_enhanced.profile
@@ -1,42 +1,61 @@ documentation_complete: true -title: 'ANSSI-BP-028 (enhanced)' +title: 'DRAFT - ANSSI-BP-028 (enhanced)' description: |- - This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening - level. ANSSI is the French National Information Security Agency, and stands for Agence - nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration - recommendation for GNU/Linux systems. + This is a draft profile for experimental purposes. + This draft profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + An English version of the ANSSI-BP-028 can also be found at the ANSSI website: + https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system + selections: - anssi:all:enhanced - - '!partition_for_opt' - '!package_ypserv_removed' - '!accounts_passwords_pam_tally2_deny_root' - '!install_PAE_kernel_on_x86-32' - - '!partition_for_boot' - '!ensure_redhat_gpgkey_installed' - - '!sudo_add_ignore_dot' - - '!audit_rules_privileged_commands_rmmod' - - '!audit_rules_privileged_commands_modprobe' - '!package_dracut-fips-aesni_installed' - '!cracklib_accounts_password_pam_lcredit' - - '!partition_for_usr' - '!cracklib_accounts_password_pam_ocredit' - - '!enable_pam_namespace' - - '!audit_rules_privileged_commands_insmod' - '!package_ypbind_removed' - - '!service_chronyd_or_ntpd_enabled' - - '!sudo_dedicated_group' - - '!chronyd_configure_pool_and_server' - '!accounts_passwords_pam_tally2' - '!cracklib_accounts_password_pam_ucredit' - '!accounts_passwords_pam_tally2_unlock_time' - 
'!sudo_add_umask' - - '!sudo_add_env_reset' - '!cracklib_accounts_password_pam_minlen' - '!cracklib_accounts_password_pam_dcredit' + # this rule is not automated anymore + - '!security_patches_up_to_date' + # There is only chrony package on OL 10, no ntpd + - '!service_chronyd_or_ntpd_enabled' + - 'service_chronyd_enabled' + # OL 10 unified the paths for grub2 files. These rules are selected in control file by R29. + - '!file_groupowner_efi_grub2_cfg' + - '!file_owner_efi_grub2_cfg' + - '!file_permissions_efi_grub2_cfg' + - '!file_groupowner_efi_user_cfg' + - '!file_owner_efi_user_cfg' + - '!file_permissions_efi_user_cfg' + # disable R45: Enable AppArmor security profiles + - '!apparmor_configured' + - '!all_apparmor_profiles_enforced' + - '!grub2_enable_apparmor' + - '!package_apparmor_installed' + - '!package_pam_apparmor_installed' + # these packages do not exist in ol10 (R62) + - '!package_dhcp_removed' + - '!package_rsh_removed' + - '!package_rsh-server_removed' + - '!package_sendmail_removed' + - '!package_talk_removed' + - '!package_talk-server_removed' - '!package_xinetd_removed' + # There isn't 32 bits OL + - '!prefer_64bit_os' diff --git a/products/ol10/profiles/anssi_bp28_high.profile b/products/ol10/profiles/anssi_bp28_high.profile index 8b259582a62..dd05f43fcec 100644 --- a/products/ol10/profiles/anssi_bp28_high.profile +++ b/products/ol10/profiles/anssi_bp28_high.profile 
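Review bot: The new block that unselects `apparmor_configured`, `all_apparmor_profiles_enforced`, `grub2_enable_apparmor`, `package_apparmor_installed` and `package_pam_apparmor_installed` is commented only as `# disable R45: Enable AppArmor security profiles`, which reads as dropping the mandatory-access-control requirement rather than meeting it another way. OL 10 ships SELinux, not AppArmor, so the comment should say that and name how R45 is covered (for example that the control file maps it to the SELinux state/policy rules, if that is the case), otherwise an assessor will read this as a gap. Separately, this profile still unselects `ensure_redhat_gpgkey_installed` without selecting `ensure_oracle_gpgkey_installed`, which the e8, hipaa and pci-dss profiles in this same change do add; unless `anssi:all:enhanced` already brings it in, the package-signing-key check is silently lost here.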
@@ -1,43 +1,71 @@ documentation_complete: true -title: 'ANSSI-BP-028 (high)' +title: 'DRAFT - ANSSI-BP-028 (high)' description: |- - This profile contains configurations that align to ANSSI-BP-028 at the high hardening - level. ANSSI is the French National Information Security Agency, and stands for Agence - nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration - recommendation for GNU/Linux systems. + This is a draft profile for experimental purposes. + This draft profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + An English version of the ANSSI-BP-028 can also be found at the ANSSI website: + https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system + selections: - anssi:all:high - - '!partition_for_opt' - '!package_ypserv_removed' + - '!sebool_secure_mode_insmod' - '!accounts_passwords_pam_tally2_deny_root' - '!install_PAE_kernel_on_x86-32' - - '!partition_for_boot' - '!ensure_redhat_gpgkey_installed' - '!aide_periodic_checking_systemd_timer' - - '!sudo_add_ignore_dot' - - '!audit_rules_privileged_commands_rmmod' - - '!audit_rules_privileged_commands_modprobe' - - '!partition_for_usr' - '!package_dracut-fips-aesni_installed' - '!cracklib_accounts_password_pam_lcredit' - '!cracklib_accounts_password_pam_ocredit' - - '!enable_pam_namespace' - - '!audit_rules_privileged_commands_insmod' - '!package_ypbind_removed' - '!service_chronyd_or_ntpd_enabled' - - '!sudo_dedicated_group' - - '!chronyd_configure_pool_and_server' + - 'service_chronyd_enabled' - '!accounts_passwords_pam_tally2' - 
'!cracklib_accounts_password_pam_ucredit' - '!accounts_passwords_pam_tally2_unlock_time' - '!sudo_add_umask' - - '!sudo_add_env_reset' - '!cracklib_accounts_password_pam_minlen' - '!cracklib_accounts_password_pam_dcredit' + # this rule is not automated anymore + - '!security_patches_up_to_date' + # OL 10 unified the paths for grub2 files. These rules are selected in control file by R29. + - '!file_groupowner_efi_grub2_cfg' + - '!file_owner_efi_grub2_cfg' + - '!file_permissions_efi_grub2_cfg' + - '!file_groupowner_efi_user_cfg' + - '!file_owner_efi_user_cfg' + - '!file_permissions_efi_user_cfg' + # disable R45: Enable AppArmor security profiles + - '!apparmor_configured' + - '!all_apparmor_profiles_enforced' + - '!grub2_enable_apparmor' + - '!package_apparmor_installed' + - '!package_pam_apparmor_installed' + # these packages do not exist in ol10 (R62) + - '!package_dhcp_removed' + - '!package_rsh_removed' + - '!package_rsh-server_removed' + - '!package_sendmail_removed' + - '!package_talk_removed' + - '!package_talk-server_removed' - '!package_xinetd_removed' + # There isn't 32 bits OL + - '!prefer_64bit_os' + # These rules are no longer relevant + - '!kernel_config_devkmem' + - '!kernel_config_hardened_usercopy_fallback' + - '!kernel_config_page_poisoning_no_sanity' + - '!kernel_config_page_poisoning_zero' + - '!kernel_config_page_table_isolation' + - '!kernel_config_refcount_full' + - '!kernel_config_retpoline' + - '!kernel_config_security_writable_hooks' diff --git a/products/ol10/profiles/anssi_bp28_intermediary.profile b/products/ol10/profiles/anssi_bp28_intermediary.profile index 29553954a90..dfe2cdda3b6 100644 --- a/products/ol10/profiles/anssi_bp28_intermediary.profile +++ b/products/ol10/profiles/anssi_bp28_intermediary.profile 
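Review bot: `'!sebool_secure_mode_insmod'` is newly unselected with no explanatory comment, unlike every other exclusion this hunk adds; that boolean restricts kernel-module loading, so dropping it from the high level is a real relaxation and the reason (check broken on OL 10, conflict with another rule, or not part of ANSSI v2.0) should be recorded next to it. The `# These rules are no longer relevant` group also lumps options that were genuinely removed from the kernel (`kernel_config_devkmem`, `kernel_config_refcount_full`, the page-poisoning variants) together with `kernel_config_page_table_isolation` and `kernel_config_retpoline`. If I recall correctly those two were renamed to `CONFIG_MITIGATION_PAGE_TABLE_ISOLATION` / `CONFIG_MITIGATION_RETPOLINE` in recent kernels rather than removed, so the Meltdown/Spectre mitigations are still relevant on the OL 10 kernel and the checks should be updated to the new symbol names (or the comment should say the check looks for the old name), not retired.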
@@ -1,20 +1,23 @@ documentation_complete: true -title: 'ANSSI-BP-028 (intermediary)' +title: 'DRAFT - ANSSI-BP-028 (intermediary)' description: |- - This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening - level. ANSSI is the French National Information Security Agency, and stands for Agence - nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration - recommendation for GNU/Linux systems. + This is a draft profile for experimental purposes. + This draft profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + An English version of the ANSSI-BP-028 can also be found at the ANSSI website: + https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system + selections: - anssi:all:intermediary - '!package_ypbind_removed' - - '!partition_for_opt' - '!cracklib_accounts_password_pam_minlen' - '!package_ypserv_removed' - '!accounts_passwords_pam_tally2_deny_root' 
@@ -22,13 +25,17 @@ selections: - '!cracklib_accounts_password_pam_ucredit' - '!cracklib_accounts_password_pam_dcredit' - '!cracklib_accounts_password_pam_lcredit' - - '!partition_for_usr' - - '!partition_for_boot' - '!cracklib_accounts_password_pam_ocredit' - - '!enable_pam_namespace' - '!accounts_passwords_pam_tally2_unlock_time' - '!ensure_redhat_gpgkey_installed' - '!sudo_add_umask' - - '!sudo_add_ignore_dot' - - '!sudo_add_env_reset' + # this rule is not automated anymore + - '!security_patches_up_to_date' + # these packages do not exist in ol10 (R62) + - '!package_dhcp_removed' + - '!package_rsh_removed' + - '!package_rsh-server_removed' + - '!package_sendmail_removed' + - '!package_talk_removed' + - '!package_talk-server_removed' - '!package_xinetd_removed' diff --git a/products/ol10/profiles/anssi_bp28_minimal.profile b/products/ol10/profiles/anssi_bp28_minimal.profile index 6c959b6f22c..c0d5b952e18 100644 --- a/products/ol10/profiles/anssi_bp28_minimal.profile +++ b/products/ol10/profiles/anssi_bp28_minimal.profile 
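Review bot: `'!security_patches_up_to_date'` is commented `# this rule is not automated anymore`, which says why the check is gone but not how the ANSSI patching requirement is now verified; a scan with this profile will report nothing about missing updates. Suggest extending the comment to point at the compensating mechanism, e.g. `# security_patches_up_to_date is no longer automated; verify patch currency out of band (dnf updateinfo / vendor OVAL feed)`. The hunk also removes the `'!sudo_add_ignore_dot'` and `'!sudo_add_env_reset'` exclusions so those sudo hardening rules become active, which is good; `'!sudo_add_umask'` is a pre-existing exclusion that remains without a rationale and would be worth a comment since the three are normally applied together.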
@@ -1,27 +1,39 @@ documentation_complete: true -title: 'ANSSI-BP-028 (minimal)' +title: 'DRAFT - ANSSI-BP-028 (minimal)' description: |- - This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening - level. ANSSI is the French National Information Security Agency, and stands for Agence - nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration - recommendation for GNU/Linux systems. + This is a draft profile for experimental purposes. + This draft profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + An English version of the ANSSI-BP-028 can also be found at the ANSSI website: + https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system + selections: - - anssi:all:minimal - - '!package_ypbind_removed' - - '!cracklib_accounts_password_pam_minlen' - - '!package_ypserv_removed' - - '!accounts_passwords_pam_tally2_deny_root' - - '!accounts_passwords_pam_tally2' - - '!cracklib_accounts_password_pam_ucredit' - - '!cracklib_accounts_password_pam_dcredit' - - '!cracklib_accounts_password_pam_lcredit' - - '!cracklib_accounts_password_pam_ocredit' - - '!accounts_passwords_pam_tally2_unlock_time' - - '!ensure_redhat_gpgkey_installed' - - '!package_xinetd_removed' + - anssi:all:minimal + - '!package_ypbind_removed' + - '!cracklib_accounts_password_pam_minlen' + - '!package_ypserv_removed' + - '!accounts_passwords_pam_tally2_deny_root' + - '!accounts_passwords_pam_tally2' + - '!cracklib_accounts_password_pam_ucredit' + - '!cracklib_accounts_password_pam_dcredit' + - 
'!cracklib_accounts_password_pam_lcredit' + - '!cracklib_accounts_password_pam_ocredit' + - '!accounts_passwords_pam_tally2_unlock_time' + - '!ensure_redhat_gpgkey_installed' + - '!security_patches_up_to_date' + # these packages do not exist in ol10 (R62) + - '!package_dhcp_removed' + - '!package_rsh_removed' + - '!package_rsh-server_removed' + - '!package_sendmail_removed' + - '!package_talk_removed' + - '!package_talk-server_removed' + - '!package_xinetd_removed' diff --git a/products/ol10/profiles/e8.profile b/products/ol10/profiles/e8.profile new file mode 100644 index 00000000000..fbd6f9e5090 --- /dev/null +++ b/products/ol10/profiles/e8.profile @@ -0,0 +1,32 @@ +documentation_complete: true + +reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers + +title: 'DRAFT - Australian Cyber Security Centre (ACSC) Essential Eight' + +description: |- + This is a draft profile for experimental purposes. + + This draft profile contains configuration checks for Oracle Linux 10 + that align to the Australian Cyber Security Centre (ACSC) Essential Eight. + + A copy of the Essential Eight in Linux Environments guide can be found at the + ACSC website: + + https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers + +selections: + - e8:all + + - '!ensure_redhat_gpgkey_installed' + - ensure_oracle_gpgkey_installed + + - var_system_crypto_policy=default_policy + # these packages do not exist in OL 10 + - '!package_talk_removed' + - '!package_talk-server_removed' + - '!package_ypbind_removed' + - '!package_ypserv_removed' + - '!package_rsh_removed' + - '!package_rsh-server_removed' + - '!security_patches_up_to_date' diff --git a/products/ol10/profiles/hipaa.profile b/products/ol10/profiles/hipaa.profile new file mode 100644 index 00000000000..f259e962b15 --- /dev/null +++ b/products/ol10/profiles/hipaa.profile 
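Review bot: `'!security_patches_up_to_date'` is added here without the `# this rule is not automated anymore` comment that the enhanced, intermediary and high profiles carry for the same exclusion; keep the rationale in every file so a reader of this profile alone knows it is a tooling limitation and not a deliberate waiver. Every pre-existing selection line is also removed and re-added with apparently identical text, which looks like a re-indentation of the list; if so, match the indentation used by the sibling ANSSI profiles so the four files stay diffable against each other.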
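Review bot: `'!security_patches_up_to_date'` sits under the `# these packages do not exist in OL 10` comment in the new e8 profile, which is misleading because it is not a package rule and patch application is one of the Essential Eight strategies; give it its own comment, e.g. `# not automated on OL 10; patch currency must be verified out of band`. The profile also pins `var_system_crypto_policy=default_policy` without saying why DEFAULT rather than FUTURE or FIPS was chosen; a one-line comment would help, especially because the three ISM profiles in this change `extends: e8` and inherit this value.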
@@ -0,0 +1,62 @@ +documentation_complete: true + +reference: https://www.hhs.gov/hipaa/for-professionals/index.html + +title: 'DRAFT - Health Insurance Portability and Accountability Act (HIPAA)' + +description: |- + This is a draft profile for experimental purposes. + + The HIPAA Security Rule establishes U.S. national standards to protect individuals's + electronic personal health information that is created, received, used, or + maintained by a covered entity. The Security Rule requires appropriate + administrative, physical and technical safeguards to ensure the + confidentiality, integrity, and security of electronic protected health + information. + + This draft profile configures Oracle Linux 10 to the HIPAA Security + Rule identified for securing of electronic protected health information. + Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s). + +selections: + - hipaa:all + + - '!ensure_redhat_gpgkey_installed' + - ensure_oracle_gpgkey_installed + + # Conflicts with sshd_set_keepalive + - '!sshd_set_keepalive_0' + + - '!coreos_disable_interactive_boot' + - '!coreos_audit_option' + - '!coreos_nousb_kernel_argument' + - '!coreos_enable_selinux_kernel_argument' + - '!dconf_gnome_remote_access_credential_prompt' + - '!dconf_gnome_remote_access_encryption' + - '!ensure_suse_gpgkey_installed' + - '!ensure_fedora_gpgkey_installed' + - '!grub2_uefi_admin_username' + - '!grub2_uefi_pass' + - '!service_ypbind_disabled' + - '!service_zebra_disabled' + - '!package_talk-server_removed' + - '!package_talk_removed' + - '!sshd_use_approved_macs' + - '!sshd_use_approved_ciphers' + - '!accounts_passwords_pam_tally2' + - '!package_audit-audispd-plugins_installed' + - '!auditd_audispd_syslog_plugin_activated' + - '!package_ypserv_removed' + - '!package_ypbind_removed' + - '!package_xinetd_removed' + - '!package_rsh_removed' + - '!package_rsh-server_removed' + - '!service_rexec_disabled' + - 
'!service_rsh_disabled' + - '!package_tcp_wrappers_removed' + - '!package_ypbind_removed' + - '!package_xinetd_removed' + - '!service_xinetd_disabled' + - '!sshd_allow_only_protocol2' + - '!sshd_disable_kerb_auth' + - '!sshd_disable_gssapi_auth' diff --git a/products/ol10/profiles/ism_o.profile b/products/ol10/profiles/ism_o.profile new file mode 100644 index 00000000000..38cfa6d0c73 --- /dev/null +++ b/products/ol10/profiles/ism_o.profile 
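Review bot: `'!package_ypbind_removed'` and `'!package_xinetd_removed'` each appear twice in the hipaa selections list (once in the first run of exclusions and again near the end); duplicates are harmless to the loader but indicate the list was pasted from two sources, so drop one copy of each. More importantly, `'!sshd_use_approved_macs'`, `'!sshd_use_approved_ciphers'`, `'!sshd_allow_only_protocol2'`, `'!sshd_disable_kerb_auth'` and `'!sshd_disable_gssapi_auth'` are excluded with no rationale; if the intent is that system-wide crypto-policies govern SSH algorithms on OL 10, say so in a comment and confirm `hipaa:all` selects a crypto-policy rule, otherwise the profile no longer checks SSH cipher and MAC strength at all.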
@@ -0,0 +1,76 @@ +documentation_complete: true + +reference: https://www.cyber.gov.au/ism + +title: 'DRAFT - Australian Cyber Security Centre (ACSC) ISM Official - Base' + +description: |- + This is a draft profile for experimental purposes. + + This draft profile contains configuration checks for Oracle Linux 10 + that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM). + + The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning + Oracle Linux security controls with the ISM, which can be used to select controls + specific to an organisation's security posture and risk profile. + + A copy of the ISM can be found at the ACSC website: + + https://www.cyber.gov.au/ism + +extends: e8 + +selections: + - ism_o:all:base + + # these rules do not work properly on OL 10 for now + - '!enable_dracut_fips_module' + - '!firewalld_sshd_port_enabled' + - '!require_singleuser_auth' + + # lastlog is not used in OL 10 + - '!audit_rules_login_events_lastlog' + + # Setting any nondefault, so a specific driver is expected + # using the same as in STIG + - var_smartcard_drivers=cac + + # ISM 0418,1055,1402 + # Rule is for authconfig not used in OL10 + - "!enable_ldap_client" + # Not applicable to OL10 due to krb5-server version + - "!kerberos_disable_no_keytab" + + # ISM 1386 + # Configuration not available in OL10 + - "!force_opensc_card_drivers" + + # ISM 1277,1552 + # Not applicable to OL10 as per openssl man page + - "!openssl_use_strong_entropy" + + # ISM 0988,1405 + # Always use chronyd + - "!service_chronyd_or_ntpd_enabled" + + # ISM 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 + # pam_tally2 is not available in OL10 + - "!accounts_passwords_pam_tally2_deny_root" + - "!accounts_passwords_pam_tally2_unlock_time" + - '!audit_rules_login_events_tallylog' + + # ISM 0582,0846 + # These rules are not implemented in OL10 + - "!audit_access_failed_aarch64" + - 
"!audit_access_failed_ppc64le" + - "!audit_access_success_aarch64" + - "!audit_access_success_ppc64le" + + # Doesn't cover the expected requirement + # 1319 "Static addressing is not used..." + - "!network_ipv6_static_address" + + # ISM 1467,1483,1493 + # Packages not available in OL + - "!package_libdnf-plugin-subscription-manager_installed" + - "!package_subscription-manager_installed" diff --git a/products/ol10/profiles/ism_o_secret.profile b/products/ol10/profiles/ism_o_secret.profile new file mode 100644 index 00000000000..351b5d70742 --- /dev/null +++ b/products/ol10/profiles/ism_o_secret.profile 
@@ -0,0 +1,76 @@ +documentation_complete: true + +reference: https://www.cyber.gov.au/ism + +title: 'DRAFT - Australian Cyber Security Centre (ACSC) ISM Official - Secret' + +description: |- + This is a draft profile for experimental purposes. + + This draft profile contains configuration checks for Oracle Linux 10 + that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM). + + The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning + Oracle Linux security controls with the ISM, which can be used to select controls + specific to an organisation's security posture and risk profile. + + A copy of the ISM can be found at the ACSC website: + + https://www.cyber.gov.au/ism + +extends: e8 + +selections: + - ism_o:all:secret + + # these rules do not work properly on OL 10 for now + - '!enable_dracut_fips_module' + - '!firewalld_sshd_port_enabled' + - '!require_singleuser_auth' + + # lastlog is not used in OL 10 + - '!audit_rules_login_events_lastlog' + + # Setting any nondefault, so a specific driver is expected + # using the same as in STIG + - var_smartcard_drivers=cac + + # ISM 0418,1055,1402 + # Rule is for authconfig not used in OL10 + - "!enable_ldap_client" + # Not applicable to OL10 due to krb5-server version + - "!kerberos_disable_no_keytab" + + # ISM 1386 + # Configuration not available in OL10 + - "!force_opensc_card_drivers" + + # ISM 1277,1552 + # Not applicable to OL10 as per openssl man page + - "!openssl_use_strong_entropy" + + # ISM 0988,1405 + # Always use chronyd + - "!service_chronyd_or_ntpd_enabled" + + # ISM 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 + # pam_tally2 is not available in OL10 + - "!accounts_passwords_pam_tally2_deny_root" + - "!accounts_passwords_pam_tally2_unlock_time" + - '!audit_rules_login_events_tallylog' + + # ISM 0582,0846 + # These rules are not implemented in OL10 + - "!audit_access_failed_aarch64" + - 
"!audit_access_failed_ppc64le" + - "!audit_access_success_aarch64" + - "!audit_access_success_ppc64le" + + # Doesn't cover the expected requirement + # 1319 "Static addressing is not used..." + - "!network_ipv6_static_address" + + # ISM 1467,1483,1493 + # Packages not available in OL + - "!package_libdnf-plugin-subscription-manager_installed" + - "!package_subscription-manager_installed" diff --git a/products/ol10/profiles/ism_o_top_secret.profile b/products/ol10/profiles/ism_o_top_secret.profile new file mode 100644 index 00000000000..b198c4ddc8c --- /dev/null +++ b/products/ol10/profiles/ism_o_top_secret.profile 
@@ -0,0 +1,76 @@ +documentation_complete: true + +reference: https://www.cyber.gov.au/ism + +title: 'DRAFT - Australian Cyber Security Centre (ACSC) ISM Official - Top Secret' + +description: |- + This is a draft profile for experimental purposes. + + This draft profile contains configuration checks for Oracle Linux 10 + that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM). + + The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning + Oracle Linux security controls with the ISM, which can be used to select controls + specific to an organisation's security posture and risk profile. + + A copy of the ISM can be found at the ACSC website: + + https://www.cyber.gov.au/ism + +extends: e8 + +selections: + - ism_o:all:top_secret + + # these rules do not work properly on OL 10 for now + - '!enable_dracut_fips_module' + - '!firewalld_sshd_port_enabled' + - '!require_singleuser_auth' + + # lastlog is not used in OL 10 + - '!audit_rules_login_events_lastlog' + + # Setting any nondefault, so a specific driver is expected + # using the same as in STIG + - var_smartcard_drivers=cac + + # ISM 0418,1055,1402 + # Rule is for authconfig not used in OL10 + - "!enable_ldap_client" + # Not applicable to OL10 due to krb5-server version + - "!kerberos_disable_no_keytab" + + # ISM 1386 + # Configuration not available in OL10 + - "!force_opensc_card_drivers" + + # ISM 1277,1552 + # Not applicable to OL10 as per openssl man page + - "!openssl_use_strong_entropy" + + # ISM 0988,1405 + # Always use chronyd + - "!service_chronyd_or_ntpd_enabled" + + # ISM 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 + # pam_tally2 is not available in OL10 + - "!accounts_passwords_pam_tally2_deny_root" + - "!accounts_passwords_pam_tally2_unlock_time" + - '!audit_rules_login_events_tallylog' + + # ISM 0582,0846 + # These rules are not implemented in OL10 + - "!audit_access_failed_aarch64" + - 
"!audit_access_failed_ppc64le" + - "!audit_access_success_aarch64" + - "!audit_access_success_ppc64le" + + # Doesn't cover the expected requirement + # 1319 "Static addressing is not used..." + - "!network_ipv6_static_address" + + # ISM 1467,1483,1493 + # Packages not available in OL + - "!package_libdnf-plugin-subscription-manager_installed" + - "!package_subscription-manager_installed" diff --git a/products/ol10/profiles/ospp.profile b/products/ol10/profiles/ospp.profile new file mode 100644 index 00000000000..7700c1efee7 --- /dev/null +++ b/products/ol10/profiles/ospp.profile @@ -0,0 +1,19 @@ +documentation_complete: false + +reference: https://www.niap-ccevs.org/Profile/Info.cfm?PPID=469&id=469 + +title: 'DRAFT - Protection Profile for General Purpose Operating Systems' + +description: |- + This is draft profile is based on the Oracle Linux 9 Common Criteria Guidance as + guidance for Oracle Linux 10 was not available at the time of release. + + + Where appropriate, CNSSI 1253 or DoD-specific values are used for + configuration, based on Configuration Annex to the OSPP. + +selections: + - ospp:all + + - '!package_screen_installed' + - '!package_dnf-plugin-subscription-manager_installed' diff --git a/products/ol10/profiles/pci-dss.profile b/products/ol10/profiles/pci-dss.profile new file mode 100644 index 00000000000..c54c3fe8b24 --- /dev/null +++ b/products/ol10/profiles/pci-dss.profile 
@@ -0,0 +1,70 @@ +documentation_complete: true + +reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf + +title: 'DRAFT - PCI-DSS v4.0.1 Control Baseline for Oracle Linux 10' + +description: |- + This is a draft profile for experimental purposes. + + Payment Card Industry - Data Security Standard (PCI-DSS) is a set of + security standards designed to ensure the secure handling of payment card + data, with the goal of preventing data breaches and protecting sensitive + financial information. + + This draft profile ensures Oracle Linux 10 is configured in alignment + with PCI-DSS v4.0.1 requirements. + +selections: + - pcidss_4:all + - var_password_hashing_algorithm=yescrypt + - var_password_hashing_algorithm_pam=yescrypt + + # these rules do not apply to OL 10 + - '!package_audit-audispd-plugins_installed' + - '!package_dhcp_removed' + - '!package_ypserv_removed' + - '!package_ypbind_removed' + - '!package_talk_removed' + - '!package_talk-server_removed' + - '!package_xinetd_removed' + - '!package_rsh_removed' + - '!package_rsh-server_removed' + + - '!service_ntp_enabled' + - '!service_ntpd_enabled' + - '!service_timesyncd_enabled' + - '!ntpd_specify_remote_server' + - '!ntpd_specify_multiple_servers' + + - '!accounts_passwords_pam_tally2' + - '!accounts_passwords_pam_tally2_unlock_time' + - '!cracklib_accounts_password_pam_dcredit' + - '!cracklib_accounts_password_pam_lcredit' + - '!cracklib_accounts_password_pam_minlen' + - '!cracklib_accounts_password_pam_retry' + - '!ensure_firewall_rules_for_open_ports' + - '!ensure_shadow_group_empty' + - '!ensure_suse_gpgkey_installed' + - '!install_PAE_kernel_on_x86-32' + - '!mask_nonessential_services' + - '!nftables_ensure_default_deny_policy' + - '!set_ipv6_loopback_traffic' + - '!set_ip6tables_default_rule' + - '!set_loopback_traffic' + - '!set_password_hashing_algorithm_commonauth' + + # Following are incompatible with the ol10 product + - '!service_chronyd_or_ntpd_enabled' + - 
'!aide_periodic_checking_systemd_timer' + - '!gnome_gdm_disable_unattended_automatic_login' + - '!permissions_local_var_log' + - '!sshd_use_strong_kex' + - '!sshd_use_approved_macs' + - '!sshd_use_approved_ciphers' + - '!security_patches_up_to_date' + - '!kernel_module_dccp_disabled' + + # Add oracle gpg key rule + - 'ensure_oracle_gpgkey_installed' + - '!ensure_redhat_gpgkey_installed' diff --git a/products/ol10/profiles/stig.profile b/products/ol10/profiles/stig.profile new file mode 100644 index 00000000000..622fb2d36d5 --- /dev/null +++ b/products/ol10/profiles/stig.profile @@ -0,0 +1,17 @@ +documentation_complete: true + +reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux + +title: 'DRAFT - DISA STIG for Oracle Linux 10' + +description: |- + This is a draft profile for experimental purposes. + It is not based on the DISA STIG for OL 10, because it was not available at time of + the release. + +selections: + - srg_gpos:all + - var_accounts_authorized_local_users_regex=ol9 + - '!enable_dracut_fips_module' + # Package not available in OL10 + - '!package_subscription-manager_installed' diff --git a/products/ol10/profiles/stig_gui.profile b/products/ol10/profiles/stig_gui.profile new file mode 100644 index 00000000000..c01cd37a4bf --- /dev/null +++ b/products/ol10/profiles/stig_gui.profile 
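Review bot: Under `# these rules do not apply to OL 10` the pci-dss hunk unselects `ensure_firewall_rules_for_open_ports`, `nftables_ensure_default_deny_policy`, `set_ip6tables_default_rule`, `set_loopback_traffic` and `set_ipv6_loopback_traffic`; these are the checks behind PCI DSS Requirement 1's default-deny and loopback rules, so the comment should name the firewalld-based rules that now cover them (if `pcidss_4:all` selects them) rather than suggest the requirement itself does not apply. Likewise `'!sshd_use_strong_kex'`, `'!sshd_use_approved_macs'` and `'!sshd_use_approved_ciphers'` are listed as `# Following are incompatible with the ol10 product` with no replacement named; if crypto-policies are meant to enforce SSH algorithm strength on OL 10, say so here. `var_password_hashing_algorithm=yescrypt` is a sensible choice, assuming the corresponding PAM/login.defs rules accept that value.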
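Review bot: `var_accounts_authorized_local_users_regex=ol9` selects the OL 9 option of that variable in an OL 10 profile with no comment; if no `ol10` option exists yet, say so, e.g. `# no ol10 option yet; OL 9 system-account list used, verify against an OL 10 install`, because an authorized-users regex from another release can both miss new system accounts and flag legitimate ones. `'!enable_dracut_fips_module'` is also excluded here without the rationale the ISM profiles in this change give for the same rule, so the same comment belongs here.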
@@ -0,0 +1,29 @@ +documentation_complete: true + +metadata: + SMEs: + - mab879 + + +reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux + +title: 'DRAFT - DISA STIG for Oracle Linux 10' + +description: |- + This is a draft profile for experimental purposes. + It is not based on the DISA STIG for OL 10, because it was not available at time of + the release. + +extends: stig + +selections: + - '!xwindows_remove_packages' + + - '!xwindows_runlevel_target' + + - '!package_nfs-utils_removed' + + # Limiting user namespaces cause issues with user apps, such as Firefox and Cheese + - '!sysctl_user_max_user_namespaces' + # locking of idle sessions is handled by screensaver when GUI is present, the following rule is therefore redundant + - '!logind_session_timeout'
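Review bot: The title `'DRAFT - DISA STIG for Oracle Linux 10'` is identical to that of the parent `stig` profile this file `extends`, so both profiles will appear under the same name in the data stream and in scanner UIs; name it `'DRAFT - DISA STIG with GUI for Oracle Linux 10'` (the convention other products use for their stig_gui variant). `'!package_nfs-utils_removed'` is unselected with no comment while the `sysctl_user_max_user_namespaces` and `logind_session_timeout` exclusions below it do explain themselves; add the reason. The `metadata.SMEs` entry also exists only here and not in the parent `stig` profile, which looks like an oversight.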