This file contains additional notes about the CIS Benchmark for Red Hat.
You should use your provisioning service (kickstart/cobbler/etc) to start with a clean, functional baseline “Just Enough OS” installation. Not all recommendations in the Benchmark are implemented; by default not everything is enabled/installed or otherwise relevant on Red Hat Enterprise family distributions.
Mission-critical services that go against a benchmark recommendation, and any non-default settings, should be added through additional cookbook recipes applied by specific roles.
None of the recipes apply the latest OS patches. It is presumed the system administrator will do so using yum update during a regularly scheduled maintenance window, or on an ad hoc basis with knife. For example:
knife ssh "platform:redhat" "sudo yum update -y"
However, some recipes may install packages using the “upgrade” action. Red Hat is known for shipping only security and bug fixes within a release cycle and for maintaining backwards compatibility, so this is low risk.
See above for provisioning clean base systems.
- PasswordAuthentication yes
Level II; no longer a requirement of the CIS Benchmark. It must also be ‘yes’ for the PermitRootLogin exception below to work.
- PermitRootLogin yes
Red Hat family distributions don’t by default create a user with privileged access besides root, so leave this enabled by default. If your environment sets up another user during the provisioning process or with a different Chef recipe, modify the sshd_config template.
- Banner /etc/issue.net
Discussed in more detail in Section 10.
Implements both sysstat and auditd.
Not applicable, xinetd is not installed by default.
Firewall configuration is out of scope for now. No additional action is taken outside the default of leaving iptables on. Opscode is working on a firewall cookbook to provide general LWRP for managing iptables rules.
TCP Wrappers are monolithic files and currently outside the scope of this cookbook.
Level II, not implemented.
See #3 above.
Sendmail has been replaced by postfix. Custom configuration for postfix should be done with a separate cookbook, for example:
http://community.opscode.com/cookbooks/postfix
Not applicable. GUI not installed by default.
Not applicable. XFS not installed by default.
Not applicable. This is already the default posture per above.
Not applicable. Samba not installed by default.
Not applicable. These services are not installed by default.
In the default disabled services list.
Not applicable. Printer daemon not enabled by default.
See above. Use a cookbook to enable HTTPD, e.g.:
http://community.opscode.com/cookbooks/apache2
Not applicable. SNMP is not installed by default.
See above. Use a cookbook to run a DNS server, e.g.:
http://community.opscode.com/cookbooks/djbdns
http://community.opscode.com/cookbooks/unbound
http://community.opscode.com/cookbooks/pdns
http://community.opscode.com/cookbooks/maradns
BIND is conspicuously missing. It also has the worst security track record of any DNS service.
See above. Use a cookbook for the desired database if required, e.g.:
http://community.opscode.com/cookbooks/mysql
http://community.opscode.com/cookbooks/postgresql
Or if “NoSQL” is your flavor:
http://community.opscode.com/cookbooks/riak
http://community.opscode.com/cookbooks/couchdb
Not applicable. Squid is not installed by default.
Not applicable. Kudzu is not enabled by default. HalD is already in the disabled services list.
Not applicable. IMAP is not installed by default.
Red Hat family distributions do not yet support an `/etc/sysctl.d` style of configuration.
The recipe modifies these settings with execute resources; they are not checked for idempotence and are not persisted to /etc/sysctl.conf. For now, that is out of scope for the recipes.
One strategy to resolve that would be to create an /etc/sysctl.conf.d directory with specific settings in their own files, and then write out the master /etc/sysctl.conf by notification, all wrapped up in a LWRP.
Or this cookbook might bolt on the functionality of `/etc/sysctl.d` borrowed from Debian/Ubuntu.
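As an added example (not the cookbook's own code), the sysctl.conf.d strategy sketched above written as plain Ruby rather than Chef DSL so it runs stand-alone: fragments are merged in lexical order with later files winning, the master file is only rewritten when its content changes, and malformed lines fail loudly. The directory and target paths are parameters; the fragments in the demo are constructed.

```ruby
# Added example (not part of the cookbook): assemble a single /etc/sysctl.conf
# from per-setting fragment files in a sysctl.conf.d-style directory, in the
# manner the notes above propose for Red Hat 6, which lacks /etc/sysctl.d.
# Paths are parameters so it can be exercised against a temporary directory.

# Parse one fragment: "key = value" lines, ignoring blanks and comments.
# Returns an ordered list of [key, value] pairs; raises on malformed lines so a
# typo in a hardening fragment fails the run instead of being silently skipped.
def parse_sysctl_fragment(text, name = '<fragment>')
  text.each_line.with_index(1).each_with_object([]) do |(line, n), pairs|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#', ';')
    key, value = stripped.split('=', 2).map(&:strip)
    unless value && key =~ /\A[A-Za-z0-9_.\-\/]+\z/
      raise ArgumentError, "#{name}:#{n}: malformed sysctl line: #{line.chomp}"
    end
    pairs << [key, value]
  end
end

# Merge fragments in lexical order (10-foo.conf before 20-bar.conf); when the
# same key appears twice the later file wins, matching sysctl.d semantics.
def assemble_sysctl(fragment_dir)
  merged = {}
  Dir.glob(File.join(fragment_dir, '*.conf')).sort.each do |path|
    parse_sysctl_fragment(File.read(path), File.basename(path)).each { |k, v| merged[k] = v }
  end
  header = "# Generated from #{fragment_dir}; edit the fragments, not this file.\n"
  header + merged.map { |k, v| "#{k} = #{v}\n" }.join
end

# Write the master file only when its content would change, so the step is
# idempotent; the return value says whether a `sysctl -p` notification is due.
def write_sysctl_conf(fragment_dir, target)
  desired = assemble_sysctl(fragment_dir)
  return false if File.exist?(target) && File.read(target) == desired
  File.write(target, desired)
  true
end

if __FILE__ == $PROGRAM_NAME
  require 'tmpdir'
  Dir.mktmpdir do |dir|
    frag = File.join(dir, 'sysctl.conf.d')
    Dir.mkdir(frag)
    # Constructed fragments: the later file overrides the earlier key.
    File.write(File.join(frag, '10-net.conf'), "net.ipv4.ip_forward = 0\n")
    File.write(File.join(frag, '20-site.conf'), "net.ipv4.ip_forward = 1\n")
    target = File.join(dir, 'sysctl.conf')
    puts "changed: #{write_sysctl_conf(frag, target)}" # true
    puts "changed: #{write_sysctl_conf(frag, target)}" # false (idempotent)
    puts File.read(target)
  end
end
```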
Use Opscode’s “ntp” cookbook for managing NTP on hosts. It is otherwise outside the scope of the CIS benchmark implementation.
Red Hat 6 uses rsyslog. Use the Opscode “rsyslog” cookbook to manage rsyslog on hosts. The cookbook includes capability to set up a remote loghost.
For log management and analysis, another tool such as logstash is recommended. The community provides a logstash cookbook that can be modified. Log management is outside the scope of this cookbook.
http://community.opscode.com/cookbooks/rsyslog
http://community.opscode.com/cookbooks/ntp
http://community.opscode.com/cookbooks/logstash
Management of the fstab file is presently outside the scope of this cookbook.
At some point in the future, this may be handled with the `mount` resource.
Not implemented. Red Hat 6 changed the entire model for configuration.
Not implemented. Sections 7.5 through 7.8 are presently outside the scope of this cookbook and should be handled through normal system auditing procedures.
Not implemented. Outside scope at this time. Plus cloud instances don’t have “USB Devices” :-).
Not applicable. PAM does not have rhosts support.
Not applicable. FTP is not enabled by default.
Not applicable. X11 is not installed by default.
atd is disabled above by default. If it is enabled (removed from the disabled list and a specific recipe added?), only authorized users should be allowed to use it.
See above under SSH exceptions.
Not implemented. Currently out of scope.
Not implemented. Currently out of scope.
Not applicable. NFS is not installed by default.
Not applicable. Use `rsyslog` cookbook.
http://community.opscode.com/cookbooks/rsyslog
Various parts of this are out of scope and should be handled in a more general user management cookbook (of which Opscode makes “users” available, or “openldap”).
Account expiration is generally tied to password policies and varies by site. We recommend not using passwords at all, and only allow users to log into systems with SSH keys (handled by the aforementioned “users” cookbook for sysadmins, can be extended to other user types).
http://community.opscode.com/cookbooks/users
http://community.opscode.com/cookbooks/sudo
http://community.opscode.com/cookbooks/openldap
Change the node attribute `node['cis_benchmark']['company']` to your company/organization name.
You may also want to create /etc/motd using the motd-tail cookbook:
http://community.opscode.com/cookbooks/motd-tail
Not applicable. X11 is not installed by default.