Add Ism profile to OL9 #12346

Merged
merged 4 commits into from
Aug 28, 2024
11 changes: 10 additions & 1 deletion controls/ism_o.yml
Expand Up @@ -95,7 +95,15 @@ controls:
- sshd_set_max_auth_tries
- sssd_enable_smartcards
status: automated

- id: '0484'
title: 'SSH daemon configuration'
levels:
- base
rules:
- disable_host_auth
- sshd_enable_warning_banner
- sshd_disable_x11_forwarding
status: partial
- id: '0487'
title: 'Passwordless SSH Connections Configuration'
levels:
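Review bot: The new control '0484' is set to "status: partial" but has no "notes:" entry, so a reader cannot tell which part of 'SSH daemon configuration' the three selected rules leave uncovered. The other partial control touched in this file carries a notes block; adding one here that names what disable_host_auth, sshd_enable_warning_banner and sshd_disable_x11_forwarding do not address would make the remaining gap auditable.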
Expand Down Expand Up @@ -429,6 +437,7 @@ use of device access control software or by disabling external communication int
- base
rules:
- sshd_allow_only_protocol2
- file_permissions_sshd_private_key
status: partial
notes: |-
This needs more
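Review bot: file_permissions_sshd_private_key is added in controls/ism_o.yml rather than under products/ol9, so the change is not limited to the new OL9 profile and reaches every profile that selects this control. Confirm the rule is wanted there as well. Since the control stays at "status: partial", also check that the notes beginning "This needs more" still describe what remains uncovered once the private key permission check is selected.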
65 changes: 65 additions & 0 deletions products/ol9/profiles/ism_o.profile
@@ -0,0 +1,65 @@
documentation_complete: true

reference: https://www.cyber.gov.au/ism

title: 'Australian Cyber Security Centre (ACSC) ISM Official'

description: |-
This profile contains configuration checks for Oracle Linux 9
that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM).

The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
Oracle Linux security controls with the ISM, which can be used to select controls
specific to an organisation's security posture and risk profile.

A copy of the ISM can be found at the ACSC website:

https://www.cyber.gov.au/ism

extends: e8

selections:
- ism_o:all:top_secret

# Setting any nondefault, so a specific driver is expected
# using the same as in STIG
- var_smartcard_drivers=cac

# ISM 0418,1055,1402
# Rule is for authconfig not used in
- "!enable_ldap_client"
# Not applicable to OL9 due to krb5-server version
- "!kerberos_disable_no_keytab"

# ISM 1386
# Configuration not available in OL9
- "!force_opensc_card_drivers"

# ISM 1277,1552
# Not applicable to OL9 as per openssl man page
- "!openssl_use_strong_entropy"

# ISM 0988,1405
# Always use chronyd
- "!service_chronyd_or_ntpd_enabled"

# ISM 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
# pam_tally2 is not available in OL9
- "!accounts_passwords_pam_tally2_deny_root"
- "!accounts_passwords_pam_tally2_unlock_time"

# ISM 0582,0846
# These rules is not implemented in OL9
- "!audit_access_failed_aarch64"
- "!audit_access_failed_ppc64le"
- "!audit_access_success_aarch64"
- "!audit_access_success_ppc64le"

# Doesn't cover the expected requirement
# 1319 "Static addressing is not used..."
- "!network_ipv6_static_address"

# ISM 1467,1483,1493
# Packages not available in OL
- "!package_libdnf-plugin-subscription-manager_installed"
- "!package_subscription-manager_installed"
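Review bot: The selection "ism_o:all:top_secret" pulls in the top_secret level, while the profile title reads 'Australian Cyber Security Centre (ACSC) ISM Official' and the file is named ism_o.profile. Confirm which level is intended; if this profile is meant to cover only the Official baseline, select the matching level instead, otherwise state in the description that top_secret controls are included. Separately, the comment "# Rule is for authconfig not used in" stops before naming the product, and "# These rules is not implemented in OL9" should read "These rules are not implemented in OL9".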