{"id": "bsi_sys_1_3_rhcos4", "policy": "BSI-SYS-1-3-RHCOS4", "title": "SYS.1.3 Linux Server (RHCOS)", "source": "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf", "definition_location": "/aptdata/openscap/scap-security-guide/controls/bsi_sys_1_3_rhcos4.yml", "controls": [{"id": "SYS.1.3.A1", "levels": ["basic"], "notes": "This requirement has been eliminated.", "title": "ELIMINATED", "description": "This requirement has been eliminated.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SYS.1.3.A2", "levels": ["basic"], "notes": "Section 2: system accounts do not always have a group. Section 4: this is a manual control. Section 5: this cannot be checked on a per-system basis and is therefore an organizational control.", "title": "Careful Allocation of IDs", "description": "(1) Each login name, each user ID (UID) and each group ID (GID) MUST ONLY be used once. (2) Every user MUST be a member of at least one group. (3) Every GID mentioned in the /etc/passwd file MUST be defined in the /etc/group file. (4) Every group SHOULD only contain the users that are absolutely necessary. 
(5) In networked systems, care MUST also be taken to ensure that user and group names (UIDs and GIDs) are assigned consistently in the system network if there is a possibility that the same UIDs or GIDs could be assigned to different user or group names on the systems during cross-system access.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_unique_name", "gid_passwd_group_same", "group_unique_id", "group_unique_name", "account_unique_id"], "controls": []}, {"id": "SYS.1.3.A3", "levels": ["basic"], "notes": "https://access.redhat.com/solutions/18978", "title": "No Automatic Integration of Removable Drives", "description": "(1) Removable media such as USB pen drives or CDs/DVDs MUST NOT be integrated automatically.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_usb-storage_disabled", "service_autofs_disabled", "grub2_nousb_argument", "bios_disable_usb_boot", "coreos_nousb_kernel_argument"], "controls": []}, {"id": "SYS.1.3.A4", "levels": ["basic"], "notes": "This should be the default on all modern platforms. Section 2: organizational requirement towards the admin.", "title": "Protection from Exploitation of Vulnerabilities in Applications", "description": "(1) ASLR and DEP/NX MUST be activated in the kernel and used by applications to make it harder to exploit vulnerabilities in applications. 
(2) Security functions of the kernel and of the standard libraries (such as heap and stack protection) MUST NOT be disabled.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["coreos_pti_kernel_argument", "selinux_not_disabled", "package_libselinux_installed", "coreos_page_poison_kernel_argument", "bios_enable_execution_restrictions", "grub2_enable_selinux", "sysctl_kernel_randomize_va_space", "coreos_slub_debug_kernel_argument"], "controls": []}, {"id": "SYS.1.3.A5", "levels": ["basic"], "notes": "This requirement must be implemented organizationally.", "title": "Secure Installation of Software Packages", "description": "(1) If software to be installed is to be compiled from source code, it MUST ONLY be unpacked, configured, and compiled using an unprivileged user account. (2) The software to be installed MUST NOT then be installed in the root file system of the server in question in an uncontrolled manner.\n(3) If the software is compiled from the source text, the selected parameters SHOULD be documented appropriately. (4) Based on this documentation, it SHOULD be possible to compile the software in a transparent and reproducible manner at any time. (5) All further installation steps SHOULD also be documented.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SYS.1.3.A6", "levels": ["standard"], "notes": "This requirement must be implemented organizationally. 
We add audit rules for these files, which record edits but do not restrict which tools users use to edit them.", "title": "Managing Users and Groups", "description": "(1) The corresponding management tools SHOULD be used for managing users and groups. (2) The configuration files /etc/passwd, /etc/shadow, /etc/group, and /etc/sudoers SHOULD NOT be edited directly.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_usergroup_modification_gshadow", "audit_rules_usergroup_modification_opasswd", "audit_rules_usergroup_modification_group", "audit_rules_usergroup_modification_shadow", "audit_rules_usergroup_modification_passwd"], "controls": []}, {"id": "SYS.1.3.A7", "levels": ["standard"], "notes": "This requirement has been eliminated.", "title": "ELIMINATED", "description": "This requirement has been eliminated.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SYS.1.3.A8", "levels": ["standard"], "notes": "Section 1: this should be the default. We do not add the sshd_allow_only_protocol2 rule, as RHCOS ships with an openssh-server version that does not support other protocols anyway; checking for an option without effect does not provide any value. Section 2: this should be the default. Section 3: the requirement says to PRIMARILY use certificates, not to disable PasswordAuthentication completely. Since disabled root login is the default, we use this as the known-good baseline. RHCOS context: a more secure variant would be to disable SSH completely. 
It is not always needed, since MachineConfigs can configure the local machine.", "title": "Encrypted Access via Secure Shell", "description": "(1) Only Secure Shell (SSH) SHOULD be used to create an encrypted and authenticated interactive connection between two IT systems. (2) All other protocols whose functions are covered by Secure Shell SHOULD be disabled completely. (3) For authentication, users SHOULD primarily use certificates instead of passwords.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_empty_passwords", "sshd_disable_root_login", "package_telnet_removed", "package_telnet-server_removed", "service_sshd_enabled", "sshd_enable_pubkey_auth"], "controls": []}, {"id": "SYS.1.3.A9", "levels": ["standard"], "notes": "This requirement has been eliminated.", "title": "ELIMINATED", "description": "This requirement has been eliminated.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SYS.1.3.A10", "levels": ["standard"], "notes": "Section 2: we could add podman-specific rules, but it would be hard to evaluate whether they are used properly.", "title": "Preventing Further Intrusion When Vulnerabilities Are Exploited", "description": "(1) Services and applications SHOULD be protected with individual security architecture (e.g. with AppArmor or SELinux). (2) In addition, chroot environments and LXC or Docker containers SHOULD be taken into account here. 
(3) It SHOULD be ensured that the standard profiles and rules provided are activated.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_not_disabled", "package_libselinux_installed", "selinux_confinement_of_daemons", "grub2_enable_selinux", "selinux_state", "selinux_policytype", "var_selinux_policy_name=targeted", "var_selinux_state=enforcing"], "controls": []}, {"id": "SYS.1.3.A11", "levels": ["standard"], "notes": "This requirement has been eliminated.", "title": "ELIMINATED", "description": "This requirement has been eliminated.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SYS.1.3.A12", "levels": ["standard"], "notes": "This requirement has been eliminated.", "title": "ELIMINATED", "description": "This requirement has been eliminated.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SYS.1.3.A13", "levels": ["elevated"], "notes": "This requirement has been eliminated.", "title": "ELIMINATED", "description": "This requirement has been eliminated.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SYS.1.3.A14", "levels": ["standard"], "notes": "Section 2: This requirement must be 
implemented organizationally.", "title": "Preventing Unauthorised Collection of System and User Information", "description": "(1) Information output for users regarding the operating system and access to protocol and configuration files SHOULD be limited to the required minimum. (2) Moreover, confidential information SHOULD NOT be provided as parameters when commands are issued.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_etc_group", "file_groupowner_efi_user_cfg", "file_permissions_etc_shells", "file_ownership_audit_binaries", "file_permissions_backup_etc_gshadow", "file_owner_etc_passwd", "file_permissions_backup_etc_group", "file_owner_user_cfg", "file_permissions_sshd_private_key", "file_owner_backup_etc_shadow", "file_permissions_backup_etc_shadow", "file_permissions_home_directories", "file_permissions_audit_configuration", "file_groupownership_sshd_private_key", "file_owner_grub2_cfg", "file_groupowner_etc_issue", "file_groupowner_etc_motd", "file_owner_etc_issue_net", "file_group_ownership_var_log_audit", "file_groupowner_backup_etc_gshadow", "file_owner_backup_etc_gshadow", "file_permissions_user_cfg", "file_groupowner_grub2_cfg", "file_groupowner_backup_etc_group", "file_permissions_unauthorized_sgid", "file_owner_backup_etc_group", "file_groupowner_backup_etc_shadow", "file_permissions_etc_gshadow", "file_groupowner_etc_passwd", "file_groupowner_etc_gshadow", "file_groupowner_etc_shadow", "file_owner_etc_shells", "file_groupowner_user_cfg", "file_owner_etc_issue", "file_permissions_unauthorized_world_writable", "file_groupowner_etc_group", "file_permissions_audit_binaries", "file_permissions_sshd_config", "file_groupowner_efi_grub2_cfg", "file_permissions_etc_issue", "file_ownership_audit_configuration", "file_permissions_unauthorized_suid", 
"file_owner_etc_shadow", "file_groupownership_audit_binaries", "file_owner_efi_user_cfg", "file_groupowner_etc_shells", "file_owner_etc_motd", "file_groupowner_sshd_config", "file_permissions_var_log_audit", "file_groupownership_audit_configuration", "file_groupownership_home_directories", "file_permissions_grub2_cfg", "file_permissions_etc_motd", "file_owner_sshd_config", "file_permissions_efi_grub2_cfg", "file_permissions_etc_issue_net", "file_ownership_sshd_pub_key", "file_owner_etc_gshadow", "file_groupowner_etc_issue_net", "file_permissions_sshd_pub_key", "file_groupownership_sshd_pub_key", "file_permissions_efi_user_cfg", "file_ownership_home_directories", "file_ownership_var_log_audit", "file_owner_efi_grub2_cfg", "file_permissions_etc_shadow", "file_owner_backup_etc_passwd", "file_permissions_etc_passwd", "file_permissions_etc_group", "file_groupowner_backup_etc_passwd", "file_ownership_sshd_private_key", "file_permissions_ungroupowned", "file_permissions_backup_etc_passwd"], "controls": []}, {"id": "SYS.1.3.A15", "levels": ["elevated"], "notes": "This requirement has been eliminated.", "title": "ELIMINATED", "description": "This requirement has been eliminated.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SYS.1.3.A16", "levels": ["elevated"], "notes": "In OpenShift this can be done utilizing the Security Profiles Operator. This is done on the OCP Layer and not on the RHCOS4 Layer.", "title": "Additional Prevention of Further Intrusion When Vulnerabilities Are Exploited", "description": "(1) The use of system calls SHOULD be limited to those absolutely necessary, particularly for exposed services and applications. (2) The standard profiles and/or rules (e.g. 
of SELinux or AppArmor) SHOULD be checked manually and, if necessary, adapted to an organisation's own security policies. (3) If necessary, new rules and profiles SHOULD be drawn up.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SYS.1.3.A17", "levels": ["elevated"], "notes": "Section 1: Red Hat does not provide specifically hardened kernels. If using them, please be aware of the support policy for 3rd Party software (https://access.redhat.com/third-party-software-support).", "title": "Additional Kernel Protection", "description": "(1) Specially hardened kernels (e.g. grsecurity, PaX) and appropriate protective safeguards such as memory protection or file system protection SHOULD be implemented to prevent exploitation of vulnerabilities and propagation in operating systems.", "rationale": null, "automated": "no", "status": "does not meet", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}], "levels": [{"id": "basic", "inherits_from": null}, {"id": "standard", "inherits_from": ["basic"]}, {"id": "elevated", "inherits_from": ["standard"]}]}
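A worked check for the SYS.1.3.A2 invariants, added here as an example; it is not code from the SCAP Security Guide or the BSI document. It reimplements in plain Python what the listed rules account_unique_name, account_unique_id, group_unique_name, group_unique_id and gid_passwd_group_same test, so the findings can be reviewed on copies of /etc/passwd and /etc/group pulled off a host (or via `oc debug node/...` on RHCOS). It covers sections (1) to (3) of the control; (4) and (5) are the manual and organizational parts noted above. The sample passwd and group content is constructed and seeded with one violation per check; the file paths used when arguments are given are assumptions.

```python
"""Check the SYS.1.3.A2 ID-allocation invariants on passwd/group content.

Added example, not part of the SCAP Security Guide. Only the local files
are inspected; accounts that come from NSS sources such as sssd/LDAP are
not seen, which is exactly why section (5) stays an organizational control.
"""
import sys
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample data (not from any real host), seeded with violations:
# duplicate login name "core", duplicate UID 1000, duplicate group name
# "wheel", duplicate GID 1001, and user "backup" whose primary GID 1500 is
# not defined in group and who is in no supplementary group either.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
core:x:1000:1000:CoreOS Admin:/var/home/core:/bin/bash
deploy:x:1000:1001:Deploy:/var/home/deploy:/bin/bash
backup:x:1002:1500:Backup:/var/home/backup:/sbin/nologin
core:x:1003:1000:Duplicate:/var/home/core2:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
bin:x:1:
core:x:1000:
deploy:x:1001:
wheel:x:10:core
wheel:x:1001:
"""


def parse_passwd(text: str) -> List[Tuple[str, int, int]]:
    """Return (login, uid, gid) for each passwd entry; blanks/comments skipped."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd entry: {line!r}")
        rows.append((fields[0], int(fields[2]), int(fields[3])))
    return rows


def parse_group(text: str) -> List[Tuple[str, int, List[str]]]:
    """Return (name, gid, [members]) for each group entry."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed group entry: {line!r}")
        members = [m for m in fields[3].split(",") if m]
        rows.append((fields[0], int(fields[2]), members))
    return rows


def duplicates(values) -> list:
    """Values that occur more than once, sorted for stable reporting."""
    return sorted(v for v, n in Counter(values).items() if n > 1)


def check_id_allocation(passwd_text: str, group_text: str) -> Dict[str, list]:
    """Evaluate A2 sections (1) uniqueness, (2) group membership, (3) GID defined."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    defined_gids = {gid for _, gid, _ in groups}
    supplementary = {m for _, _, members in groups for m in members}
    return {
        "duplicate_login_names": duplicates([name for name, _, _ in users]),
        "duplicate_uids": duplicates([uid for _, uid, _ in users]),
        "duplicate_group_names": duplicates([name for name, _, _ in groups]),
        "duplicate_gids": duplicates([gid for _, gid, _ in groups]),
        # (3): primary GID referenced in passwd but absent from group
        "undefined_primary_gids": sorted(
            {(name, gid) for name, _, gid in users if gid not in defined_gids}
        ),
        # (2): no valid primary group and no supplementary membership
        "users_without_group": sorted(
            name for name, _, gid in users
            if gid not in defined_gids and name not in supplementary
        ),
    }


def is_compliant(findings: Dict[str, list]) -> bool:
    return all(not v for v in findings.values())


if __name__ == "__main__":
    # Usage: python a2_check.py [/path/to/passwd /path/to/group]; sample data otherwise.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            result = check_id_allocation(f.read(), g.read())
    else:
        result = check_id_allocation(SAMPLE_PASSWD, SAMPLE_GROUP)
    for key, value in result.items():
        print(f"{key:24s} {value if value else 'ok'}")
    sys.exit(0 if is_compliant(result) else 1)
```

On a real host the remediation belongs to the management tools named in SYS.1.3.A6 (usermod, groupmod, groupadd), not to a direct edit of the files; the script only reports.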