<div dir="ltr">I've found <a href="https://github.com/dev-sec/ansible-os-hardening">https://github.com/dev-sec/ansible-os-hardening</a> handy for improving OS-level security and getting better results from scans. They also have similar modules for apache, nginx, etc. <a href="https://dev-sec.io/">https://dev-sec.io/</a></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Sep 7, 2018 at 9:22 AM Scott Packard via SGVLUG <<a href="mailto:sgvlug@sgvlug.net">sgvlug@sgvlug.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr">I've gotten into hardening RHEL6 and RHEL7 lately.<div>I've never seen that discussed on the list.</div><div><br></div><div>It comes with a tool from <a href="http://www.open-scap.org" target="_blank">www.open-scap.org</a>; unfortunately for my work</div><div>I have to put that aside and get a (download restricted) tool from <a href="http://iase.disa.mil" target="_blank">iase.disa.mil</a>.</div><div>The tool is restricted, but the content the tool uses is not.</div><div>To download the content, you'd select STIGs,
STIGs Master List (A to Z), and</div><div>look on the 2nd page for the Red Hat Benchmark .zip file appropriate for the</div><div>OS version.</div><div><br></div><div>I haven't compared content to see if they are similar; I believe they would be though.</div><div><a href="https://www.open-scap.org/getting-started/" target="_blank">https://www.open-scap.org/getting-started/</a> has a tutorial on how to get started.<br></div><div><br></div><div>You basically cycle through scanning a host, looking at the results, and follow</div><div>mostly well-written steps to apply hardening, and scan again.</div><div><br></div><div>I say mostly because there are some security features that it just wants to see on</div><div>but doesn't care how badly you shoot yourself in the foot with.</div><div><br></div><div>Those features are where the learning curve (and pain) are.</div><div><br></div><div>- iptables (netfilter), configured as deny by default, allow by explicit rule. Having</div><div>INPUT, OUTPUT, and FORWARD configured to DROP is different from most </div><div>examples you can google, and where you start to realize you can't admin by cookbook.</div><div><br></div><div>- SELinux (mandatory access control) set to enforcing</div><div>Here I'm still learning how to look for problems, correct them, how to test if the </div><div>correction is loaded, how to unload a policy, whether or not I need a reboot, etc.</div><div>For instance, I work with Centrify tools to make a host join a Windows domain,</div><div>and use their tools for centrally managing automounts. One of their perl scripts</div><div>was denied access to an auto.home.lck file. 
I looked at their knowledge base and</div><div>found a KB with a .te file that was supposed to correct the denial, but when I compiled</div><div>the file and applied the profile I still saw a denial.</div><div>I'm not sure it was the 'exactly right' thing to do, but I changed the .te file to allow</div><div>ioctl rather than just { read write }, because the error message I was seeing was</div><div>ioctl was being denied, and that stopped the error messages from appearing.</div><div><br></div><div>- aide (tool to scan a host and record a db of its config, then daily scan and report</div><div>any changes)</div><div><br></div><div>I don't think anybody gets into this area of Red Hat unless they have a job requirement</div><div>for it. In my case, it's gov't. contractor work. It seems the payment card industry</div><div>uses this, with their own ruleset. But, the tools are all there, and it does make it</div><div>easier for the security folks to push their requirements and to verify they've been met.</div><div><br></div><div>Regards, Scott Packard</div><div><br></div></div></div></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">Christopher Hicks<br><a href="http://www.chicks.net/" target="_blank">http://www.chicks.net/</a></div>
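<div dir="ltr">The two "learning curve" items in Scott's message, as an added worked example. This script is not from the thread, Red Hat, Centrify, dev-sec or any STIG; it is editorial. It assumes sshd on 22/tcp, the iptables-restore file format that the RHEL 6/7 iptables service loads from /etc/sysconfig/iptables, and the checkmodule / semodule_package / semodule toolchain for SELinux modules. The AVC line is constructed to match the shape of /var/log/audit/audit.log entries, and the type names centrify_script_t and autohome_lock_t in it are placeholders, not Centrify's real labels; the function names (iptables_ruleset, avc_fields, merge_perms, selinux_te, demo_te, selinux_apply) are mine.</div>

```shell
#!/bin/sh
# Added example, not code from the thread, Red Hat, Centrify or dev-sec.
# Generates the two items Scott calls the "learning curve": an iptables ruleset
# with DROP policies on all three chains, and a SELinux policy module built from
# an AVC denial. Names marked placeholder are assumptions, not real labels.

# --- iptables: deny by default, allow by explicit rule ----------------------
# Emits an iptables-restore file rather than calling iptables rule by rule, so
# the ruleset can be reviewed, diffed and loaded atomically (iptables-restore).
iptables_ruleset() {
  ssh_port="${1:-22}"                  # assumption: sshd listens on 22/tcp
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: sudo, rpcbind and most local daemons break without it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections we opened, and the rest of connections we accepted
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# inbound: only ssh
-A INPUT -p tcp --dport ${ssh_port} -m state --state NEW -j ACCEPT
# outbound: with OUTPUT DROP, DNS, NTP and yum must be listed or they fail silently
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# ICMP keeps path-MTU discovery and ping working
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# log what is dropped (rate limited) so a broken service can be traced to a rule
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-IN-DROP: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DROP: "
COMMIT
EOF
}

# --- SELinux: from an AVC denial to a loaded policy module ------------------
# Constructed sample denial in the shape found in /var/log/audit/audit.log;
# centrify_script_t and autohome_lock_t are placeholders, not Centrify's labels.
SAMPLE_AVC='type=AVC msg=audit(1536300000.123:456): avc:  denied  { ioctl } for  pid=4242 comm="perl" path="/etc/auto.home.lck" dev="dm-0" ino=12345 scontext=system_u:system_r:centrify_script_t:s0 tcontext=system_u:object_r:autohome_lock_t:s0 tclass=file'

# Print "<denied permission> <source domain> <target type>" for one AVC line.
avc_fields() {
  line="$1"
  perm=$(printf '%s\n' "$line" | sed -n 's/.*denied  *{ *\([^}]*\)}.*/\1/p' | tr -d ' ')
  src=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
  tgt=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
  printf '%s %s %s\n' "$perm" "$src" "$tgt"
}

# Merge what a KB article already grants with what audit.log still denies,
# de-duplicated and in order. Word splitting of $1 $2 is intended.
merge_perms() {
  printf '%s\n' $1 $2 | awk '!seen[$0]++' | tr '\n' ' ' | sed 's/ $//'
}

# Emit policy module source (.te). The thread ends up at { read write ioctl }:
# { read write } alone left the ioctl denial in place.
selinux_te() {
  module="$1"; domain="$2"; ftype="$3"; perms="$4"
  cat <<EOF
module ${module} 1.0;
require {
    type ${domain};
    type ${ftype};
    class file { ${perms} };
}
allow ${domain} ${ftype}:file { ${perms} };
EOF
}

# Whole path on the sample line: parse the denial, add the denied permission
# to the KB's { read write }, emit the module source.
demo_te() {
  set -- $(avc_fields "$SAMPLE_AVC")   # $1=perm $2=domain $3=type
  selinux_te centrify_lck "$2" "$3" "$(merge_perms "read write" "$1")"
}

# Needs root, checkpolicy and policycoreutils. Loading is persistent and takes
# effect at once (no reboot); "semodule -r centrify_lck" unloads it again.
selinux_apply() {
  module="$1"
  checkmodule -M -m -o "${module}.mod" "${module}.te"
  semodule_package -o "${module}.pp" -m "${module}.mod"
  semodule -i "${module}.pp"
  semodule -l | grep -q "^${module}"   # confirm the module is actually loaded
}

case "${1:-}" in
  iptables) iptables_ruleset "${2:-22}" ;;      # review, then: iptables-restore < file
  te)       demo_te ;;                          # review, then: > centrify_lck.te; selinux_apply centrify_lck
  "")       ;;                                  # no arguments: only define the functions
  *)        echo "usage: $0 iptables [port] | te" >&2 ;;
esac
```

<div dir="ltr">Run <code>sh harden.sh iptables 22 &gt; /etc/sysconfig/iptables</code> and load it with <code>iptables-restore</code> from a console rather than over ssh the first time, since a typo in the INPUT rule locks you out; on RHEL 7 this path needs the iptables-services package with firewalld disabled. For the SELinux side, <code>sh harden.sh te &gt; centrify_lck.te</code> produces the module source to inspect before <code>selinux_apply centrify_lck</code> builds and loads it; after loading, re-run the failing script and check audit.log again, because a second denial (for example on <code>lock</code> or <code>open</code>) means another pass through <code>merge_perms</code> rather than a reboot.</div>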