Configure System to CIS Benchmark for Hosts Standards

By default, StarlingX complies with most specifications of the CIS Benchmark for hosts. For the specifications that are not met by default, StarlingX can be configured to comply; however, these configurations may affect system performance. The relevant CIS Benchmark specifications, along with the StarlingX configuration steps needed to achieve compliance, are detailed below. Before applying these configurations in a live deployment, carefully assess their performance implications in the context of your specific security and operational needs.

AppArmor

Example Configuration for Compliance

You need to enable AppArmor. By default, AppArmor is disabled, but it can be enabled on a host using the CLI, as described in Enable/Disable AppArmor on a Host.

Note

Enabling AppArmor can result in some performance degradation; see StarlingX System Engineering Guidelines.

For testing purposes or as an example, refer to the following script, which contains commands to enable AppArmor as well as commands for an example AppArmor configuration.

/usr/local/bin/host-cis-benchmark-apparmor-setup.sh <host_name>

Auditd

Example Configuration for Compliance

StarlingX provides a containerized auditd solution, while the CIS Benchmark checks the auditd configuration and rules on the host. Your configuration can be applied as specified in the following steps.

Procedure

  1. Enable auditd in the Kernel.

    See Enable Auditd in the Kernel in Linux Auditing System documentation.

  2. Start the auditd system application.

    See Start Auditd System Application in Linux Auditing System documentation.

  3. Apply auditd configuration overrides.

    To align the system with CIS requirements, the auditd.conf configuration overrides should be applied to modify the default settings. These changes can be implemented using the system helm-override-update command following the procedure outlined in the Auditd Configuration Overrides section in Linux Auditing System documentation.

    Note

    The following auditd.conf file is for example or testing purposes only.

    auditdconf: |-
      ##########################################################################
      #
      # auditd.conf
      #
      ##########################################################################
      local_events = yes
      write_logs = yes
      log_file = /var/log/audit/audit.log
      log_group = root
      log_format = RAW
      flush = INCREMENTAL_ASYNC
      freq = 50
      max_log_file = 32
      num_logs = 5
      priority_boost = 4
      disp_qos = lossy
      dispatcher = /sbin/audispd
      name_format = NONE
      ##name = mydomain
      max_log_file_action = IGNORE
      space_left = 75
      space_left_action = halt
      ##verify_email = yes
      ##action_mail_acct = root
      admin_space_left = 50
      admin_space_left_action = halt
      disk_full_action = halt
      disk_error_action = halt
      use_libwrap = yes
      ##tcp_listen_port = 60
      ##tcp_listen_queue = 5
      ##tcp_max_per_addr = 1
      ##tcp_client_ports = 1024-65535
      ##tcp_client_max_idle = 0
      enable_krb5 = no
      krb5_principal = auditd
      ##krb5_key_file = /etc/audit/audit.key
      distribute_network = no
      overflow_action = halt
    auditdrules: |-
      ## First rule - delete all
      -D

      ## Increase the buffers to survive stress events.
      ## Make this bigger for busy systems
      -b 8192

      ## Set failure mode to syslog
      -f 1
      -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
      -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts
      -w /etc/sudoers -p wa -k scope
      -w /etc/sudoers.d/ -p wa -k scope
      -w /var/run/utmp -p wa -k session
      -w /var/log/wtmp -p wa -k logins
      -w /var/log/btmp -p wa -k logins
      -w /var/log/lastlog -p wa -k logins
      -w /var/run/faillock -p wa -k logins
      -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
      -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
      -w /etc/apparmor/ -p wa -k MAC-policy
      -w /etc/apparmor.d/ -p wa -k MAC-policy
      ## Ensure successful and unsuccessful attempts to use the chcon command are recorded
      -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
      -a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k kernel_modules
      -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules
      -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
      -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
      -w /etc/localtime -p wa -k time-change
      ## Monitor successful and unsuccessful attempts to use the setfacl command
      -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
      ## Monitor successful and unsuccessful attempts to use the chacl command
      -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
      ## Monitor successful and unsuccessful attempts to use the usermod command
      -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k usermod
      ## Monitor changes to system hostname and locale files
      -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
      -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
      -w /etc/issue -p wa -k system-locale
      -w /etc/issue.net -p wa -k system-locale
      -w /etc/hosts -p wa -k system-locale
      -w /etc/networks -p wa -k system-locale
      -w /etc/network/ -p wa -k system-locale
      -w /etc/netplan/ -p wa -k system-locale
      -a always,exit -F path=/sysroot -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/bin/rltraceroute6 -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/bin/ndisc6 -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/bin/rdisc6 -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/lib/x86_64-linux-gnu/utempter/utempter -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/libexec/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/libexec/sssd/proxy_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/libexec/sssd/selinux_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/libexec/sssd/p11_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/libexec/sssd/krb5_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/libexec/sssd/ldap_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/sbin/lldpcli -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
      -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
      -w /etc/passwd -p wa -k identity
      -w /etc/gshadow -p wa -k identity
      -w /etc/shadow -p wa -k identity
      -w /etc/security/opasswd -p wa -k identity
      -w /etc/nsswitch.conf -p wa -k identity
      -w /etc/pam.conf -p wa -k identity
      -w /etc/pam.d -p wa -k identity
      ## Monitor events where UID != EUID (i.e., when a process is executed with elevated privileges)
      -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
      -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
      -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
      -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
      -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
      -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
      -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
      -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
      ## Make the configuration immutable. This must be the last rule: once the
      ## audit configuration is locked, auditctl rejects every rule that follows.
      -e 2
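Two defects in a rules file like the one above only show up when auditctl loads it, and a CIS scan then reports the affected controls as missing rules: any rule placed after `-e 2` is rejected because the configuration is already immutable, and a syscall rule written for only one of arch=b32 / arch=b64 leaves the other calling convention unaudited on a 64-bit host. The following linter is an added example (not StarlingX code) that parses a rules file and reports both conditions before the overrides are applied. The sample rules are a constructed cut-down version of the rules above with `-e 2` deliberately placed too early; the single-architecture report is a review list, not a verdict, since some rule families (the page's own kernel_modules rule, for instance) are legitimately b64-only.

```python
"""Lint an auditd rules file for load-order and architecture-coverage problems.

Added example for this page, not part of StarlingX or audit-userspace.
"""
import re
import shlex

# Constructed sample in the shape of the rules on this page, with `-e 2`
# placed before the last three rules on purpose so the linter has something to find.
SAMPLE_RULES = """\
## First rule - delete all
-D
-b 8192
-f 1
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts
-w /etc/sudoers -p wa -k scope
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k kernel_modules
-e 2
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
"""


def parse_rules(text):
    """Return the rule lines (comments and blanks dropped), each tokenised like a shell would."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rules.append(shlex.split(line))
    return rules


def unreachable_after_immutable(rules):
    """Rules that follow `-e 2`; auditctl refuses them once the config is locked."""
    for i, toks in enumerate(rules):
        if toks[:2] == ["-e", "2"]:
            return [" ".join(t) for t in rules[i + 1:]]
    return []


def _syscall_signature(toks):
    """(arch, frozenset of syscalls, key) for a `-S` rule with `-F arch=`, else None."""
    arch = syscalls = key = None
    for i, t in enumerate(toks):
        if t == "-F" and i + 1 < len(toks):
            m = re.fullmatch(r"arch=(b32|b64)", toks[i + 1])
            if m:
                arch = m.group(1)
            m = re.fullmatch(r"key=(.+)", toks[i + 1])
            if m:
                key = m.group(1)
        elif t == "-S" and i + 1 < len(toks):
            syscalls = frozenset(toks[i + 1].split(","))
        elif t == "-k" and i + 1 < len(toks):
            key = toks[i + 1]
    if arch is None or syscalls is None:
        return None
    return arch, syscalls, key


def missing_arch_pairs(rules):
    """Syscall rules present for one architecture only, as (missing_arch, syscalls, key)."""
    seen = {}
    for toks in rules:
        sig = _syscall_signature(toks)
        if sig:
            arch, syscalls, key = sig
            seen.setdefault((syscalls, key), set()).add(arch)
    gaps = []
    for (syscalls, key), archs in seen.items():
        for missing in {"b32", "b64"} - archs:
            gaps.append((missing, sorted(syscalls), key))
    return sorted(gaps)


def lint(text):
    """Run both checks over a rules file given as text."""
    rules = parse_rules(text)
    return {
        "unreachable": unreachable_after_immutable(rules),
        "missing_arch": missing_arch_pairs(rules),
    }


if __name__ == "__main__":
    report = lint(SAMPLE_RULES)
    for rule in report["unreachable"]:
        print("rule after -e 2 (will not load):", rule)
    for arch, syscalls, key in report["missing_arch"]:
        print(f"review: no arch={arch} counterpart for -S {','.join(syscalls)} (key {key})")
```

Run it against the `auditdrules` block before applying the override: an empty `unreachable` list means `-e 2` is last (or absent), and each `missing_arch` entry is a rule family to either pair up or consciously leave b64-only.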
    

Warning

Minor Warning:

The auditd system in StarlingX runs in a container. As the CIS scanning tools validate the configurations directly on the host (not within containers), all audit-related control points may be incorrectly reported as failed, even when the above steps are correctly configured.