Configure System to CIS Benchmark for Hosts Standards

By default, StarlingX complies with the CIS Benchmark for hosts for most specifications. Some specifications outlined in the CIS Benchmark that are not met by default, StarlingX can be configured to comply with these requirements. However, these configurations may affect system performance. The relevant CIS Benchmark specifications, along with the necessary StarlingX configuration steps to achieve compliance, are detailed below. Before applying these configurations in a live deployment, carefully assess their performance implications in the context of your specific security and operational needs.

AppArmor

Related AppArmor CIS Benchmark Specifications

• 1.3.1.2 Ensure AppArmor is enabled in the bootloader configuration. https://www.tenable.com/audits/items/CIS_Debian_Linux_11_v2.0.0_L1_Workstation.audit:6150e4d8e2c36c243c64fe6c74da03ad

• 1.3.1.3 Ensure all AppArmor Profiles are in enforce or complain mode. https://www.tenable.com/audits/items/CIS_Debian_Linux_11_v2.0.0_L1_Workstation.audit:789ae5507200d59bd348767c3991ada0

• 1.3.1.4 Ensure all AppArmor Profiles are enforcing.

Example Configuration for Compliance

You need to enable AppArmor. By default, AppArmor is disabled, but it can be enabled on a host using the CLI, as described in Enable/Disable AppArmor on a Host.

Note

Enabling AppArmor can result in some performance degradation, see StarlingX System Engineering Guidelines.

For testing purposes or as an example, refer to the following script, which contains commands to enable AppArmor as well as commands for an example AppArmor configuration.

/usr/local/bin/host-cis-benchmark-apparmor-setup.sh <host_name>

Auditd

Related Auditd CIS Benchmark Specifications

• 6.4.1.1 Ensure auditd packages are installed.

• 6.4.1.2 Ensure auditd service is enabled and active.

• 6.4.1.3 Ensure auditing for processes that start prior to auditd is enabled.

• 6.4.1.4 Ensure audit_backlog_limit is sufficient.

• 6.4.2.1 Ensure audit log storage size is configured.

• 6.4.2.2 Ensure audit logs are not automatically deleted.

• 6.4.2.3 Ensure system is disabled when audit logs are full.

• 6.4.2.4 Ensure system warns when audit logs are low on space.

• 6.4.3.1 Ensure changes to system administration scope (sudoers) is collected.

• 6.4.3.10 Ensure successful file system mounts are collected.

• 6.4.3.11 Ensure session initiation information is collected.

• 6.4.3.12 Ensure login and logout events are collected.

• 6.4.3.13 Ensure file deletion events by users are collected.

• 6.4.3.14 Ensure events that modify the system’s Mandatory Access Controls are collected.

• 6.4.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded.

• 6.4.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded.

• 6.4.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded.

• 6.4.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded.

• 6.4.3.19 Ensure kernel module loading unloading and modification is collected.

• 6.4.3.2 Ensure actions as another user are always logged.

• 6.4.3.20 Ensure the audit configuration is immutable.

• 6.4.3.4 Ensure events that modify date and time information are collected.

• 6.4.3.5 Ensure events that modify the system’s network environment are collected.

• 6.4.3.6 Ensure use of privileged commands are collected.

• 6.4.3.7 Ensure unsuccessful file access attempts are collected.

• 6.4.3.8 Ensure events that modify user/group information are collected.

• 6.4.3.9 Ensure discretionary access control permission modification events are collected.

• 6.4.4.1 Ensure audit log files mode is configured.

• 6.4.4.2 Ensure audit log files owner is configured.

• 6.4.4.4 Ensure the audit log file directory mode is configured.

Example Configuration for Compliance

StarlingX provides a containerized auditd solution, while CIS Benchmark checks auditd configuration and rules on the host. Your configuration can be applied as specified in the following steps.

Procedure

1. Enable auditd in the Kernel.

   See Enable Auditd in the Kernel in Linux Auditing System documentation.

2. Start the auditd system application.

   See Start Auditd System Application in Linux Auditing System documentation.

3. Apply auditd configuration overrides.

   To align the system with CIS requirements, the auditd.conf configuration overrides should be applied to modify the default settings. These changes can be implemented using the system helm-override-update command following the procedure outlined in the Auditd Configuration Overrides section in Linux Auditing System documentation.

   Note

   The following auditd.conf file is for example or testing purposes only.

   auditdconf: |-
   ##########################################################################
   #
   # auditd.conf
   #
   ##########################################################################
   local_events = yes
   write_logs = yes
   log_file = /var/log/audit/audit.log
   log_group = root
   log_format = RAW
   flush = INCREMENTAL_ASYNC
   freq = 50
   max_log_file = 32
   num_logs = 5
   priority_boost = 4
   disp_qos = lossy
   dispatcher = /sbin/audispd
   name_format = NONE
   ##name = mydomain
   max_log_file_action = IGNORE
   space_left = 75
   space_left_action = halt
   ##verify_email = yes
   ##action_mail_acct = root
   admin_space_left = 50
   admin_space_left_action = halt
   disk_full_action = halt
   disk_error_action = halt
   use_libwrap = yes
   ##tcp_listen_port = 60
   ##tcp_listen_queue = 5
   ##tcp_max_per_addr = 1
   ##tcp_client_ports = 1024-65535
   ##tcp_client_max_idle = 0
   enable_krb5 = no
   krb5_principal = auditd
   ##krb5_key_file = /etc/audit/audit.key
   distribute_network = no
   overflow_action = halt
   auditdrules: |-
   ## First rule - delete all
   -D
   
   ## Increase the buffers to survive stress events.
   ## Make this bigger for busy systems
   -b 8192
   
   ## Set failure mode to syslog
   -f 1
   -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
   -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts
   -w /etc/sudoers -p wa -k scope
   -w /etc/sudoers.d/ -p wa -k scope
   -w /var/run/utmp -p wa -k session
   -w /var/log/wtmp -p wa -k logins
   -w /var/log/btmp -p wa -k logins
   -w /var/log/lastlog -p wa -k logins
   -w /var/run/faillock -p wa -k logins
   -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
   -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
   -w /etc/apparmor/ -p wa -k MAC-policy
   -w /etc/apparmor.d/ -p wa -k MAC-policy
   ##Ensure successful and unsuccessful attempts to use the chcon command are recorded
   -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
   -a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k kernel_modules
   -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules
   -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
   -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
   -w /etc/localtime -p wa -k time-change
   -e 2
   ## Monitor successful and unsuccessful attempts to use the setfacl command
   -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
   ## Monitor successful and unsuccessful attempts to use the chacl command
   -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
   ## Monitor successful and unsuccessful attempts to use the usermod command
   -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k usermod
   ## Monitor changes to system hostname and locale files
   -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
   -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
   -w /etc/issue -p wa -k system-locale
   -w /etc/issue.net -p wa -k system-locale
   -w /etc/hosts -p wa -k system-locale
   -w /etc/networks -p wa -k system-locale
   -w /etc/network/ -p wa -k system-locale
   -w /etc/netplan/ -p wa -k system-locale
   -a always,exit -F path=/sysroot -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/bin/rltraceroute6 -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/bin/ssh  -agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/bin/ndisc6 -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/bin/rdisc6 -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/lib/x86_64-linux-gnu/utempter/utempter -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/libexec/polkit  -agent-helper-1 -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/libexec/sssd/proxy_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/libexec/sssd/selinux_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/libexec/sssd/p11_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/libexec/sssd/krb5_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/libexec/sssd/ldap_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/sbin/lldpcli -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=1000 -F auid!=unset -k privileged
   -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
   -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
   -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
   -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
   -w /etc/passwd -p wa -k identity
   -w /etc/gshadow -p wa -k identity
   -w /etc/shadow -p wa -k identity
   -w /etc/security/opasswd -p wa -k identity
   -w /etc/nsswitch.conf -p wa -k identity
   -w /etc/pam.conf -p wa -k identity
   -w /etc/pam.d -p wa -k identity
   ## Monitor events where UID != EUID (i.e., when a process is executed with elevated privileges)
   -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
   -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
   -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
   -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
   -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
   -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
   -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
   -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
   

Warning

Minor Warning:

The auditd system in StarlingX runs in a container. As the CIS scanning tools validate the configurations directly on the host (not within containers), all audit-related control points may be incorrectly reported as failed, even when the above steps are correctly configured.