Step 3: Load and apply hardening profile
Risk of operating trouble!
The following rules, when applied, carry some risk for system operation under specific operating conditions; the operator may roll them back to the default after a thorough assessment:
• CCE-83700-5: Configure auditd admin_space_left Action on Low Disk Space
• CCE-83701-3: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
• CCE-83703-9: Configure auditd space_left Action on Low Disk Space
→ When applied, they will affect the following settings (comparison of applied and default values):
• CCE-83450-7: Configure System Cryptography Policy (disable-SHA1)
→ can affect secure communication to FOX61x nodes which are provisioned with existing public keys.
→ If communication is lost, enable ssh_rsa public keys by running
/opt/nem/bin/private/reconfigure_nem and selecting option 2 when prompted:
2) Change ESW support: to LEGACY.
Risk of operating trouble!
The following rule(s), when applied, will lock user accounts when the CIS scan is run after FOXMAN-UN installation:
• CCE-86113-8: xccdf_org.ssgproject.content_rule_no_password_auth_for_systemaccounts
As nemadm and dirac have user IDs less than 1000 (i.e., 199 and 200, respectively), these users will be locked if the scan is run after FOXMAN-UN installation.
→ If this rule is applied, only run the scan before installing FOXMAN-UN.
• CCE-83627-0: Set Account Expiration Following Inactivity
→ Before applying hardening, change the root password.
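A pre-check for the account-locking note above, added here as an example and not part of the original guide: it lists the system accounts (UID below 1000, root excluded) whose shadow entry still carries a usable password hash, i.e. the accounts a scan enforcing CCE-86113-8 would lock. The passwd/shadow excerpts are constructed sample data; the UID threshold and the interpretation of the rule as "lock system accounts with a usable password" are assumptions to verify against the profile in use.

```shell
#!/bin/sh
# Constructed sample excerpts of /etc/passwd and /etc/shadow (not real system data).
# nemadm (199) and dirac (200) mirror the FOXMAN-UN service accounts named in the guide.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nemadm:x:199:199:NEM admin:/home/nemadm:/bin/bash
dirac:x:200:200:DIRAC service:/home/dirac:/bin/bash
svc:x:300:300:Locked service:/var/lib/svc:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

SAMPLE_SHADOW='root:$6$constructedhash0:19700:0:99999:7:::
bin:*:19700:0:99999:7:::
nemadm:$6$constructedhash1:19700:0:99999:7:::
dirac:$6$constructedhash2:19700:0:99999:7:::
svc:!!:19700:0:99999:7:::
alice:$6$constructedhash3:19700:0:99999:7:::'

# Print, one per line, the accounts with UID < UID_MIN (default 1000, as on RHEL),
# excluding root, whose shadow password field is usable, i.e. does not start with
# "!" or "*" (an empty field also allows login and is therefore reported).
# Usage: system_accounts_with_password PASSWD_TEXT SHADOW_TEXT [UID_MIN]
system_accounts_with_password() {
    passwd_text=$1
    shadow_text=$2
    uid_min=${3:-1000}
    # passwd lines have 7 colon-separated fields, shadow lines have 9;
    # passwd is fed first so the UID map is complete before shadow is read.
    printf '%s\n%s\n' "$passwd_text" "$shadow_text" | awk -F: -v min="$uid_min" '
        NF == 7 { if (($3 + 0) < min && $1 != "root") sys[$1] = 1; next }
        NF == 9 && ($1 in sys) { if ($2 !~ /^[!*]/) print $1 }'
}

# Stand-alone run against the constructed sample; on a real host use
#   system_accounts_with_password "$(cat /etc/passwd)" "$(cat /etc/shadow)"
# which must be run as root because /etc/shadow is not world-readable.
system_accounts_with_password "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

Any account the check prints should be reviewed (or the scan run before FOXMAN-UN installation, as the guide states) rather than left to be locked by the remediation.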
Step 3 is carried out by loading an RPM (ssg-rhel9-ds-hitachienergy-nms-customizations-17.1.1-1.noarch.rpm), which contains a CIS profile adapted for FOXMAN-UN.
This profile defines a baseline that aligns with the “Level 2 - Server” configuration of the Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™, v2.0.0, released 2024-06-24, with the exception of the following rules, which are not applied:
• For FOXMAN-UN, DIRAC, and Quantis crypto key generator:
− CCE-83543-9 Ensure Users Re-Authenticate for Privilege Escalation - sudo
− CCE-83623-9 Ensure that System Accounts Do Not Run a Shell Upon Login
− CCE-83689-0 Ensure System Log Files Have Correct Permissions
− CCE-83946-4 Ensure Log Files Are Owned By Appropriate User
− CCE-83834-2 Ensure Log Files Are Owned By Appropriate Group
− CCE-83895-3 Verify that All World-Writable Directories Have Sticky Bits Set
− CCE-84104-9 Remove the X Windows Package Group
− CCE-84105-6 Disable X Windows Startup By Setting Default Target
− CCE-90828-5 Ensure the Default Umask is Set Correctly in /etc/profile
− CCE-83644-5 Ensure the Default Bash Umask is Set Correctly
− CCE-83851-6 Disable Modprobe Loading of USB Storage Driver
− CCE-83549-6 Remove the GDM Package Group
Preconditions for loading and applying the hardening profile:
• Server / VM set up, loaded and updated with RHEL 9.6.
• Disk partitions and mount points set up according to the previous chapter.
• Admin and root accounts created and privileges granted.
• Customized profile RPM available on the system.
The hardening procedure follows the official Red Hat hardening guide: