CIS Hardening Verification RHEL 7.X

Release Notes
- SAKA 4.13.0
- SAKA 4.12.0
- SAKA 4.11.0
- Upgrading from SAKA 4.x
- Back
Preface
- Default Paths and Filenames
- Third-Party Website References
- Strongkey Welcomes Your Comments!
- Back
KAM Introduction
Architecture
Installation
- Preliminary Steps
- Install Components (Primary)
- Install Components (Secondary)
- Define KCs (Primary)
- Verify KCs (Secondary)
- Set Personal Identification Numbers (PINs) [Primary]
- Set PINs and Complete Key Migration [Secondary]
- Create System Users [Primary]
- Create a New Encryption Domain [Primary]
- Complete Second Domain Key Migration [Secondary]
- Add System Users [Primary]
- Configure the SKCE domain [Primary]
- Replicate the CEM Domain [Secondary]
- Back
CCS Web Service Operations
- CCReturnObject
- Manufacturer Identifiers for Processing CardHolder Data (CHD)
- CCS Module GetCardCaptureData Mechanics
- CCS Module DukptEncrypt Mechanics
- CCS Module DukptDecrypt Mechanics
- CCS Module DukptMAC Mechanics
- CCS Module ReencryptPINBlock Mechanics
- Back
KAM Web Service Operations
- KAM Encryption Mechanics
- KAM Decryption Mechanics
- Notes on the Mechanics
- KAM Deletion Mechanics
- KAM Search Mechanics
- KAM Entropy Mechanics
- KAM General Purpose Key Encryption Mechanics
- KAM General Purpose Key Decryption Mechanics
- KAM Batch Operations
- KAM Relay Mechanics
- HTTPS Interface
- SOAP Interface
- Back
KMS Web Service Operations
- CCReturnObject
- CCKeyComponentType
- CCCryptographicMaterialType
- CCEncryptedAnsiX9241KeyType
- KMS Module loadKeyComponent Mechanics
- KMS Module loadBaseDerivationKey Mechanics
- KMS Module generateBaseDerivationKey Mechanics
- KMS Module generateInitialKey Mechanics
- KMS Module storeAnsiX9241Key Mechanics
- KMS Module replaceAnsiX9241Key Mechanics
- KMS Module deleteAnsiX9241Key Mechanics
- KMS Module updateAnsiX9241Key Mechanics
- Back
KAM Batch Operations
- SKLESBatchInput Element
- SKLESBatchOutput Element
- Generating the SBI XML file
- Transferring XML Files to and from the Appliance
- Submitting Batch Operations
- Back
KAM DemoClients
- Installing SAKA Clients
- sakaclient.jar Operations
- Back
KAM KCSetPINTool
- Setting KC Preferences
- Changing KC Passwords
- Setting the KC PIN on the SAKA Server
- Back
KAM DACTool
- Changing DA Passwords
- Preferences
- Systems
- Domains
- Users
- Jobs
- Configuration
- Back
KAM Key Migration Tool
- Prerequisites
- Back
KAM KMS ConsoleTool
- Loading Key Components
- Loading a BDK
- Storing ANSI X-924.1 Keys from Key Components
- Storing ANSI X-924.1 Keys from Wrapped Keys
- Back
KAM Configuration
- Immutable Configuration
- Mutable Configuration
- Sample Configuration File
- Back
KAM Key Management
- Cryptographic Hardware Modules
- Back
HSM Integration
- Building the HSM Driver
  - Rebuilding the HSM Driver
  - Back
- HSM Administration Basics
- Clearing the HSM
- Setting Up the HSM
- Backing up the HSM
- Restoring from a Backup
- HSM Battery Replacement
- Back
Managing Credentials
- KAM Credentials
- HSM Credentials
- System Credentials
- Linux strongauth
- Back
Changing Hostname and IP
- Changing the IP Address
- Changing the Hostname
- Back
Internal Repositories
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Internal Repositories Rocky 9.x
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Appliance Security
- Physical Security
- Operating System
- Appliance Credentials
- Back
PCI DSS 3.2
- Requirement 3: Protect Stored Cardholder Data
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Back
KC Responsibilities
Add New SKCE Domain
KAM Replication
- Check Replication
- Replicate Essentials Only
- Disable Replication to Inactive Nodes
- Known Behavior
- Manual Replication For Specific Range of Data
- Back
Appendices
- Adding a Disaster Recovery Backup (DRB) Node to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the DRB Node
  - Step #3 on the EXISTING server
  - Step #4 on the DRB node
  - Post-Installation
  - Back
- Adding an Additional Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 On the EXISTING node
  - Step #4 on the NEW node
  - Back
- Application Development Guide
  - Application Design for “Card Not Present” transactions
  - Storing Encryption Domain Identifier (DID)
  - Securing Decryption Credentials
  - Cluster Communications
  - Relay Processing
  - Summary on “Card Not Present” transactions
  - Back
- Batch Delete Tokens
- CIS Hardening Verification RHEL 7.X
- CIS Hardening Verification ROCKY 9.X
- Cleanup SAKA Disk Space
  - Cleanup Old Distributions and Files
  - Cleanup Database Tables
    - Cleanup Encryption Requests Table
    - Back
  - Back
- Configure Syslog
- Create Software Keystore HSM Credential
- Installing KCSPTool and DACTool on Windows
  - Installation
  - Back
- KA Replace EOL Node
  - Prerequisites
  - Step 1 (On New SAKA)
  - Step 2 (On EOL SAKA)
  - Step 3 (On New SAKA)
  - Step 4 (On EOL SAKA)
  - Step 5 (On New SAKA)
  - Step 6 (On EOL SAKA)
  - Step 7 (On New SAKA)
  - Back
- KAM KC Replace Tool
  - Prerequisites
  - Validating Credentials
  - Recreate a set of Key Custodians
  - Create a new set of Key Custodians
  - Back
- MariaDB Audit Logging Configuration
  - Enable MariaDB Audit Logging
  - Monitoring the MariaDB for Replication anomalies
  - Disable MariaDB Audit Logging
  - The counts_v2.sql file
  - Back
- Migration Information
- Migrating from Centos to Rocky
  - Rocky Linux Kickstart USB Guide
  - Step 1: On an Existing Production Server in the Cluster
  - Step 2: On the Same Machine after Installing Rocky 9.3
  - Back
- Modifying the Appliance's IP Address or Hostname
- Reboot StrongKey Tellaro
  - Pre-Reboot
  - Reboot
  - Post-Reboot
  - Back
- Relay Webservice
  - Mechanics of the Relay
  - Deploying the service
  - Relay Webservice Client
  - HTTP interface
  - SOAP interface
  - Back
- Replace CMOS Battery
- Setting up LACP Bonding on Tellaro KA
- Strongkey Tellaro & Ransomware Protection
- Using Custom SSL/TLS Certificates
  - Generating a TLS certificate with the SAN extension
  - Installing the keystore on SAKA
  - Conclusion
  - Back
- Using a Custom Trust Store
- Using HAProxy as a Load Balancer
- Using the Key Migration Tool (KMTool)
  - Prerequisites
  - Mechanics
  - Details
  - Back
- Test Appliance Funcationality
  - Using pingsaka script
  - Back
- Back

Below table provides the sections of CIS hardening benchmark for RedHat Enterprise Linux (RHEL) 7.x that are covered by the script and the files being created/modified to address the recommendations.

NOTE: Screenshots are included for sections where the difference can be noticed to verify the implementation of CIS script.

CIS Sections	File Created/Modified
Section 1
1.1.1.1 Ensure mounting of cramfs filesystems is disabled	/etc/modprobe.d/CIS.conf
1.1.1.2 Ensure mounting of squashfs filesystems is disabled	/etc/modprobe.d/CIS.conf
1.1.1.3 Ensure mounting of udf filesystems is disabled	/etc/modprobe.d/CIS.conf
Pre-CIS	Post-CIS
1.1.3 Ensure noexec option set on /tmp partition	/etc/fstab
1.1.4 Ensure nodev option set on /tmp partition	/etc/fstab
1.1.5 Ensure nosuid option set on /tmp partition	/etc/fstab
1.1.23 Disable Automounting
1.2.1 Ensure GPG keys are configured	Just checks the current configuration and provides results in the output. No modification.
1.4.3 Ensure authentication required for single user mode	/etc/sysconfig/init
1.5.1 Ensure core dumps are restricted	/etc/sysconfig/init
Pre-CIS	Post-CIS
1.5.4 Ensure prelink is not installed	Remove prelink package (if installed) using ‘yum’ command.
1.7.1 Ensure message of the day is	/etc/motd
1.7.2 Ensure local login warning banner is configured properly	/etc/issue
1.7.3 Ensure remote login warning banner is /etc/issue.net configured properly	/etc/issue.net
1.7.4 Ensure permissions on /etc/motd are configured	/etc/motd
1.7.6 Ensure permissions on /etc/issue.net are configured	/etc/issue

Section 2
2.2.2 Ensure X11 Server components are not Remove xorg-x11 packages using ‘yum’ installed	Remove xorg-x11 packages using ‘yum’ command.
Pre-CIS	Post-CIS
2.2.18 Ensure rpcbind is not installed or the rpcbind services are masked	Disable rpmcbind service.
2.3.1 Ensure NIS Client is not installed	Remove ypbind package using ‘yum’ command.

Section 3
3.2.1 Ensure IP forwarding is disabled	/etc/sysctl.conf
3.2.2 Ensure packet redirect sending is disabled	/etc/sysctl.conf
Pre-CIS	Post-CIS
3.3.1 Ensure source routed packets are not accepted	/etc/sysctl.conf
3.3.2 Ensure ICMP redirects are not accepted	/etc/sysctl.conf
Pre-CIS	Post-CIS
3.3.3 Ensure secure ICMP redirects are not accepted	/etc/sysctl.conf
3.3.4 Ensure suspicious packets are logged	/etc/sysctl.conf
3.3.5 Ensure broadcast ICMP requests are ignored	/etc/sysctl.conf
3.3.6 Ensure bogus ICMP responses are ignored	/etc/sysctl.conf
3.3.7 Ensure Reverse Path Filtering is enabled	/etc/sysctl.conf
3.3.8 Ensure TCP SYN Cookies is enabled	/etc/sysctl.conf
3.3.9 Ensure IPv6 router advertisements are not accepted	/etc/sysctl.conf
3.4.1 Ensure DCCP is disabled	/etc/modprobe.d/CIS.conf
3.4.2 Ensure SCTP is disabled	/etc/modprobe.d/CIS.conf
Pre-CIS	Post-CIS

Section 4
4.1.1.2 Ensure auditd service is enabled and running	Enable auditd service.
4.1.2.1 Ensure audit log storage size is configured	/etc/audit/auditd.conf
4.1.2.2 Ensure audit logs are not automatically deleted	/etc/audit/auditd.conf
Pre-CIS	Post-CIS
4.1.2.3 Ensure system is disabled when audit /etc/audit/auditd.conf logs are full	/etc/audit/auditd.conf
Pre-CIS	Post-CIS
4.1.2.4 Ensure audit_backlog_limit is sufficient	/etc/default/grub
4.1.3 Ensure events that modify date and time information are collected	/etc/audit/audit.rules
4.1.4 Ensure events that modify user/group information are collected	/etc/audit/audit.rules
4.1.5 Ensure events that modify the system's /etc/audit/audit.rules network environment are collected	/etc/audit/audit.rules
4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected	/etc/audit/audit.rules
4.1.7 Ensure login and logout events are collected	/etc/audit/audit.rules
4.1.8 Ensure session initiation information is collected	/etc/audit/audit.rules
4.1.9 Ensure discretionary access control permission modification events are collected	/etc/audit/audit.rules
4.1.10 Ensure unsuccessful unauthorized file access attempts are collected	/etc/audit/audit.rules
4.1.11 Ensure use of privileged commands is collected	/etc/audit/audit.rules
4.1.12 Ensure successful file system mounts are collected	/etc/audit/audit.rules
4.1.13 Ensure file deletion events by users are collected	/etc/audit/audit.rules
4.1.14 Ensure changes to system command executions (sudo) are collected	/etc/audit/audit.rules
4.1.15 Ensure system administrator command executions (sudo) are collected	/etc/audit/audit.rules
4.1.16 Ensure kernel module loading and unloading is collected	/etc/audit/audit.rules
4.1.17 Ensure the audit configuration is immutable	/etc/audit/audit.rules
4.2.1.2 Ensure rsyslog Service is enabled and running	Enable rsyslog service.
4.2.1.4 Ensure logging is configured	/etc/rsyslog.conf
4.2.1.3 Ensure rsyslog default file permissions configured	/etc/rsyslog.conf
4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host	/etc/rsyslog.conf
4.2.1.6 Ensure remote rsyslog messages are /etc/rsyslog.conf only accepted on designated log hosts	/etc/rsyslog.conf
4.2.3 Ensure permissions on all logfiles are configured	/var/log
4.2.4 Ensure logrotate is configured	/etc/logrotate.conf and /etc/logrotate.d/ NOTE: Not modified by script. The script points out that customer should make necessary changes as per internal policy.

Section 5
5.1.1 Ensure cron daemon is enabled and running	Enable crond service.
5.1.2 Ensure permissions on /etc/crontab are configured	/etc/crontab
5.1.3 Ensure permissions on /etc/cron.hourly are configured	/etc/cron.hourly
5.1.4 Ensure permissions on /etc/cron.daily are configured	/etc/cron.daily
Pre-CIS	Post-CIS
5.1.5 Ensure permissions on /etc/cron.weekly are configured	/etc/cron.weekly
5.1.6 Ensure permissions on /etc/cron.monthly are configured	/etc/cron.monthly
5.1.7 Ensure permissions on /etc/cron.d are configured	/etc/cron.d
Pre-CIS	Post-CIS
5.1.8 Ensure cron is restricted to authorized users	/etc/cron.allow NOTE: Only file is created by script with right permissions. Customer is requested to add necessary users as per internal policy.
5.1.9 Ensure at is restricted to authorized users	/etc/at.allow NOTE: Only file is created by script with right permissions. Customer is requested to add necessary users as per internal policy.
5.3.1 Ensure permissions on /etc/ssh/sshd_config are configured	/etc/ssh/sshd_config
5.3.4 Ensure SSH access is limited	/etc/ssh/sshd_config NOTE: As per the script message, make necessary changes to allow-deny users.
5.3.5 Ensure SSH LogLevel is appropriate	/etc/ssh/sshd_config
5.3.6 Ensure SSH X11 forwarding is disabled	/etc/ssh/sshd_config
5.3.7 Ensure SSH MaxAuthTries is set to 4 or less	/etc/ssh/sshd_config
5.3.8 Ensure SSH IgnoreRhosts is enabled	/etc/ssh/sshd_config
5.3.9 Ensure SSH HostbasedAuthentication is disabled	/etc/ssh/sshd_config
5.3.11 Ensure SSH PermitEmptyPasswords is disabled	/etc/ssh/sshd_config
5.3.12 Ensure SSH PermitUserEnvironment is disabled	/etc/ssh/sshd_config
5.3.13 Ensure only strong Ciphers are used	/etc/ssh/sshd_config
5.3.14 Ensure only strong MAC algorithms are used	/etc/ssh/sshd_config
5.3.16 Ensure SSH Idle Timeout Interval is configured	/etc/ssh/sshd_config
Pre-CIS	Post-CIS
5.3.17 Ensure SSH LoginGraceTime is set to one minute or less	/etc/ssh/sshd_config
5.3.18 Ensure SSH warning banner is configured	/etc/issue.net NOTE: As per the script message, make necessary changes to file for appropriate login message.
5.4.1 Ensure password creation requirements are configured	/etc/pam.d/password-auth and /etc/pam.d/system-auth
5.4.2 Ensure lockout for failed password attempts is configured	/etc/pam.d/password-auth and /etc/pam.d/system-auth
5.4.4 Ensure password reuse is limited	/etc/pam.d/password-auth and /etc/pam.d/system-auth
Pre-CIS	Post-CIS
5.4.3 Ensure password hashing algorithm is SHA-512	/etc/pam.d/password-auth and /etc/pam.d/system-auth
5.5.1.1 Ensure password expiration is 365 days or less	/etc/login.defs
5.5.1.2 Ensure minimum days between password changes is configured	/etc/login.defs
5.5.1.3 Ensure password expiration warning days is 7 or more	/etc/login.defs
Pre-CIS	Post-CIS
5.5.1.4 Ensure inactive password lock is 30 days or less	Set the default password inactivity period to 30 days and inactivate the users with passwords older than 30 days.
5.5.2 Ensure system accounts are secured	Set the shell for any accounts returned by the audit to nologin and lock any non root accounts returned by the audit.
5.5.3 Ensure default group for the root account is GID 0	Run usermod command: usermod -g 0 root
5.5.5 Ensure default user umask is configured	/etc/bashrc and /etc/profile
5.6 Ensure root login is restricted to system console	Script message: Please edit the /etc/securetty file after this script and remove any consoles that are not allowed by company policy.
5.7 Ensure access to the su command is restricted	/etc/pam.d/su Script message: Please remember to put the appropriate users into /etc/group under the wheel entry to give them su access after this script completes.

Section 6
6.1.2 Ensure permissions on /etc/passwd are configured	/etc/passwd
6.1.3 Ensure permissions on /etc/passwd- are configured	/etc/passwd-
6.1.8 Ensure permissions on /etc/group are configured	/etc/group
6.1.9 Ensure permissions on /etc/group- are configured	/etc/group-
6.1.4 Ensure permissions on /etc/shadow are configured	/etc/shadow
6.1.5 Ensure permissions on /etc/shadow- are configured	/etc/shadow-
6.1.7 Ensure permissions on /etc/gshadow are configured	/etc/gshadow
6.1.8 Ensure permissions on /etc/gshadow- are configured	/etc/gshadow-
6.1.10 Ensure no world writable files exist	Writable files are listed in root.wfiles, boot.wfiles, usrlocal.wfiles files. Script message: There are world writable files on the * partition. Please check the * for a list of files found and take the appropriate permission changes.
6.1.11 Ensure no unowned files or directories exist	Unknown files are listed in root.unowned, boot.unowned, and usrlocal.unowned files. Script message: There are unowned files/directories on the * partition. Please check the * for a list of files found and take the appropriate permission changes.
6.1.12 Ensure no ungrouped files or directories exist	Ungrouped files are listed in root.nogroup, boot.nogroup, and usrlocal.nogroup files. Script message: There are ungrouped files/directories on the * partition. Please check the * for a list of files/directories found and take the appropriate permission changes.
6.1.13 Audit SUID executables	SUID files are listed in root.suid, boot.suid, and usrlocal.suid files. Script message: There are SUID programs on the * partition. Please check the * for a list of programs found and take the appropriate action (if any).
6.1.14 Audit SGID executables	SGID files are listed in root.sgid, boot.sgid, and usrlocal.sgid files. Script message: There are SGID programs on the * partition. Please check the * for a list of programs found and take the appropriate action (if any).
6.2.2 Ensure /etc/shadow password fields are not empty	Lock user which does not have a password using passwd command.
6.2.9 Ensure root is the only UID 0 account	Verify root has UID 0.
6.2.11 Ensure all users' home directories exist	Find and list if any of the user on the system whose home directory does not exist.
6.2.12 Ensure users own their home directories	Update home directories are owned by user.
6.2.13 Ensure users' home directories permissions are 750 or more restrictive	chmod 700 /usr/local/strongauth Script message: The directory /usr/local/strongauth/batchrequests/domain1 must have group write permissions for the batch function to work correctly.