22:13:10 #startmeeting Ansible Lockdown Working Group
22:13:10 Meeting started Wed May 27 22:13:10 2020 UTC.
22:13:10 This meeting is logged and archived in a public location.
22:13:10 The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
22:13:10 Useful Commands: #action #agreed #halp #info #idea #link #topic.
22:13:10 The meeting name has been set to 'ansible_lockdown_working_group'
22:13:18 #topic Draft RHEL 8 STIG Review
22:13:38 figured I'd live-tweet my initial review of the Draft STIG
22:14:20 #topic Draft RHEL 8 STIG Review (CAT 1)
22:14:23 "All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection." unless "documented and approved reason for not having data-at-rest encryption"
22:14:41 that's going to be an ouchie, but probably for all but laptops, folks will just write an exception
22:14:59 ^ 010030
22:16:19 010450 "RHEL 8 must enable the SELinux targeted policy."
22:16:50 010820 "Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed."
22:17:09 010830 "Unattended or automatic logon to RHEL 8 via ssh must not be allowed."
22:17:46 ^ implemented by "PermitUserEnvironment no", haven't checked how those 2 match
22:23:27 020330 "RHEL 8 must not have accounts configured with blank or null passwords."
22:23:44 ^ combines SSH config and pam config into a single rule
22:25:19 040060 "RHEL 8 must enforce SSHv2 for network access to all accounts."
22:25:35 ^ pretty sure "Protocol 2" is the only thing that works anymore
22:27:31 040340 "Remote X connections for interactive users must be encrypted in RHEL 8."
22:27:54 ^ but LOL, implemented via sshd_config "X11Forwarding yes"
22:28:12 that's all that's worth mentioning of the CAT 1 items
22:28:45 #info DISA should split 020330 into 2 rules
22:36:54 #info DISA should drop 040060, since "The OpenSSH SSH daemon supports SSH protocol 2 only." (man 8 sshd)
22:43:31 #topic Draft RHEL 8 STIG Review (CAT 2)
22:45:43 install updates, 3 rules for banner, rsyslog messages and secure, fips SSH (not using crypto policies)
22:46:15 #info DISA might consider crypto-policies for 010080 but only if Red Hat fixes them to actually work
22:49:25 010090 properly SSSD PKI /etc/sssd/pki/sssd_auth_ca_db.pem
22:49:46 010100 "RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key." -- requires password-protecting SSH keys
23:01:06 shadow passwords 3 ways, minimum of 5000 rounds for shadow, world-write must be root-owned, sticky bit required, ssh timeout, file attributes for /var/log and /var/log/messages, audit log file attributes, crypto_policy=FIPS, file attributes for files in $PATH and $lib, auto periodic aide scans with personnel notifications
23:01:57 010380 '"NOPASSWD" or "!authenticate"' are a single rule
23:02:20 #info DISA should split 010380 '"NOPASSWD" or "!authenticate"' as with RHEL 7; NOPASSWD is required w/ MFA
23:03:19 010390 "If the "esc" and "openssl-pkcs11" packages are not installed, this is a finding."
23:03:52 #info DISA should fix 010390, esc is not required (as w/ latest RHEL 7 STIG changes)
23:05:01 010400 'certificate_verification line contains either "no_ocsp", "no_verification"' -- need to handle offline case, RH and/or DISA
23:05:33 #info RH or DISA should handle offline PKI logins without no_ocsp option
23:06:20 install opensc, NX (no execute) must be enabled in the kernel
23:07:09 kaslr, lock down ssh host keys
23:08:32 #info DISA should allow 0640 mode on SSH host keys like RHEL 7 010490
23:14:40 ssh StrictModes, delayed Compression, no RHosts auth, no ssh root login, auditd running, nosuid nodev noexec for /home usb NFS, no world-write shell init files, kdump must be active
23:14:55 010670 "In the event of a system failure, RHEL 8 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes."
23:15:03 ^ a reversal from previous requirements, IIRC
23:15:28 #info investigate reversal of kdump requirement
23:22:42 nsswitch hosts dns, users can't modify $PATH to point anywhere but their own homedir, world-write dirs group-owned by a system group, home dirs exist for users, homedir mode, homedir assigned, homedir attributes, CREATE_HOME login.defs, dotfile 0740 mode, all files owned by a user and group (watch out containers!), separate /home fs, UMASK in login.defs
23:23:05 #info will pick up next time at 020000
23:23:07 #endmeeting