
Achieving compliance with a security policy and maintaining compliance can be tedious. At Red Hat, we believe that such things should be automated and not become an unnecessary burden. To this end, we offer a whole ecosystem of services that automate security compliance.

We ship several widely used security policies with our products. Today, we will go over the "Essential Eight" baseline in a bit more detail.

The "Essential Eight" is a set of mitigation strategies created by the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD) that leads the Australian Government’s efforts to improve cybersecurity. 

The "Essential Eight" baseline is designed to make it much harder for adversaries to compromise systems, and Australian government organisations, businesses and individuals are recommended to adopt these essential strategies:

  • Application control, to prevent the execution of unapproved and malicious programs.

  • Patching applications, and use of the latest version of applications.

  • Configuring Microsoft Office macro settings.

  • User application hardening.

  • Restricting administrative privileges to operating systems and applications.

  • Patching operating systems, ensuring "extreme risk" vulnerabilities are patched within 48 hours.

  • Multi-factor authentication, including for VPNs, RDP, SSH and other remote access.

  • Daily backups.

The ACSC publishes a guide explaining the Essential Eight, and a separate guide outlining how the Essential Eight can be applied to Linux systems. Obviously, some of these strategies don't apply to Red Hat Enterprise Linux (RHEL), but they're worth studying up on as a good overall baseline for mitigation strategies. Let's look at some of the essential strategies that do apply to RHEL.

A critical control in the guide is "Application Control," which helps ensure that non-approved applications (including malicious code) are prevented from executing. The RHEL ACSC Essential Eight profile includes the File Access Policy Daemon (fapolicyd) to address this control. The fapolicyd software framework is supported with RHEL 8, and supports application control based on a user-defined policy.

In Linux environments, the ACSC recognises that configuring Microsoft Office macro settings is typically not applicable, and provides additional guidance on hardening Linux systems. This guidance includes applying additional forms of security policy enforcement, such as SELinux, and using the "noexec" parameter to mount partitions to which users have write access. 

We’ve codified this additional guidance and included it in the ACSC Essential Eight profile available with RHEL.

The ACSC Essential Eight profile is available in the scap-security-guide package in RHEL 7 since 7.8 (package version 0.1.46-11.el7) and RHEL 8 since 8.2 (version 0.1.48-7.el8).  The SCAP Security Guide documentation is installed with the scap-security-guide-doc package under /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html.
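The "noexec" guidance mentioned above can be spot-checked on a running host. The script below is an added example, not part of the original post or of the scap-security-guide content: it reads a file in /proc/mounts format and lists user-writable mount points that are not mounted with noexec. The list of mount points, the function names and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report user-writable mount points that lack the noexec option.
# WRITABLE_MOUNTS is an assumed list; adjust it to the partitions users can
# write to on your hosts.
WRITABLE_MOUNTS="/tmp /var/tmp /dev/shm /home"

# missing_noexec [MOUNTS_FILE]
# Reads a file in /proc/mounts format (device mountpoint fstype options dump pass);
# defaults to /proc/mounts, and "-" reads standard input.
# Prints "<path> exec-allowed" when the path is mounted without noexec, and
# "<path> not-a-separate-mount" when the path has no mount entry of its own.
missing_noexec() {
    mounts_file=${1:-/proc/mounts}
    awk -v wanted="$WRITABLE_MOUNTS" '
        BEGIN { n = split(wanted, paths, " ") }
        {
            # A later entry for the same mount point overrides an earlier one.
            # Wrap the option list in commas so ",noexec," matches whole options only.
            opts[$2] = "," $4 ","
        }
        END {
            for (i = 1; i <= n; i++) {
                p = paths[i]
                if (!(p in opts))
                    print p, "not-a-separate-mount"
                else if (index(opts[p], ",noexec,") == 0)
                    print p, "exec-allowed"
            }
        }
    ' "$mounts_file"
}

# Constructed sample in /proc/mounts format (not taken from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/mapper/rhel-root / xfs rw,seclabel,relatime 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev,noexec 0 0
/dev/mapper/rhel-tmp /tmp xfs rw,seclabel,nosuid,nodev,relatime 0 0
/dev/mapper/rhel-home /home xfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
EOF
}

# Run against the constructed sample; call missing_noexec with no argument
# to check the live host instead.
sample_mounts | missing_noexec -
```

A path reported as not-a-separate-mount inherits the mount options of its parent file system, so it needs its own partition (or bind mount) before noexec can be applied to it alone.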


About the author

Vojtěch Polášek is a software engineer working within the security compliance subsystem in Red Hat. He studied computer networks and, later, information technology security at Masaryk University in Brno, Czech Republic.
