Subscribe to the feed

Achieving compliance with a security policy and maintaining compliance can be tedious. At Red Hat, we believe that such things should be automated and not become an unnecessary burden. To this end, we offer a whole ecosystem of services that automate security compliance.

We ship several widely used security policies with our products. Today, we will go over the “Essential Eight" baseline in a bit more detail.

The "Essential Eight" is a set of mitigation strategies created by the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD) that leads the Australian Government’s efforts to improve cybersecurity. 

The "Essential Eight" baseline is designed to make it much harder for adversaries to compromise systems, and Australian government organisations, businesses and individuals are recommended to adopt these essential strategies:

  • Application control, to prevent the execution of unapproved and malicious programs.

  • Patching applications, and use of the latest version of applications.

  • Configuring Microsoft Office macro settings.

  • User application hardening.

  • Restricting administrative privileges to operating systems and applications.

  • Patching operating systems, ensuring "extreme risk" vulnerabilities are patched within 48 hours.

  • Multi-factor authentication, including for VPNs, RDP, SSH and other remote access.

  • Daily backups.

The ACSC publishes a guide explaining the Essential Eight, and a separate guide outlining how the Essential Eight can be applied to Linux systems. Obviously, some of these strategies don't apply to Red Hat Enterprise Linux (RHEL), but they're worth studying up on as a good overall baseline for mitigation strategies. Let's look at some of the essential strategies that do apply to RHEL.

A critical control in the guide is "Application Control," which helps ensure that non-approved applications (including malicious code) are prevented from executing. The RHEL ACSC Essential Eight profile includes the File Access Policy Daemon (fapolicyd) to address this control. The fapolicyd software framework is supported with RHEL 8, and supports application control based on a user-defined policy.

In Linux environments, the ACSC recognises that configuring Microsoft Office macro settings is typically not applicable, and provides additional guidance on hardening Linux systems. This guidance includes applying additional forms of security policy enforcement, such as SELinux, and using the "noexec" parameter to mount partitions to which users have write access. 

We’ve codified this additional guidance and included it in the ACSC Essential Eight profile available with RHEL.

The ACSC Essential Eight profile is available in the scap-security-guide package in RHEL 7 since 7.8 (package version 0.1.46-11.el7) and RHEL 8 since 8.2 (version 0.1.48-7.el8).  The SCAP Security Guide documentation is installed with the scap-security-guide-doc package under /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html.


About the author

Vojtěch Polášek is a software engineer working within the security compliance subsystem in Red Hat. He studied computer networks and, later, information technology security at Masaryk University in Brno, Czech Republic.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

Browse by channel

automation icon

Automation

The latest on IT automation for tech, teams, and environments

AI icon

Artificial intelligence

Updates on the platforms that free customers to run AI workloads anywhere

open hybrid cloud icon

Open hybrid cloud

Explore how we build a more flexible future with hybrid cloud

security icon

Security

The latest on how we reduce risks across environments and technologies

edge icon

Edge computing

Updates on the platforms that simplify operations at the edge

Infrastructure icon

Infrastructure

The latest on the world’s leading enterprise Linux platform

application development icon

Applications

Inside our solutions to the toughest application challenges

Original series icon

Original shows

Entertaining stories from the makers and leaders in enterprise tech