EAL4+ Generic Hardening with Example42 Puppet Modules
"The Evaluation Assurance Level (EAL1 through EAL7) of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999." (From Wikipedia).
Red Hat 5 has been certified as meeting the requirements of EAL level 4 plus some further security specifications (EAL4+).
EAL4+ can be implemented in two ways:
- CAPP mode (Controlled Access Protection Profile). Consider this based on discretionary access control logic.
- LSPP/RBAC mode (Labeled Security Protection Profile (which is based on and includes all features of CAPP), and the Role-Based Access Control Protection Profile). In addition to discretionary access control, this mode requires multilevel security (MLS) and role-based access control.
EAL4+ compliance requires much more than what is configured with the Puppet modules provided here: it is a process that starts from the hardware choice, the physical location and accessibility of the servers, their installation, the configuration of the base system (which is what is covered here) and of the services used, and extends to the day-by-day operations on the system.
Nevertheless, the Puppet solution provided here can be a good starting point for the generic hardening of a Red Hat/CentOS 5 server. Consider this a work in progress that will eventually also be applied to other Linux distributions.
You can choose to use only the relevant modules to set up a hardened system, or just use this as a reference for the configurations you need on a hardened system.
Note that the proposed hardening classes may heavily impact your administrative activities and productivity, so evaluate and test them carefully.
More precisely, the hardening::eal4 class proposed below:
- Disables various services (via Puppet's Service type, so you need to modify hardening::services if you need to start some of the services listed there);
- Adds at least one administrative user (the only one that can su - ); remember to set/change its password!
- Enforces password duration limits;
- Disables direct root access via SSH and various SSH authentication methods;
- Enforces root access only for administrative users (members of group wheel) and enforces local auditing;
- Removes various packages (via a script, so you can re-add them with Puppet's Package type where necessary);
- Sets a password on the Linux loader;
- Ensures the presence of the audit service;
- Sets up SELinux in enforcing mode (not required for EAL4+ CAPP).
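As an added example (not code from Example42's hardening::eal4 module), the following Puppet class applies a few of the controls listed above with core Puppet resources and Augeas: an administrative user in group wheel, SSH root login and weak authentication methods disabled, password aging limits, and the audit service running. The class name, the user name, the numeric limits and the disabled service are assumptions.

```puppet
# Added example, not part of Example42's hardening::eal4: a small class that
# applies some of the controls listed above with core Puppet resources and
# Augeas. Class name, user name, numeric limits and service names are assumed.
class hardening::eal4_example {

  # Administrative user in group wheel (the only group allowed to 'su -').
  # No password is set here: set or change it out of band after the first run.
  group { 'wheel': ensure => present }
  user { 'admin':
    ensure     => present,
    groups     => ['wheel'],
    managehome => true,
    require    => Group['wheel'],
  }

  # Disable direct root login and weak SSH authentication methods.
  augeas { 'sshd-hardening':
    context => '/files/etc/ssh/sshd_config',
    changes => [
      'set PermitRootLogin no',
      'set PermitEmptyPasswords no',
      'set ChallengeResponseAuthentication no',
    ],
    notify  => Service['sshd'],
  }
  service { 'sshd': ensure => running, enable => true }

  # Password aging limits applied to new accounts (assumed values).
  augeas { 'login-defs-aging':
    context => '/files/etc/login.defs',
    changes => [
      'set PASS_MAX_DAYS 90',
      'set PASS_MIN_DAYS 1',
      'set PASS_WARN_AGE 7',
    ],
  }

  # Local auditing must be installed and running.
  package { 'audit': ensure => present }
  service { 'auditd':
    ensure  => running,
    enable  => true,
    require => Package['audit'],
  }

  # One example of a service the hardening turns off; the real list is site-specific.
  service { 'bluetooth': ensure => stopped, enable => false }
}
```

Run it in --noop mode first on a test node: the SSH and su changes lock out anyone who is not in group wheel or who relies on a disabled authentication method.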
In your node definition (or in a general class included by the nodes you want to harden), you just need to:
    include hardening::eal4
This is actually a cross-module class that includes classes defined in other modules, so you also need to import them into your Puppet set of modules:
What has been included above is all you need to set up a hardened node; of course, you may tweak and adapt some classes according to your needs.

