Compliance Check
Before a Managed RHEL VM can leave the Temp Admin state, compliance checks will be performed in the background. Only if all relevant checks are successfully passed, the VM will be transferred to the requested state. If one or more tests are not successful, then this must be corrected by you. Afterwards, the state change can be requested again.
The compliance check will be executed when the following state changes are requested:
- Temp Admin to Customer Maintenance
- Temp Admin to Full Managed
Run Compliance Checks manually
If the VM is in the Temp Admin state, the compliance check can also be performed manually.
The command below can be used to check whether the VM can successfully leave the Temp Admin state.
sudo checkmate -a
If you only want to execute a dedicated check, you can use the following command. For example, execute the compliance check for check_ssh only:
sudo checkmate -cf -I check_ssh
The output of the command is written to standard output and to /var/log/messages.
Compliance Check Exceptions
A successful compliance check is a prerequisite for using Managed RHEL. If one of the tests fails, the Full Managed service cannot be offered. You are informed and can resolve (recommended solution) the issue or apply to Swisscom for an exception. This can either be approved or rejected. The approval needs to be requested via ESC Service Request.
Compliance Checks for Managed RHEL
This section describes the checks to be executed before offering the Full Managed state on a given Managed RHEL VM. To see whether the VM is healthy i.e. able to be changed back to Full Managed state, run the following command from the command line at anytime:
check_autofs
It's not allowed to have the autofs rpm installed. Therefore, it must be removed.
Troubleshooting:
Remove the autofs rpm by executing:
sudo yum -y remove autofs.x86_64
check_cron
There are no crontab entries allowed, which run as user root. There are only dedicated root cronjobs where the sha1sum checksums are trusted from check_cron, for that reason, it's not allowed to edit existing cron files.
Troubleshooting:
If the cronjob is absolutely needed, create a service request for requesting an exception where you explain why the cronjob is needed. Also provide the exact error message, the hostname, and the IP address.
check_fs_content
Ensure you create no additional content on the Operating System mountpoints.
No application directories, application log files or any other application data is allowed on Operating System mounted file systems (/, /boot, /usr/local, /usr/local, /opt, /opt/ds_agent, /home, /var, /var/log, /var/log/audit, /tmp). Create all your application-specific content on additionally added disks which belongs to the volume group datavg.
Troubleshooting:
Add a disk for every new mountpoint you need and create it with the Manage Disks Day-2 action in the portal. Remove any content which does not belong there from the Operating System file systems.
check_fslayout
The Operating System requires the following file system layout:
| Logical volume | Mountpoint |
|---|---|
| /dev/mapper/vrhvg-slashlv | / |
| /dev/mapper/vrhvg-optlv | /opt |
| /dev/mapper/vrhvg-homelv | /home |
| /dev/mapper/vrhvg-usrloclv | /usr/local |
| /dev/sda1 | /boot |
| /dev/mapper/vrhvg-tmplv | /tmp |
| /dev/mapper/vrhvg-varlv | /var |
| /dev/mapper/vrhvg-varloglv | /var/log |
| /dev/mapper/vrhvg-logaudlv | /var/log/audit |
| /dev/mapper/vrhvg-swaplv01 | swap |
All Operating System file systems must be in the volume group
vrhvg.All customer file systems must be in the volume group
datavgordatavg[0-9][0-9].The size of the Operating System file systems must not be changed.
Troubleshooting:
You can check the file system layout by executing:
df -hP
check_fstab
Checks if all entries from /etc/fstab are mounted. All entries from /etc/fstab must be mounted before switching back to Full Managed state.
Troubleshooting:
To test your /etc/fstab configuration, you can mount everything in it by executing:
sudo mount -a
check_fstypes
Ensure all partitions have an allowed file system type.
Allowed file system types:
autofs, binfmt_misc, cgroup, cifs, configfs, debugfs, devpts, devtmpfs, ext4, hugetlbfs, mqueue, nfs, nfs4, proc, pstore, rootfs, securityfs, selinuxfs, smbfs, swap, sysfs, tmpfs, usbfs, xfs
Troubleshooting:
You can check the file system type of mounted file system by executing:
df -hT [FILESYTEM]
check_hostname
Checks if the hostname has not been changed. If you have tried to change the hostname, you must revert all changes.
Troubleshooting:
You can make sure all relevant places have the correct hostname set by executing:
sudo grep sccloudres /etc/sysconfig/rhn/systemid
sudo cat /etc/hostname
sudo grep sccloudres /etc/sysconfig/network
sudo grep sccloudres /etc/hosts
hostnamectl status | grep sccloudres
check_hosts_file
The /etc/hosts file must contain a localhost entry, and all IPv4 and IPv6 addresses must be valid.
Troubleshooting:
Get an overview about your actual /etc/hosts file by executing:
ls -la /etc/hosts && cat /etc/hosts
check_imars
When Client Identifying Data (CID) is enabled for this VM, then the check tests if the Splunk Universal Forwarder agent is installed, configured and running.
Troubleshooting:
Check if the splunk daemon is running:
systemctl status splunkd
ps -ef | grep splunk
check_local_users
Ensure that there are no local users with root permissions except for the user root.
Ensure the GID for users and groups are not higher than 99999, as the higher GIDs are reserved for groups which are managed in the Active Directory resource domain.
Ensure no local group dl_esc-mos-lnx-access* exists, as these groups are managed in the Active Directory resource domain.
Troubleshooting:
You can change the UID of a user by executing:
sudo usermod -u [NEWUID] [USER]
You can change the GID of a group by executing:
sudo groupmod -g [NEWGID] [GROUP]
check_lvm
Checks if the pvs command finds no unknown/missing devices.
Troubleshooting:
You can start debugging this issue by executing:
sudo pvs
check_malware
There must not be any malware protection installed, besides the malware protection installed by Swisscom.
Troubleshooting:
Uninstall any malware protection which you have installed by your own.
check_malware_inst
Ensure the malware protection installed by Swisscom is configured, and running.
Troubleshooting:
You get information about the relevant services by executing:
systemctl status ds_agent
check_monitoring_inst
Ensure the Swisscom monitoring agent is installed and running. Ansible is installing the monitoring agent, if the check fails because the monitoring agent is not installed, check why Ansible is not running.
Troubleshooting:
You get information about the relevant services by executing:
systemctl status node_exporter
ps aux | grep node_exporter
check_pam_config
Ensure the pam rpm is installed. PAM (Pluggable Authentication Modules) configuration must not have been changed or must match an accepted configuration.
Troubleshooting:
Install the pam rpm, in case it is missing, by executing:
sudo yum -y install pam.x86_64
Also, make sure to not alter or add any files to /etc/pam.d.
check_reboot
Ensure the Operating System does not require a reboot. Otherwise, you must reboot the Operating System.
Troubleshooting:
Install the yum-utils rpm, in case it is missing, by executing:
sudo yum -y install yum-utils.noarch
Reboot your server in case it is necessary by executing:
sudo shutdown -r now
check_repos
Ensure there aren't any unreachable YUM repositories configured.
Troubleshooting:
Troubleshoot your issues according to the error message provided. You can list your configured YUM repositories by executing:
sudo yum repolist
check_rhel_version
The Operating System version must be one of the following:
- RHEL 7.4 or higher minor release
- RHEL 8.0 or higher minor release
- RHEL 9.0 or higher minor release
Troubleshooting:
You can check your Operating System and kernel version by executing:
cat /etc/redhat-release
uname -a
check_root_processes
Ensure only dedicated system processes are running as user root. Applications must not run as user root.
Troubleshooting:
You get a list of all processes with the running user by executing:
sudo ps auxf
check_rpm
The system packages must be from Red Hat and must not be modified.
Troubleshooting:
In case of an error, check what has changed on the package
rpm -V [PACKAGE]
Try to resolve the problem with a reinstallation of the package by executing:
sudo yum reinstall [PACKAGE]
check_satellite
Ensure the host is registered to the Red Hat Satellite server from Swisscom.
Troubleshooting:
In case of an error, check if a proper Red Hat Satellite server is configured by executing:
grep cms2capsule /etc/rhsm/rhsm.conf
check_selinux
Ensure SElinux is enabled (permissive or enforcing mode).
Troubleshooting:
Check if getenforce is returning Enforcing or Permissive.
sudo getenforce
Is selinuxenabled returning the return code 0?
selinuxenabled && echo $?
Is the file /etc/selinux/config containing SELINUX=enforcing or SELINUX=permissive?
sudo grep '^SELINUX\=' /etc/selinux/config
check_snmp
If a SNMP daemon/service is configured and running on the system, only read-access and SNMPv3 is allowed. Write access is disallowed.
Troubleshooting:
In case of an error, check for disallowed directives in /etc/snmp/snmpd.conf by executing:
grep rw /etc/snmp/snmpd.conf 2>/dev/null
grep write /etc/snmp/snmpd.conf 2>/dev/null
check_space
Ensure minimum free space is available on the Operating System file systems:
/ > 1 GB
/boot > 100 MB
/var/log > 200 MB
/tmp > 500 MB
/var/log/audit > 100 MB
/opt > 50 MB
swap > 1 GB
Ensure minimum free space is available on the volume group for the Operating System:
vrhvg > 5GB
Troubleshooting:
You can compare the free space with the figures here by executing:
df -hP
check_ssh
- Ensure
sshdis running and the configuration file exists. - Ensure
sshdis running with the default configuration file. - Ensure
sshdhas a minimal configuration. Only allowed ciphers are enabled/configured. - Allowed MACs:
hmac-sha2-512,hmac-sha2-256 - Allowed Ciphers:
aes256-ctr,aes128-ctr - Allowed kexalgorithms:
diffie-hellman-group-exchange-sha256
Troubleshooting:
In case of an error, try to solve the problem according to the instruction given in the error message. Rerun the check by executing:
sudo checkmate -cf -I check_ssh
check_ssh_keys
Ensure the user root doesn't have any unknown ssh keys installed in /root/.ssh/authorized_keys. Otherwise, you must remove the unknown ssh keys.
Troubleshooting:
In case of an error, make sure to remove all keys from the authorized keys file belonging to the user root. You can check the authorized keys file by executing:
sudo cat /root/.ssh/authorized_keys 2>/dev/null
check_sudo_processes
There must not be any sudo process running.
Troubleshooting:
Stop the mentioned process. Otherwise, it will not be possible to leave the Temp Admin state.
check_sudoers
There must not be any sudoers configuration (aliases etc.) that allow a user to acquire root privileges. Only trusted sudoers configuration are allowed. The exception needs to be requested with a service request.
Troubleshooting:
Try to avoid sudo configuration, better use the Temp Admin state for administration tasks. If the sudo command is absolutely needed, create a service request and explain why the sudo file is needed. Also provide the sudo file, the hostname and the IP address.
check_suid
There must not be any unknown setuid binaries. Any file systems which are mounted with the nosuid option, are excluded from this check. To prevent a long-running search for files with the suid bit set, mount the application or nfs file system with the nosuid option.
Troubleshooting:
In case of an error, try to solve the problem according to the instruction given in the error message. Rerun the check by executing:
sudo checkmate -cf -I check_suid
check_update_age
Determine last patch date. If the installed kernel is older than 90 days, you must update and reboot the Operating System manually, with these commands:
sudo yum update -y
sudo yum check-update
sudo reboot
Troubleshooting:
In case of an error, try to solve the problem according to the instruction given in the error message. Rerun the check by executing:
sudo checkmate -cf -I check_update_age
check_vmware_tools
The VMware tools must be installed.
Troubleshooting:
In case of an error, try to reinstall the package by executing:
sudo yum install open-vm-tools
check_yum_conf
Ensure there are no important rpm excluded from patching.
It is not allowed to exclude the following rpm from updating:
'*', 'BESAgent', 'coreutils', 'dracut', 'ds_agent', 'epops-agent', 'facter', 'firewalld', 'gpg-pupkey', 'grub2', 'gugent', 'hiera', 'iptables', 'iputils', 'kernel', 'openssl-libs', 'open-vm-tools', 'pam', 'passwd', 'puppet', 'SCCMS-checkmate', 'splunkforwarder', 'sudo', 'VMware-Log-Insight-Agent', 'vmware-vra-software-agent-service'
Troubleshooting:
In case of an error, try to solve the problem according to the instruction given in the error message. Rerun the check by executing:
sudo checkmate -cf -I check_yum_conf
t-tec-aut-b-1
Ensure information about last logon is displayed on login.
t-tec-aut-b-3
Ensure login banner is configured.
t-tec-aut-b-4
Ensure the shell timeouts after 30 minutes.
t-tec-bgk-b-7
Ensure a secure PATH variable for the user root. No dots in the PATH variable for user root are allowed.
t-tec-bgk-b-10
Ensure time synchronisation is enabled and running.
t-tec-bgk-b-14
Ensure security limits are present.
t-tec-bgk-b-17
Ensure user data is protected (user home, ssh and mail directories are not world accessible).
t-tec-bnk-b-2
Ensure the network stack is hardened as specified in the configuration file.
t-tec-del-b-1
Ensure the command line utility dd is available.
t-tec-enc-b-1
Ensure OpenSSH is installed and running and passwords are hashed in /etc/shadow using a secure algorithm.
t-tec-fil-b-1
Ensure iptables service is installed and enabled for RHEL 7 and RHEL 8. Ensure nftables service is installed and enabled for RHEL 9.
t-tec-log-b-2
Ensure the following events are logged: Logins and login attempts, system messages, permission changes (user mods, visudos), administrative actions, SSH messages.
t-tec-pfs-b-4
Ensure the system requires a password on emergency boot and for the single user mode.
t-tec-sof-b-2
Ensure software is integrity-checked.
t-tec-sof-b-3
Ensure the system is set to use the English language.
t-tec-uam-b-1
Ensure accounts are locked after five unsuccessful login attempts.