Compliance Check

Before a Swisscom RHEL VM can leave the Temp Admin state, compliance checks are performed in the background. The VM is transferred to the requested state only if all relevant checks pass. If one or more checks fail, you must correct the findings; afterwards, the state change can be requested again.

The compliance check will be executed when the following state changes are requested:

  • Temp Admin to Customer Maintenance
  • Temp Admin to Full Managed

Run Compliance Checks manually

If the VM is in the Temp Admin state, the compliance check can also be performed manually.
The command below can be used to check whether the VM can successfully leave the Temp Admin state.

sudo checkmate -a

If you only want to execute a single check, use the following command. For example, to execute the compliance check check_ssh only:

sudo checkmate -cf -I check_ssh

The output of the command is written to standard output and to /var/log/messages.

Compliance Check Exceptions

A successful compliance check is a prerequisite for using Managed RHEL. If one of the checks fails, the Full Managed service cannot be offered. You are informed and can either resolve the issue (the recommended solution) or apply to Swisscom for an exception, which can be approved or rejected. The exception must be requested via an ESC Service Request.

Compliance Checks for Managed RHEL

This section describes the checks that are executed before the Full Managed state is offered on a given Swisscom RHEL VM. To see whether the VM is healthy, i.e. able to be changed back to the Full Managed state, run the manual compliance check described above (sudo checkmate -a) from the command line at any time. The individual checks are listed below.

check_autofs

It's not allowed to have the autofs rpm installed. Therefore, it must be removed.

Troubleshooting:

Remove the autofs rpm by executing:

sudo yum -y remove autofs.x86_64

check_cron

Crontab entries that run as user root are not allowed. The only exceptions are dedicated root cron jobs whose sha1sum checksums are trusted by check_cron; for that reason, existing cron files must not be edited either.

Troubleshooting:

If the cron job is absolutely needed, create a service request for an exception and explain why the cron job is needed. Also provide the exact error message, the hostname, and the IP address.

check_fs_content

Ensure you create no additional content on the Operating System mountpoints.

No application directories, application log files or any other application data are allowed on the Operating System file systems (/, /boot, /usr/local, /opt, /opt/ds_agent, /home, /var, /var/log, /var/log/audit, /tmp). Create all your application-specific content on additionally added disks that belong to the volume group datavg.

Troubleshooting:

Add a disk for every new mountpoint you need and create it with the Manage Disks Day-2 action in the portal. Remove any content that does not belong there from the Operating System file systems.

check_fslayout

The Operating System requires the following file system layout:

Logical volume                    Mountpoint
/dev/mapper/vrhvg-slashlv         /
/dev/mapper/vrhvg-optlv           /opt
/dev/mapper/vrhvg-homelv          /home
/dev/mapper/vrhvg-usrloclv        /usr/local
/dev/sda1                         /boot
/dev/mapper/vrhvg-tmplv           /tmp
/dev/mapper/vrhvg-varlv           /var
/dev/mapper/vrhvg-varloglv        /var/log
/dev/mapper/vrhvg-logaudlv        /var/log/audit
/dev/mapper/vrhvg-swaplv01        swap

  • All Operating System file systems must be in the volume group vrhvg.

  • All customer file systems must be in the volume group datavg or datavg[0-9][0-9].

  • The size of the Operating System file systems must not be changed.

Troubleshooting:

You can check the file system layout by executing:

df -hP
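
Comparing the df output by hand against the table is error-prone on a VM with many customer disks. The script below is an added example (not part of the Swisscom checkmate tool) that applies the check_fslayout rules to "<device> <mountpoint>" pairs: the Operating System mountpoints must sit on exactly the logical volumes listed in the table, every other block device must be a logical volume in datavg or datavgNN, and any extra vrhvg volume is flagged. The two sample inputs are constructed for the demonstration; swap is not a mountpoint and therefore not covered.

```sh
#!/bin/sh
# Added example, not part of checkmate: apply the check_fslayout rules to
# "<device> <mountpoint>" pairs, e.g. the output of
#   df -P | awk 'NR > 1 { print $1, $6 }' | check_layout
# Swap is not a mountpoint and does not appear in df, so it is left out here.

# Required Operating System layout, copied from the table above.
EXPECTED_LAYOUT='/dev/mapper/vrhvg-slashlv /
/dev/mapper/vrhvg-optlv /opt
/dev/mapper/vrhvg-homelv /home
/dev/mapper/vrhvg-usrloclv /usr/local
/dev/sda1 /boot
/dev/mapper/vrhvg-tmplv /tmp
/dev/mapper/vrhvg-varlv /var
/dev/mapper/vrhvg-varloglv /var/log
/dev/mapper/vrhvg-logaudlv /var/log/audit'

# check_layout: reads "<device> <mountpoint>" lines on stdin, prints one line
# per violation and returns 1 if any was found, 0 otherwise.
check_layout() {
    awk -v expected="$EXPECTED_LAYOUT" '
    BEGIN {
        n = split(expected, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, " ")
            want[f[2]] = f[1]              # mountpoint -> required device
        }
        bad = 0
    }
    $1 !~ /^\/dev\// { next }             # tmpfs, proc, nfs etc. are not LVM file systems
    {
        dev = $1; mp = $2
        if (mp in want) {
            seen[mp] = 1
            if (dev != want[mp]) { print "WRONG DEVICE " mp ": " dev " (expected " want[mp] ")"; bad = 1 }
        } else if (dev ~ /^\/dev\/mapper\/vrhvg-/) {
            print "UNEXPECTED OS VOLUME " dev " on " mp; bad = 1   # extra LV in vrhvg
        } else if (dev !~ /^\/dev\/mapper\/datavg([0-9][0-9])?-/) {
            print "NOT IN datavg: " dev " on " mp; bad = 1        # customer data outside datavg/datavgNN
        }
    }
    END {
        for (mp in want) if (!(mp in seen)) { print "MISSING " mp " (" want[mp] ")"; bad = 1 }
        exit bad
    }'
}

# Constructed sample: a compliant VM with two customer disks.
SAMPLE_OK='/dev/mapper/vrhvg-slashlv /
devtmpfs /dev
tmpfs /dev/shm
/dev/sda1 /boot
/dev/mapper/vrhvg-optlv /opt
/dev/mapper/vrhvg-homelv /home
/dev/mapper/vrhvg-usrloclv /usr/local
/dev/mapper/vrhvg-tmplv /tmp
/dev/mapper/vrhvg-varlv /var
/dev/mapper/vrhvg-varloglv /var/log
/dev/mapper/vrhvg-logaudlv /var/log/audit
/dev/mapper/datavg-applv /app
/dev/mapper/datavg01-dblv /data/db'

# Constructed sample with two violations: an application LV in a foreign VG and no audit LV.
SAMPLE_BAD='/dev/mapper/vrhvg-slashlv /
/dev/sda1 /boot
/dev/mapper/vrhvg-optlv /opt
/dev/mapper/vrhvg-homelv /home
/dev/mapper/vrhvg-usrloclv /usr/local
/dev/mapper/vrhvg-tmplv /tmp
/dev/mapper/vrhvg-varlv /var
/dev/mapper/vrhvg-varloglv /var/log
/dev/mapper/appvg-applv /app'

printf '%s\n' "$SAMPLE_OK"  | check_layout && echo "sample_ok: layout compliant"
printf '%s\n' "$SAMPLE_BAD" | check_layout || echo "sample_bad: layout violations found"
```

On the VM itself, pipe df -P (first and sixth column) into check_layout; the device-mapper names follow the vg-lv pattern, which is why a volume group other than vrhvg or datavgNN shows up immediately.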

check_fstab

Checks if all entries from /etc/fstab are mounted. All entries from /etc/fstab must be mounted before switching back to Full Managed state.

Troubleshooting:

To test your /etc/fstab configuration, you can mount everything in it by executing:

sudo mount -a

check_fstypes

Ensure all partitions have an allowed file system type.

Allowed file system types:

autofs, binfmt_misc, cgroup, cifs, configfs, debugfs, devpts, devtmpfs, ext4, hugetlbfs, mqueue, nfs, nfs4, proc, pstore, rootfs, securityfs, selinuxfs, smbfs, swap, sysfs, tmpfs, usbfs, xfs

Troubleshooting:

You can check the file system type of mounted file system by executing:

df -hT [FILESYSTEM]

check_hostname

Checks that the hostname has not been changed. If you have changed the hostname, you must revert all changes.

Troubleshooting:

You can make sure all relevant places have the correct hostname set by executing:

sudo grep sccloudres /etc/sysconfig/rhn/systemid
sudo cat /etc/hostname
sudo grep sccloudres /etc/sysconfig/network
sudo grep sccloudres /etc/hosts
hostnamectl status | grep sccloudres

check_hosts_file

The /etc/hosts file must contain a localhost entry, and all IPv4 and IPv6 addresses must be valid.

Troubleshooting:

Get an overview about your actual /etc/hosts file by executing:

ls -la /etc/hosts && cat /etc/hosts

check_imars

When Client Identifying Data (CID) is enabled for this VM, the check tests whether the Splunk Universal Forwarder agent is installed, configured and running.

Troubleshooting:

Check if the splunk daemon is running:

systemctl status splunkd
ps -ef | grep splunk

check_local_users

Ensure that there are no local users with root permissions (UID 0) except for the user root.

Ensure the UIDs of local users and the GIDs of local users and groups are not higher than 99999, as the higher IDs are reserved for accounts and groups managed in the Active Directory resource domain.

Ensure no local group dl_esc-mos-lnx-access* exists, as these groups are managed in the Active Directory resource domain.

Troubleshooting:

You can change the UID of a user by executing:

sudo usermod -u [NEWUID] [USER]

You can change the GID of a group by executing:

sudo groupmod -g [NEWGID] [GROUP]
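
The three rules of check_local_users are easy to verify directly from the local account files. The script below is an added example (not checkmate's own code) that reads /etc/passwd and /etc/group and reports UID 0 accounts other than root, UIDs or GIDs above 99999, and local copies of the dl_esc-mos-lnx-access* groups. It reads the files rather than getent because Active Directory accounts resolved through SSSD legitimately carry IDs above the limit and are not local users. The sample file contents are constructed.

```sh
#!/bin/sh
# Added example, not part of checkmate: apply the check_local_users rules to
# /etc/passwd and /etc/group. Read the local files, not `getent`, because
# SSSD-backed Active Directory accounts legitimately carry IDs above 99999.

ID_LIMIT=99999

# check_local_users: stdin = /etc/passwd. Flags UID 0 accounts other than root
# and UIDs/primary GIDs above the limit. Returns 1 on any finding.
check_local_users() {
    awk -F: -v limit="$ID_LIMIT" '
    BEGIN { bad = 0 }
    $3 == 0 && $1 != "root" { print "ROOT-EQUIVALENT " $1 " has UID 0"; bad = 1 }
    $3 > limit { print "UID " $1 ": " $3 " exceeds " limit; bad = 1 }
    $4 > limit { print "PRIMARY-GID " $1 ": " $4 " exceeds " limit; bad = 1 }
    END { exit bad }'
}

# check_local_groups: stdin = /etc/group. Flags GIDs above the limit and
# local copies of the AD-managed dl_esc-mos-lnx-access* groups.
check_local_groups() {
    awk -F: -v limit="$ID_LIMIT" '
    BEGIN { bad = 0 }
    $3 > limit { print "GID " $1 ": " $3 " exceeds " limit; bad = 1 }
    $1 ~ /^dl_esc-mos-lnx-access/ { print "GROUP " $1 " is managed in Active Directory and must not exist locally"; bad = 1 }
    END { exit bad }'
}

# Constructed sample files: a second UID 0 account and an over-limit service account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
appuser:x:1001:1001::/home/appuser:/bin/bash
toor:x:0:0::/root:/bin/bash
svc_batch:x:150000:150000::/home/svc_batch:/bin/bash'

SAMPLE_GROUP='root:x:0:
wheel:x:10:appuser
appuser:x:1001:
dl_esc-mos-lnx-access_admin:x:120000:'

printf '%s\n' "$SAMPLE_PASSWD" | check_local_users  || echo "passwd: see findings above"
printf '%s\n' "$SAMPLE_GROUP"  | check_local_groups || echo "group: see findings above"
# On the VM itself:  check_local_users < /etc/passwd; check_local_groups < /etc/group
```

A second UID 0 account is equivalent to root regardless of its name, so it should be removed rather than renumbered; for ordinary accounts and groups above the limit, usermod -u and groupmod -g as shown above are the fix.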

check_lvm

Checks that the pvs command reports no unknown or missing devices.

Troubleshooting:

You can start debugging this issue by executing:

sudo pvs

check_malware

There must not be any malware protection installed other than the malware protection installed by Swisscom.

Troubleshooting:

Uninstall any malware protection that you installed yourself.

check_malware_inst

Ensure the malware protection installed by Swisscom is configured, and running.

Troubleshooting:

You get information about the relevant services by executing:

systemctl status ds_agent

check_monitoring_inst

Ensure the Swisscom monitoring agent is installed and running. The monitoring agent is installed by Ansible; if the check fails because the agent is not installed, check why Ansible is not running.

Troubleshooting:

You get information about the relevant services by executing:

systemctl status node_exporter
ps aux | grep node_exporter

check_pam_config

Ensure the pam rpm is installed. PAM (Pluggable Authentication Modules) configuration must not have been changed or must match an accepted configuration.

Troubleshooting:

Install the pam rpm, in case it is missing, by executing:

sudo yum -y install pam.x86_64

Also, make sure to not alter or add any files to /etc/pam.d.

check_reboot

Ensure the Operating System does not require a reboot. Otherwise, you must reboot the Operating System.

Troubleshooting:

Install the yum-utils rpm, in case it is missing, by executing the command below. It provides the needs-restarting utility, whose -r option reports whether a reboot is required.

sudo yum -y install yum-utils.noarch

Reboot your server in case it is necessary by executing:

sudo shutdown -r now

check_repos

Ensure there aren't any unreachable YUM repositories configured.

Troubleshooting:

Troubleshoot your issues according to the error message provided. You can list your configured YUM repositories by executing:

sudo yum repolist

check_rhel_version

The Operating System version must be one of the following:

  • RHEL 7.4 or higher minor release
  • RHEL 8.0 or higher minor release
  • RHEL 9.0 or higher minor release

Troubleshooting:

You can check your Operating System and kernel version by executing:

cat /etc/redhat-release
uname -a

check_root_processes

Ensure only dedicated system processes are running as user root. Applications must not run as user root.

Troubleshooting:

You get a list of all processes with the running user by executing:

sudo ps auxf

check_rpm

The system packages must be from Red Hat and must not be modified.

Troubleshooting:

In case of an error, check what has changed in the package:

rpm -V [PACKAGE]

Try to resolve the problem with a reinstallation of the package by executing:

sudo yum reinstall [PACKAGE]

check_satellite

Ensure the host is registered to the Red Hat Satellite server from Swisscom.

Troubleshooting:

In case of an error, check if a proper Red Hat Satellite server is configured by executing:

grep cms2capsule /etc/rhsm/rhsm.conf

check_selinux

Ensure SELinux is enabled (permissive or enforcing mode).

Troubleshooting:

Check if getenforce is returning Enforcing or Permissive.

sudo getenforce

Does selinuxenabled return the exit code 0? (It returns 1 when SELinux is disabled.)

selinuxenabled; echo $?

Is the file /etc/selinux/config containing SELINUX=enforcing or SELINUX=permissive?

sudo grep '^SELINUX\=' /etc/selinux/config

check_snmp

If an SNMP daemon/service is configured and running on the system, only read access and SNMPv3 are allowed. Write access is disallowed.

Troubleshooting:

In case of an error, check for disallowed directives in /etc/snmp/snmpd.conf by executing:

grep rw /etc/snmp/snmpd.conf 2>/dev/null
grep write /etc/snmp/snmpd.conf 2>/dev/null

check_space

Ensure the minimum free space is available on the Operating System file systems:

  • / > 1 GB
  • /boot > 100 MB
  • /var/log > 200 MB
  • /tmp > 500 MB
  • /var/log/audit > 100 MB
  • /opt > 50 MB
  • swap > 1 GB

Troubleshooting:

You can compare the free space with the figures here by executing:

df -hP
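
Both check_fstypes (above) and check_space read the same df information, so one script can evaluate both. The script below is an added example (not checkmate's own code) that takes df -PT output in 1K blocks, flags mounted file systems whose type is not in the allowed list, compares the free space of each Operating System mountpoint against the thresholds above, and checks the swap threshold from free -k. It assumes that "1 GB" on this page means 1024 MB; the df and free outputs it runs on are constructed samples.

```sh
#!/bin/sh
# Added example, not part of checkmate: evaluate the check_fstypes and
# check_space rules over `df -PT` output (sizes in 1K blocks) and the swap
# threshold over `free -k`. Assumption: "1 GB" on the page means 1024 MB.

ALLOWED_FSTYPES='autofs binfmt_misc cgroup cifs configfs debugfs devpts devtmpfs ext4 hugetlbfs mqueue nfs nfs4 proc pstore rootfs securityfs selinuxfs smbfs swap sysfs tmpfs usbfs xfs'

# Minimum free space in MB per Operating System mountpoint (check_space list).
MIN_FREE_MB='/ 1024
/boot 100
/var/log 200
/tmp 500
/var/log/audit 100
/opt 50'

# check_df: stdin = `df -PT` output.
# Columns: Filesystem Type 1024-blocks Used Available Capacity Mounted-on
check_df() {
    awk -v allowed="$ALLOWED_FSTYPES" -v minfree="$MIN_FREE_MB" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
        n = split(minfree, l, "\n")
        for (i = 1; i <= n; i++) { split(l[i], f, " "); need[f[1]] = f[2] + 0 }
        bad = 0
    }
    NR == 1 { next }                                 # df header line
    {
        type = $2; avail_mb = int($5 / 1024); mp = $7
        if (!(type in ok)) { print "FSTYPE " mp ": " type " not allowed"; bad = 1 }
        if ((mp in need) && avail_mb < need[mp]) {
            print "SPACE " mp ": " avail_mb " MB free, minimum " need[mp] " MB"; bad = 1
        }
    }
    END { exit bad }'
}

# check_swap: stdin = `free -k` output; swap is not a mountpoint, so it is
# checked separately. Returns 1 when less than 1 GB of swap is free.
check_swap() {
    awk '/^Swap:/ { free_mb = int($4 / 1024)
                    if (free_mb < 1024) { print "SPACE swap: " free_mb " MB free, minimum 1024 MB"; exit 1 } }'
}

# Constructed `df -PT` sample: /var/log is nearly full and /app uses a
# file system type that is not on the allowed list.
SAMPLE_DF='Filesystem                 Type       1024-blocks    Used Available Capacity Mounted on
/dev/mapper/vrhvg-slashlv  xfs            4184064 2100000   2084064      51% /
devtmpfs                   devtmpfs       1932000       0   1932000       0% /dev
/dev/sda1                  xfs            1038336  210000    828336      21% /boot
/dev/mapper/vrhvg-varloglv xfs            2086912 1950000    136912      94% /var/log
/dev/mapper/vrhvg-tmplv    xfs            1038336   20000   1018336       2% /tmp
app@nas01:/export          fuse.sshfs    10485760 1000000   9485760      10% /app'

# Constructed `free -k` sample with enough swap free.
SAMPLE_FREE='              total        used        free      shared  buff/cache   available
Mem:        3880000     1200000     1500000       20000     1180000     2400000
Swap:       2097148      300000     1797148'

printf '%s\n' "$SAMPLE_DF"   | check_df   || echo "df: see findings above"
printf '%s\n' "$SAMPLE_FREE" | check_swap && echo "swap: enough free"
# On the VM itself:  df -PT | check_df; free -k | check_swap
```

Because df only reports mounted file systems, run check_fstab (mount -a) first; an unmounted /var/log/audit would otherwise disappear from this report rather than fail it.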

check_ssh

  • Ensure sshd is running and the configuration file exists.
  • Ensure sshd is running with the default configuration file.
  • Ensure sshd has a minimal configuration. Only allowed ciphers are enabled/configured.
  • Allowed MACs: hmac-sha2-512,hmac-sha2-256
  • Allowed Ciphers: aes256-ctr,aes128-ctr
  • Allowed kexalgorithms: diffie-hellman-group-exchange-sha256

Troubleshooting:

In case of an error, try to solve the problem according to the instruction given in the error message. Rerun the check by executing:

sudo checkmate -cf -I check_ssh
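
The error message names the offending algorithm, but it helps to see the whole effective list before rerunning the check. The script below is an added example (not checkmate's own code) that compares the ciphers, MACs and key exchange algorithms sshd actually uses against the three allow-lists above. It is meant to be fed sshd -T (the effective configuration; root is required) rather than sshd_config, because a line such as "Ciphers +aes128-cbc" in sshd_config appends to the compiled-in defaults and a grep over the file would miss those. The inputs it runs on are constructed samples.

```sh
#!/bin/sh
# Added example, not part of checkmate: compare the algorithm lists that sshd
# actually uses against the check_ssh allow-lists. Feed it `sshd -T` (the
# effective configuration, root required) rather than sshd_config, because
# "Ciphers +..." in sshd_config extends the defaults and a text grep misses that.

ALLOWED_CIPHERS='aes256-ctr,aes128-ctr'
ALLOWED_MACS='hmac-sha2-512,hmac-sha2-256'
ALLOWED_KEX='diffie-hellman-group-exchange-sha256'

# check_sshd_algos: stdin = `sshd -T` output; prints each disallowed algorithm
# and returns 1 if any was found.
check_sshd_algos() {
    awk -v c="$ALLOWED_CIPHERS" -v m="$ALLOWED_MACS" -v k="$ALLOWED_KEX" '
    function allow(kw, list,    n, i, p) {
        n = split(list, p, ",")
        for (i = 1; i <= n; i++) ok[kw ":" p[i]] = 1
    }
    BEGIN { allow("ciphers", c); allow("macs", m); allow("kexalgorithms", k); bad = 0 }
    { kw = tolower($1) }                      # sshd -T prints lowercase keywords; sshd_config may not
    kw == "ciphers" || kw == "macs" || kw == "kexalgorithms" {
        seen[kw] = 1
        n = split($2, p, ",")
        for (i = 1; i <= n; i++)
            if (!((kw ":" p[i]) in ok)) { print kw ": " p[i] " not allowed"; bad = 1 }
    }
    END {
        # sshd -T always prints all three; this guard only matters for a raw sshd_config
        split("ciphers macs kexalgorithms", req, " ")
        for (i = 1; i <= 3; i++)
            if (!(req[i] in seen)) { print req[i] ": not set, OpenSSH defaults would apply"; bad = 1 }
        exit bad
    }'
}

# Constructed `sshd -T` excerpts: a compliant one and one with extra algorithms.
SAMPLE_OK='port 22
permitrootlogin no
ciphers aes256-ctr,aes128-ctr
macs hmac-sha2-512,hmac-sha2-256
kexalgorithms diffie-hellman-group-exchange-sha256'

SAMPLE_BAD='port 22
ciphers aes256-ctr,aes128-ctr,aes256-gcm@openssh.com
macs hmac-sha2-512,hmac-sha2-256,hmac-sha1
kexalgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256'

printf '%s\n' "$SAMPLE_OK"  | check_sshd_algos && echo "sample_ok: algorithms compliant"
printf '%s\n' "$SAMPLE_BAD" | check_sshd_algos || echo "sample_bad: see findings above"
# On the VM itself:  sudo sshd -T | check_sshd_algos
```

The check is a subset test, not an equality test: a VM that offers only aes256-ctr passes, one that adds anything outside the list fails. After editing sshd_config, run sshd -t to validate the syntax before restarting sshd, or you risk locking yourself out of the Temp Admin session.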

check_ssh_keys

Ensure the user root doesn't have any unknown ssh keys installed in /root/.ssh/authorized_keys. Otherwise, you must remove the unknown ssh keys.

Troubleshooting:

In case of an error, make sure to remove all keys from the authorized keys file belonging to the user root. You can check the authorized keys file by executing:

sudo cat /root/.ssh/authorized_keys 2>/dev/null

check_sudo_processes

There must not be any sudo process running.

Troubleshooting:

Stop the mentioned process. Otherwise, it will not be possible to leave the Temp Admin state.

check_sudoers

There must not be any sudoers configuration (aliases etc.) that allows a user to acquire root privileges. Only trusted sudoers configurations are allowed. An exception needs to be requested with a service request.

Troubleshooting:

Try to avoid sudo configuration, better use the Temp Admin state for administration tasks. If the sudo command is absolutely needed, create a service request and explain why the sudo file is needed. Also provide the sudo file, the hostname and the IP address.

check_suid

There must not be any unknown setuid binaries. File systems mounted with the nosuid option are excluded from this check. To prevent a long-running search for files with the setuid bit set, mount application or NFS file systems with the nosuid option.

Troubleshooting:

In case of an error, try to solve the problem according to the instruction given in the error message. Rerun the check by executing:

sudo checkmate -cf -I check_suid
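
To see in advance which mounts a setuid search will actually cover, and which hits deserve attention, the script below is an added example (not checkmate's own code). It derives the scan targets from /proc/mounts the way the description above implies (nosuid mounts and pseudo file systems are skipped), runs find per mount with -xdev, and classifies each setuid file by rpm ownership. Which binaries checkmate itself treats as "known" is not documented on this page; rpm ownership plus rpm -V is this example's own criterion. The /proc/mounts content it runs on is a constructed sample.

```sh
#!/bin/sh
# Added example, not part of checkmate: narrow a setuid search the way the
# check_suid description implies (skip nosuid mounts and pseudo file systems)
# and classify hits by rpm ownership. rpm ownership plus `rpm -V` is this
# example's own criterion for "known", not necessarily checkmate's.

# suid_scan_targets: stdin = /proc/mounts; prints the mountpoints worth scanning.
# nosuid mounts are skipped because the kernel ignores the setuid bit there anyway;
# only file system types that can carry customer data are considered.
suid_scan_targets() {
    awk '$4 !~ /(^|,)nosuid(,|$)/ && $3 ~ /^(xfs|ext4|nfs|nfs4|cifs|smbfs)$/ { print $2 }'
}

# find_suid: runs find per target, staying on that file system (-xdev).
find_suid() {
    suid_scan_targets < /proc/mounts | while IFS= read -r mp; do
        find "$mp" -xdev -type f -perm -4000 -print 2>/dev/null
    done
}

# classify_suid: stdin = paths from find_suid. A setuid file is suspicious when
# no rpm owns it, or when its owning rpm reports the file as changed.
classify_suid() {
    while IFS= read -r f; do
        if ! owner=$(rpm -qf "$f" 2>/dev/null); then
            echo "UNKNOWN  $f (not owned by any rpm)"
        elif rpm -V "$owner" | awk -v f="$f" '$NF == f { hit = 1 } END { exit !hit }'; then
            echo "MODIFIED $f (differs from rpm $owner)"
        else
            echo "OK       $f ($owner)"
        fi
    done
}

# Constructed /proc/mounts sample: /tmp and /app are nosuid, the NFS share is not.
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vrhvg-slashlv / xfs rw,relatime,attr2,inode64,noquota 0 0
/dev/sda1 /boot xfs rw,relatime,attr2,inode64,noquota 0 0
/dev/mapper/vrhvg-tmplv /tmp xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/datavg-applv /app xfs rw,nosuid,nodev,relatime 0 0
nas01:/export/share /mnt/share nfs4 rw,relatime,vers=4.1 0 0'

echo "mounts that would be scanned:"
printf '%s\n' "$SAMPLE_MOUNTS" | suid_scan_targets
# On the VM itself:  find_suid | classify_suid
```

In the sample the NFS share /mnt/share is scanned because it was mounted without nosuid; remounting it with nosuid both removes it from the search and stops setuid files on it from being honoured.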

check_update_age

Determines the last patch date. If the installed kernel is older than 90 days, you must update and reboot the Operating System manually with these commands:

sudo yum update -y
sudo yum check-update
sudo reboot

Troubleshooting:

In case of an error, try to solve the problem according to the instruction given in the error message. Rerun the check by executing:

sudo checkmate -cf -I check_update_age

check_vmware_tools

The VMware tools must be installed.

Troubleshooting:

In case of an error, try to install (or reinstall) the package by executing:

sudo yum install open-vm-tools

check_yum_conf

Ensure no important rpms are excluded from patching.

It is not allowed to exclude the following rpms from updating:

'*', 'BESAgent', 'coreutils', 'dracut', 'ds_agent', 'epops-agent', 'facter', 'firewalld', 'gpg-pubkey', 'grub2', 'gugent', 'hiera', 'iptables', 'iputils', 'kernel', 'openssl-libs', 'open-vm-tools', 'pam', 'passwd', 'puppet', 'SCCMS-checkmate', 'splunkforwarder', 'sudo', 'VMware-Log-Insight-Agent', 'vmware-vra-software-agent-service'

Troubleshooting:

In case of an error, try to solve the problem according to the instruction given in the error message. Rerun the check by executing:

sudo checkmate -cf -I check_yum_conf
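
Exclude patterns in yum configuration are globs, so a pattern like kernel* blocks the kernel rpm without naming it exactly. The script below is an added example (not checkmate's own code) that collects every exclude= line from a yum.conf or .repo file and matches each pattern as a shell glob against the protected package names listed above. It matches bare package names only, which is how yum treats a plain name or name* pattern; a version-qualified pattern such as sudo-1.9* is not caught by this matcher and still must not appear. The configuration files it runs on are constructed samples.

```sh
#!/bin/sh
# Added example, not part of checkmate: check every exclude= line in a yum
# configuration against the check_yum_conf list. Patterns are matched as shell
# globs against bare package names; version-qualified patterns are not detected.

PROTECTED='BESAgent coreutils dracut ds_agent epops-agent facter firewalld gpg-pubkey grub2 gugent hiera iptables iputils kernel openssl-libs open-vm-tools pam passwd puppet SCCMS-checkmate splunkforwarder sudo VMware-Log-Insight-Agent vmware-vra-software-agent-service'

# check_yum_excludes: stdin = /etc/yum.conf or a .repo file. Prints one line per
# protected package hit by an exclude pattern and returns 1 if any.
check_yum_excludes() {
    bad=0
    # one pattern per line; yum accepts space- or comma-separated patterns
    patterns=$(awk -F= 'tolower($1) ~ /^[ \t]*exclude[ \t]*$/ {
                            n = split($2, p, /[ \t,]+/)
                            for (i = 1; i <= n; i++) if (p[i] != "") print p[i] }')
    # read -r keeps globs like kernel* literal; they are only used as case patterns
    while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        if [ "$pat" = '*' ]; then
            echo "EXCLUDE '*' disables patching entirely"; bad=1; continue
        fi
        for rpm in $PROTECTED; do
            case "$rpm" in
                $pat) echo "EXCLUDE '$pat' matches protected package $rpm"; bad=1 ;;
            esac
        done
    done <<EOF
$patterns
EOF
    return $bad
}

# Constructed samples: a harmless exclude and two offending ones.
SAMPLE_OK='[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
exclude=mysql-community* postgresql1[0-9]*
installonly_limit=3'

SAMPLE_BAD='[main]
exclude=kernel*, open-vm-tools
[customer-repo]
name=Customer repo (constructed)
baseurl=https://repo.example.com/rhel
exclude=*'

printf '%s\n' "$SAMPLE_OK"  | check_yum_excludes && echo "sample_ok: no protected package excluded"
printf '%s\n' "$SAMPLE_BAD" | check_yum_excludes || echo "sample_bad: see findings above"
# On the VM itself:  cat /etc/yum.conf /etc/yum.repos.d/*.repo | check_yum_excludes
```

Exclusions live in /etc/yum.conf and in every file under /etc/yum.repos.d, so check all of them; an exclude in a repo file is just as effective as one in [main].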

t-tec-aut-b-1

Ensure information about last logon is displayed on login.

t-tec-aut-b-3

Ensure login banner is configured.

t-tec-aut-b-4

Ensure the shell timeouts after 30 minutes.

t-tec-bgk-b-7

Ensure a secure PATH variable for the user root. No dots in the PATH variable for user root are allowed.

t-tec-bgk-b-10

Ensure time synchronisation is enabled and running.

t-tec-bgk-b-14

Ensure security limits are present.

t-tec-bgk-b-17

Ensure user data is protected (user home, ssh and mail directories are not world accessible).

t-tec-bnk-b-2

Ensure the network stack is hardened as specified in the configuration file.

t-tec-del-b-1

Ensure the command line utility dd is available.

t-tec-enc-b-1

Ensure OpenSSH is installed and running and passwords are hashed in /etc/shadow using a secure algorithm.

t-tec-fil-b-1

Ensure iptables service is installed and enabled for RHEL 7 and RHEL 8. Ensure nftables service is installed and enabled for RHEL 9.

t-tec-log-b-2

Ensure the following events are logged: Logins and login attempts, system messages, permission changes (user mods, visudos), administrative actions, SSH messages.

t-tec-pfs-b-4

Ensure the system requires a password on emergency boot and for the single user mode.

t-tec-sof-b-2

Ensure software is integrity-checked.

t-tec-sof-b-3

Ensure the system is set to use the English language.

t-tec-uam-b-1

Ensure accounts are locked after five unsuccessful login attempts.
