From 860ac44b87eb1f5c99cfa83c9b75ca2d1dab1bcd Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 4 Aug 2021 12:08:22 +0200
Subject: [PATCH] Update RHEL8 STIG files to V1R3.
---
products/rhel7/profiles/stig.profile | 6 +-
products/rhel8/profiles/stig.profile | 6 +-
products/rhel8/profiles/stig_gui.profile | 6 +-
... => disa-stig-rhel7-v3r4-xccdf-manual.xml} | 295 ++-
... => disa-stig-rhel8-v1r3-xccdf-manual.xml} | 1586 ++++++++++-------
.../data/profile_stability/rhel8/stig.profile | 2 +-
.../profile_stability/rhel8/stig_gui.profile | 2 +-
7 files changed, 1068 insertions(+), 835 deletions(-)
rename shared/references/{disa-stig-rhel7-v3r3-xccdf-manual.xml => disa-stig-rhel7-v3r4-xccdf-manual.xml} (88%)
rename shared/references/{disa-stig-rhel8-v1r2-xccdf-manual.xml => disa-stig-rhel8-v1r3-xccdf-manual.xml} (78%)
diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
index 78133180ecc..f5761c891f2 100644
--- a/products/rhel7/profiles/stig.profile
+++ b/products/rhel7/profiles/stig.profile
@@ -1,9 +1,9 @@
documentation_complete: true
metadata:
- version: V3R3
+ version: V3R4
SMEs:
- - carlosmmatos
+ - ggbecker
reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
@@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 7'
description: |-
This profile contains configuration checks that align to the
- DISA STIG for Red Hat Enterprise Linux V3R3.
+ DISA STIG for Red Hat Enterprise Linux V3R4.
In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this
configuration baseline as applicable to the operating system tier of
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index ec0a3b17537..504e57f6c32 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -1,9 +1,9 @@
documentation_complete: true
metadata:
- version: V1R2
+ version: V1R3
SMEs:
- - carlosmmatos
+ - ggbecker
reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
@@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8'
description: |-
This profile contains configuration checks that align to the
- DISA STIG for Red Hat Enterprise Linux 8 V1R2.
+ DISA STIG for Red Hat Enterprise Linux 8 V1R3.
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
configuration baseline as applicable to the operating system tier of
diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile
index ff9a2833df8..0fdd755652e 100644
--- a/products/rhel8/profiles/stig_gui.profile
+++ b/products/rhel8/profiles/stig_gui.profile
@@ -1,9 +1,9 @@
documentation_complete: true
metadata:
- version: V1R2
+ version: V1R3
SMEs:
- - carlosmmatos
+ - ggbecker
reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
@@ -11,7 +11,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8'
description: |-
This profile contains configuration checks that align to the
- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R2.
+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R3.
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
configuration baseline as applicable to the operating system tier of
diff --git a/shared/references/disa-stig-rhel7-v3r3-xccdf-manual.xml b/shared/references/disa-stig-rhel7-v3r4-xccdf-manual.xml
similarity index 88%
rename from shared/references/disa-stig-rhel7-v3r3-xccdf-manual.xml
rename to shared/references/disa-stig-rhel7-v3r4-xccdf-manual.xml
index f0e75ac1da9..1130d365144 100644
--- a/shared/references/disa-stig-rhel7-v3r3-xccdf-manual.xml
+++ b/shared/references/disa-stig-rhel7-v3r4-xccdf-manual.xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="RHEL_7_STIG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2021-03-01">accepted</status><title>Red Hat Enterprise Linux 7 Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 3 Benchmark Date: 23 Apr 2021</plain-text><plain-text id="generator">3.2.2.36079</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>3</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description><ProfileDescription></ProfileDescription></description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select 
idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="
+<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="RHEL_7_STIG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2021-06-14">accepted</status><title>Red Hat Enterprise Linux 7 Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 4 Benchmark Date: 23 Jul 2021</plain-text><plain-text id="generator">3.2.2.36079</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>3</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description><ProfileDescription></ProfileDescription></description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select 
idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="
Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71849</ident><ident system="http://cyber.mil/legacy">SV-86473</ident><ident system="http://cyber.mil/cci">CCI-001494</ident><ident system="http://cyber.mil/cci">CCI-001496</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><ident system="http://cyber.mil/cci">CCI-002235</ident><fixtext fixref="F-36302r646840_fix">Run the following command to determine which package owns the file:
@@ -924,37 +924,22 @@ Check that the operating system requires authentication upon booting into single
ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
-If "ExecStart" does not have "/usr/sbin/sulogin" as an option, this is a finding.</check-content></check></Rule></Group><Group id="V-204438"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204438r603261_rule" weight="10.0" severity="high"><version>RHEL-07-010482</version><title>Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.</title><description><VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-95717</ident><ident system="http://cyber.mil/legacy">V-81005</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4562r88507_fix">Configure the system to encrypt the boot password for root.
+If "ExecStart" does not have "/usr/sbin/sulogin" as an option, this is a finding.</check-content></check></Rule></Group><Group id="V-204438"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204438r744095_rule" weight="10.0" severity="high"><version>RHEL-07-010482</version><title>Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.</title><description><VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-95717</ident><ident system="http://cyber.mil/legacy">V-81005</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4562r744094_fix">Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/grub2/user.cfg file.
-Generate an encrypted grub2 password for root with the following command:
-
-Note: The hash generated is an example.
+Generate an encrypted grub2 password for the grub superusers account with the following command:
-# grub2-setpassword
+$ sudo grub2-setpassword
Enter password:
-Confirm password:
-
-Edit the /boot/grub2/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
-
-set superusers="root"
-export superusers</fixtext><fix id="F-4562r88507_fix" /><check system="C-4562r88506_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>For systems that use UEFI, this is Not Applicable.
+Confirm password:</fixtext><fix id="F-4562r744094_fix" /><check system="C-4562r744093_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>For systems that use UEFI, this is Not Applicable.
For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.
-Check to see if an encrypted root password is set. On systems that use a BIOS, use the following command:
+Check to see if an encrypted grub superusers password is set. On systems that use a BIOS, use the following command:
-# grep -iw grub2_password /boot/grub2/user.cfg
+$ sudo grep -iw grub2_password /boot/grub2/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]
-If the root password does not begin with "grub.pbkdf2.sha512", this is a finding.
-
-Verify that the "root" account is set as the "superusers":
-
-# grep -iw "superusers" /boot/grub2/grub.cfg
- set superusers="root"
- export superusers
-
-If "superusers" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-204439"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204439r603261_rule" weight="10.0" severity="high"><version>RHEL-07-010490</version><title>Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.</title><description><VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71963</ident><ident system="http://cyber.mil/legacy">SV-86587</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4563r88510_fix">Configure the system to encrypt the boot password for root.
+If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.</check-content></check></Rule></Group><Group id="V-204439"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204439r603261_rule" weight="10.0" severity="high"><version>RHEL-07-010490</version><title>Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.</title><description><VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71963</ident><ident system="http://cyber.mil/legacy">SV-86587</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4563r88510_fix">Configure the system to encrypt the boot password for root.
Generate an encrypted grub2 password for root with the following command:
@@ -988,37 +973,22 @@ password_pbkdf2 [superusers-account] [password-hash]
If the root password entry does not begin with "password_pbkdf2", this is a finding.
-If the "superusers-account" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-204440"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204440r603261_rule" weight="10.0" severity="high"><version>RHEL-07-010491</version><title>Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.</title><description><VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-95719</ident><ident system="http://cyber.mil/legacy">V-81007</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4564r88513_fix">Configure the system to encrypt the boot password for root.
+If the "superusers-account" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-204440"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204440r744098_rule" weight="10.0" severity="high"><version>RHEL-07-010491</version><title>Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.</title><description><VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-95719</ident><ident system="http://cyber.mil/legacy">V-81007</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4564r744097_fix">Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.
-Generate an encrypted grub2 password for root with the following command:
+Generate an encrypted grub2 password for the grub superusers account with the following command:
-Note: The hash generated is an example.
-
-# grub2-setpassword
+$ sudo grub2-setpassword
Enter password:
-Confirm password:
-
-Edit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
-
-set superusers="root"
-export superusers</fixtext><fix id="F-4564r88513_fix" /><check system="C-4564r88512_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>For systems that use BIOS, this is Not Applicable.
+Confirm password:</fixtext><fix id="F-4564r744097_fix" /><check system="C-4564r744096_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>For systems that use BIOS, this is Not Applicable.
For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.
-Check to see if an encrypted root password is set. On systems that use UEFI, use the following command:
+Check to see if an encrypted grub superusers password is set. On systems that use UEFI, use the following command:
-# grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg
+$ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]
-If the root password does not begin with "grub.pbkdf2.sha512", this is a finding.
-
-Verify that the "root" account is set as the "superusers":
-
-# grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
- set superusers="root"
- export superusers
-
-If "superusers" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-204441"><title>SRG-OS-000104-GPOS-00051</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204441r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010500</version><title>The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.</title><description><VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
+If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.</check-content></check></Rule></Group><Group id="V-204441"><title>SRG-OS-000104-GPOS-00051</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204441r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010500</version><title>The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.</title><description><VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following:
@@ -1073,9 +1043,9 @@ Check to see if the "ypserve" package is installed with the following command:
|
|||
|
|
|||
|
# yum list installed ypserv
|
|||
|
|
|||
|
-If the "ypserv" package is installed, this is a finding.</check-content></check></Rule></Group><Group id="V-204444"><title>SRG-OS-000324-GPOS-00125</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204444r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020020</version><title>The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.</title><description><VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
|
|||
|
+If the "ypserv" package is installed, this is a finding.</check-content></check></Rule></Group><Group id="V-204444"><title>SRG-OS-000324-GPOS-00125</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204444r754744_rule" weight="10.0" severity="medium"><version>RHEL-07-020020</version><title>The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.</title><description><VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
|
|||
|
|
|||
|
-Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86595</ident><ident system="http://cyber.mil/legacy">V-71971</ident><ident system="http://cyber.mil/cci">CCI-002235</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><fixtext fixref="F-4568r462535_fix">Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
|
|||
|
+Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86595</ident><ident system="http://cyber.mil/legacy">V-71971</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><ident system="http://cyber.mil/cci">CCI-002235</ident><fixtext fixref="F-4568r462535_fix">Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
|
|||
|
|
|||
|
Use the following command to map a new user to the "sysadm_u" role:
|
|||
|
|
|||
|
@@ -1099,7 +1069,7 @@ Use the following command to map a new user to the "user_u" role:
|
|||
|
|
|||
|
Use the following command to map an existing user to the "user_u" role:
|
|||
|
|
|||
|
-# semanage login -m -s user_u <username></fixtext><fix id="F-4568r462535_fix" /><check system="C-4568r462534_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Note: Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required.
|
|||
|
+# semanage login -m -s user_u <username></fixtext><fix id="F-4568r462535_fix" /><check system="C-4568r754743_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Note: Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in conjunction with SELinux.
|
|||
|
|
|||
|
Verify the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
|
|||
|
|
|||
|
@@ -1215,7 +1185,7 @@ If "localpkg_gpgcheck" is not set to "1", or if options are missing or commented
|
|||
|
|
|||
|
If there is no process to validate the signatures of local packages that is approved by the organization, this is a finding.</check-content></check></Rule></Group><Group id="V-204449"><title>SRG-OS-000114-GPOS-00059</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204449r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020100</version><title>The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.</title><description><VulnDiscussion>USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.
|
|||
|
|
|||
|
-Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86607</ident><ident system="http://cyber.mil/legacy">V-71983</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><ident system="http://cyber.mil/cci">CCI-000778</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4573r462538_fix">Configure the operating system to disable the ability to use the USB Storage kernel module.
|
|||
|
+Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86607</ident><ident system="http://cyber.mil/legacy">V-71983</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><ident system="http://cyber.mil/cci">CCI-000778</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><fixtext fixref="F-4573r462538_fix">Configure the operating system to disable the ability to use the USB Storage kernel module.
|
|||
|
|
|||
|
Create a file under "/etc/modprobe.d" with the following command:
|
|||
|
|
|||
|
@@ -1280,7 +1250,7 @@ blacklist dccp
|
|||
|
|
|||
|
If the command does not return any output or the output is not "blacklist dccp", and use of the dccp kernel module is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204451"><title>SRG-OS-000114-GPOS-00059</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204451r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020110</version><title>The Red Hat Enterprise Linux operating system must disable the file system automounter unless required.</title><description><VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
|
|||
|
|
|||
|
-Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71985</ident><ident system="http://cyber.mil/legacy">SV-86609</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><ident system="http://cyber.mil/cci">CCI-000778</ident><fixtext fixref="F-4575r88546_fix">Configure the operating system to disable the ability to automount devices.
|
|||
|
+Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71985</ident><ident system="http://cyber.mil/legacy">SV-86609</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><ident system="http://cyber.mil/cci">CCI-000778</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><fixtext fixref="F-4575r88546_fix">Configure the operating system to disable the ability to automount devices.
|
|||
|
|
|||
|
Turn off the automount service with the following commands:
|
|||
|
|
|||
|
@@ -1307,15 +1277,15 @@ Check if yum is configured to remove unneeded packages with the following comman
|
|||
|
# grep -i clean_requirements_on_remove /etc/yum.conf
|
|||
|
clean_requirements_on_remove=1
|
|||
|
|
|||
|
-If "clean_requirements_on_remove" is not set to "1", "True", or "yes", or is not set in "/etc/yum.conf", this is a finding.</check-content></check></Rule></Group><Group id="V-204453"><title>SRG-OS-000445-GPOS-00199</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204453r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020210</version><title>The Red Hat Enterprise Linux operating system must enable SELinux.</title><description><VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
|
|||
|
+If "clean_requirements_on_remove" is not set to "1", "True", or "yes", or is not set in "/etc/yum.conf", this is a finding.</check-content></check></Rule></Group><Group id="V-204453"><title>SRG-OS-000445-GPOS-00199</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204453r754746_rule" weight="10.0" severity="medium"><version>RHEL-07-020210</version><title>The Red Hat Enterprise Linux operating system must enable SELinux.</title><description><VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
|
|||
|
|
|||
|
-This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71989</ident><ident system="http://cyber.mil/legacy">SV-86613</ident><ident system="http://cyber.mil/cci">CCI-002696</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><fixtext fixref="F-36306r602628_fix">Configure the operating system to verify correct operation of all security functions.
|
|||
|
+This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71989</ident><ident system="http://cyber.mil/legacy">SV-86613</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><ident system="http://cyber.mil/cci">CCI-002696</ident><fixtext fixref="F-36306r602628_fix">Configure the operating system to verify correct operation of all security functions.
|
|||
|
|
|||
|
Set the "SELinux" status and the "Enforcing" mode by modifying the "/etc/selinux/config" file to have the following line:
|
|||
|
|
|||
|
SELINUX=enforcing
|
|||
|
|
|||
|
-A reboot is required for the changes to take effect.</fixtext><fix id="F-36306r602628_fix" /><check system="C-36343r602627_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required.
|
|||
|
+A reboot is required for the changes to take effect.</fixtext><fix id="F-36306r602628_fix" /><check system="C-36343r754745_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in conjunction with SELinux.
|
|||
|
|
|||
|
Verify the operating system verifies correct operation of all security functions.
|
|||
|
|
|||
|
@@ -1324,7 +1294,7 @@ Check if "SELinux" is active and in "Enforcing" mode with the following command:
|
|||
|
# getenforce
|
|||
|
Enforcing
|
|||
|
|
|||
|
-If "SELinux" is not active and not in "Enforcing" mode, this is a finding.</check-content></check></Rule></Group><Group id="V-204454"><title>SRG-OS-000445-GPOS-00199</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204454r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020220</version><title>The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.</title><description><VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
|
|||
|
+If "SELinux" is not active and not in "Enforcing" mode, this is a finding.</check-content></check></Rule></Group><Group id="V-204454"><title>SRG-OS-000445-GPOS-00199</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204454r754748_rule" weight="10.0" severity="medium"><version>RHEL-07-020220</version><title>The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.</title><description><VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
|
|||
|
|
|||
|
This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71991</ident><ident system="http://cyber.mil/legacy">SV-86615</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><ident system="http://cyber.mil/cci">CCI-002696</ident><fixtext fixref="F-36307r602631_fix">Configure the operating system to verify correct operation of all security functions.
|
|||
|
|
|||
|
@@ -1332,7 +1302,7 @@ Set the "SELinuxtype" to the "targeted" policy by modifying the "/etc/selinux/co
|
|||
|
|
|||
|
SELINUXTYPE=targeted
|
|||
|
|
|||
|
-A reboot is required for the changes to take effect.</fixtext><fix id="F-36307r602631_fix" /><check system="C-36344r602630_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required.
|
|||
|
+A reboot is required for the changes to take effect.</fixtext><fix id="F-36307r602631_fix" /><check system="C-36344r754747_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in conjunction with SELinux.
|
|||
|
|
|||
|
Verify the operating system verifies correct operation of all security functions.
|
|||
|
|
|||
|
@@ -1410,23 +1380,21 @@ Note: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs"
|
|||
|
# grep -i umask /etc/login.defs
|
|||
|
UMASK 077
|
|||
|
|
|||
|
-If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204458"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204458r603261_rule" weight="10.0" severity="high"><version>RHEL-07-020250</version><title>The Red Hat Enterprise Linux operating system must be a vendor supported release.</title><description><VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
|
|||
|
+If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204458"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204458r744100_rule" weight="10.0" severity="high"><version>RHEL-07-020250</version><title>The Red Hat Enterprise Linux operating system must be a vendor supported release.</title><description><VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
|
|||
|
|
|||
|
-Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. RHEL 7.7 marks the final minor release that EUS will be available.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86621</ident><ident system="http://cyber.mil/legacy">V-71997</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4582r462547_fix">Upgrade to a supported version of the operating system.</fixtext><fix id="F-4582r462547_fix" /><check system="C-4582r462546_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the version of the operating system is vendor supported.
|
|||
|
+Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. RHEL 7.7 marks the final minor release that EUS will be available, while 7.9 is the final minor release overall.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86621</ident><ident system="http://cyber.mil/legacy">V-71997</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4582r462547_fix">Upgrade to a supported version of the operating system.</fixtext><fix id="F-4582r462547_fix" /><check system="C-4582r744099_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the version of the operating system is vendor supported.
|
|||
|
|
|||
|
Check the version of the operating system with the following command:
|
|||
|
|
|||
|
# cat /etc/redhat-release
|
|||
|
|
|||
|
-Red Hat Enterprise Linux Server release 7.4 (Maipo)
|
|||
|
+Red Hat Enterprise Linux Server release 7.9 (Maipo)
|
|||
|
|
|||
|
-Current End of Extended Update Support for RHEL 7.6 is 31 October 2020.
|
|||
|
+Current End of Extended Update Support for RHEL 7.6 is 31 May 2021.
|
|||
|
|
|||
|
-Current End of Extended Update Support for RHEL 7.7 is 31 August 2021.
|
|||
|
+Current End of Extended Update Support for RHEL 7.7 is 30 August 2021.
|
|||
|
|
|||
|
-Current End of Maintenance Support for RHEL 7.8 is 31 October 2020.
|
|||
|
-
|
|||
|
-Current End of Maintenance Support for RHEL 7.9 is 30 April 2021.
|
|||
|
+Current End of Maintenance Support for RHEL 7.9 is 30 June 2024.
|
|||
|
|
|||
|
If the release is not supported by the vendor, this is a finding.</check-content></check></Rule></Group><Group id="V-204459"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204459r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020260</version><title>The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.</title><description><VulnDiscussion>Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. 
The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86623</ident><ident system="http://cyber.mil/legacy">V-71999</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4583r88570_fix">Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.</fixtext><fix id="F-4583r88570_fix" /><check system="C-4583r88569_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO).
|
|||
|
|
|||
|
@@ -1560,11 +1528,11 @@ Check the home directory assignment for all local interactive users on the syste
-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj
-If any home directories referenced in "/etc/passwd" are not owned by the interactive user, this is a finding.</check-content></check></Rule></Group><Group id="V-204470"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204470r603832_rule" weight="10.0" severity="medium"><version>RHEL-07-020650</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.</title><description><VulnDiscussion>If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86645</ident><ident system="http://cyber.mil/legacy">V-72021</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4594r88603_fix">Change the group owner of a local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command:
+If any home directories referenced in "/etc/passwd" are not owned by the interactive user, this is a finding.</check-content></check></Rule></Group><Group id="V-204470"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204470r744102_rule" weight="10.0" severity="medium"><version>RHEL-07-020650</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.</title><description><VulnDiscussion>If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86645</ident><ident system="http://cyber.mil/legacy">V-72021</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4594r88603_fix">Change the group owner of a local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command:
Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users.
-# chgrp users /home/smithj</fixtext><fix id="F-4594r88603_fix" /><check system="C-4594r622295_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the assigned home directory of all local interactive users is group-owned by that user's primary GID.
+# chgrp users /home/smithj</fixtext><fix id="F-4594r88603_fix" /><check system="C-4594r744101_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the assigned home directory of all local interactive users is group-owned by that user's primary GID.
Check the home directory assignment for all local interactive users on the system with the following command:
@@ -1574,26 +1542,26 @@ Check the home directory assignment for all local interactive users on the syste
Check the user's primary group with the following command:
-# grep users /etc/group
+# grep $(grep smithj /etc/passwd | awk -F: ‘{print $4}’) /etc/group
users:x:250:smithj,jonesj,jacksons
-If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.</check-content></check></Rule></Group><Group id="V-204471"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204471r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020660</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory.</title><description><VulnDiscussion>If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86647</ident><ident system="http://cyber.mil/legacy">V-72023</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4595r88606_fix">Change the owner of a local interactive user's files and directories to that owner. To change the owner of a local interactive user's files and directories, use the following command:
+If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.</check-content></check></Rule></Group><Group id="V-204471"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204471r744105_rule" weight="10.0" severity="medium"><version>RHEL-07-020660</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner.</title><description><VulnDiscussion>Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86647</ident><ident system="http://cyber.mil/legacy">V-72023</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4595r744104_fix">Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on RHEL 7 with the "chown" command:
Note: The example will be for the user smithj, who has a home directory of "/home/smithj".
-# chown smithj /home/smithj/<file or directory></fixtext><fix id="F-4595r88606_fix" /><check system="C-4595r88605_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify all files and directories in a local interactive user's home directory are owned by the user.
+$ sudo chown smithj /home/smithj/<file or directory></fixtext><fix id="F-4595r744104_fix" /><check system="C-4595r744103_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify all files and directories in a local interactive user's home directory have a valid owner.
Check the owner of all files and directories in a local interactive user's home directory with the following command:
Note: The example will be for the user "smithj", who has a home directory of "/home/smithj".
-# ls -lLR /home/smithj
+$ sudo ls -lLR /home/smithj
-rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1
-rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2
-rw-r--r-- 1 smithj smithj 231 Mar 5 17:06 file3
-If any files are found with an owner different than the home directory user, this is a finding.</check-content></check></Rule></Group><Group id="V-204472"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204472r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020670</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.</title><description><VulnDiscussion>If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72025</ident><ident system="http://cyber.mil/legacy">SV-86649</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4596r88609_fix">Change the group of a local interactive user's files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user's files and directories, use the following command:
+If any files or directories are found without an owner, this is a finding.</check-content></check></Rule></Group><Group id="V-204472"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204472r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020670</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.</title><description><VulnDiscussion>If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72025</ident><ident system="http://cyber.mil/legacy">SV-86649</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4596r88609_fix">Change the group of a local interactive user's files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user's files and directories, use the following command:
Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group.
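Review bot: The new check command in the V-204470 check-content, `# grep $(grep smithj /etc/passwd | awk -F: ‘{print $4}’) /etc/group`, is written with typographic quotes (U+2018/U+2019) rather than ASCII single quotes, so pasted into a shell the awk program is unquoted, `$4` is expanded by the shell to an empty string and awk exits with a syntax error; both greps are also unanchored substring matches, so a GID of 25 matches group 250 and `smithj` matches any passwd line containing that text. This XML is DISA's published reference and cannot be corrected in this repository, but any OCIL question or rule description derived from it should use an anchored form such as `getent group "$(getent passwd smithj | cut -d: -f4)"`. The V-204471 rewrite in the same hunk also relaxes the requirement from "owned by the home-directory user" to "has a valid owner", and its `sudo ls -lLR /home/smithj` follows symlinks, so a link pointing outside the home directory reports its target's owner rather than the link's own; the derived rule text presumably needs a caveat on both points, which I cannot confirm from this diff.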
@@ -1722,7 +1690,7 @@ Note: The example will be for a system that is configured to create users' home
# grep <file> /home/*/.*
-If any local initialization files are found to reference world-writable files, this is a finding.</check-content></check></Rule></Group><Group id="V-204479"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204479r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020900</version><title>The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.</title><description><VulnDiscussion>If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86663</ident><ident system="http://cyber.mil/legacy">V-72039</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><fixtext fixref="F-4603r88630_fix">Run the following command to determine which package owns the device file:
+If any local initialization files are found to reference world-writable files, this is a finding.</check-content></check></Rule></Group><Group id="V-204479"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204479r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020900</version><title>The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.</title><description><VulnDiscussion>If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86663</ident><ident system="http://cyber.mil/legacy">V-72039</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><fixtext fixref="F-4603r88630_fix">Run the following command to determine which package owns the device file:
# rpm -qf <filename>
@@ -1814,13 +1782,13 @@ Verify "/dev/shm" is mounted with the "nodev", "nosuid", and "noexec" options:
tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)
-If /dev/shm is mounted without secure options "nodev", "nosuid", and "noexec", this is a finding.</check-content></check></Rule></Group><Group id="V-204487"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204487r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-021030</version><title>The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.</title><description><VulnDiscussion>If a world-writable directory has the sticky bit set and is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others.
+If /dev/shm is mounted without secure options "nodev", "nosuid", and "noexec", this is a finding.</check-content></check></Rule></Group><Group id="V-204487"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204487r744106_rule" weight="10.0" severity="medium"><version>RHEL-07-021030</version><title>The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.</title><description><VulnDiscussion>If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others.
The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72047</ident><ident system="http://cyber.mil/legacy">SV-86671</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-36308r602634_fix">All directories in local partitions which are world-writable should be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this should be investigated. Following this, the directories should be deleted or assigned to an appropriate group.</fixtext><fix id="F-36308r602634_fix" /><check system="C-36345r602633_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>The following command will discover and print world-writable directories that are not group-owned by a system account, assuming only system accounts have a GID lower than 1000. Run it once for each local partition [PART]:
# find [PART] -xdev -type d -perm -0002 -gid +999 -print
-If there is output, this is a finding.</check-content></check></Rule></Group><Group id="V-204488"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204488r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-021040</version><title>The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.</title><description><VulnDiscussion>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72049</ident><ident system="http://cyber.mil/legacy">SV-86673</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><fixtext fixref="F-4612r88657_fix">Remove the umask statement from all local interactive user's 
initialization files.
+If there is output, this is a finding.</check-content></check></Rule></Group><Group id="V-204488"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204488r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-021040</version><title>The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.</title><description><VulnDiscussion>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72049</ident><ident system="http://cyber.mil/legacy">SV-86673</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><fixtext fixref="F-4612r88657_fix">Remove the umask statement from all local interactive user's 
initialization files.
If the account is for an application, the requirement for a umask less restrictive than "077" can be documented with the Information System Security Officer, but the user agreement for access to the account must specify that the local interactive user must log on to their account first and then switch the user to the application account with the correct option to gain the account's environment variables.</fixtext><fix id="F-4612r88657_fix" /><check system="C-4612r88656_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that the default umask for all local interactive users is "077".
@@ -1832,16 +1800,19 @@ Note: The example is for a system that is configured to create users home direct
# grep -i umask /home/*/.*
-If any local interactive user initialization files are found to have a umask statement that has a value less restrictive than "077", this is a finding.</check-content></check></Rule></Group><Group id="V-204489"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204489r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-021100</version><title>The Red Hat Enterprise Linux operating system must have cron logging implemented.</title><description><VulnDiscussion>Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72051</ident><ident system="http://cyber.mil/legacy">SV-86675</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4613r88660_fix">Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the /etc/rsyslog.d/ directory:
+If any local interactive user initialization files are found to have a umask statement that has a value less restrictive than "077", this is a finding.</check-content></check></Rule></Group><Group id="V-204489"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204489r744109_rule" weight="10.0" severity="medium"><version>RHEL-07-021100</version><title>The Red Hat Enterprise Linux operating system must have cron logging implemented.</title><description><VulnDiscussion>Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72051</ident><ident system="http://cyber.mil/legacy">SV-86675</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4613r744108_fix">Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the /etc/rsyslog.d/ directory:
-cron.* /var/log/cron.log</fixtext><fix id="F-4613r88660_fix" /><check system="C-4613r88659_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that "rsyslog" is configured to log cron events.
+cron.* /var/log/cron
+
+The rsyslog daemon must be restarted for the changes to take effect:
+$ sudo systemctl restart rsyslog.service</fixtext><fix id="F-4613r744108_fix" /><check system="C-4613r744107_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that "rsyslog" is configured to log cron events.
Check the configuration of "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files for the cron facility with the following command:
Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files.
# grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf
-cron.* /var/log/cron.log
+cron.* /var/log/cron
If the command does not return a response, check for cron logging all facilities by inspecting the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files.
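Review bot: The unchanged check in the V-204489 check-content, `# grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf`, matches commented-out entries such as `#cron.* /var/log/cron` and any line merely containing the word "cron", so a disabled or misconfigured selector still produces output and passes the manual check; an anchored pattern, `grep -E '^[[:space:]]*cron\.\*' /etc/rsyslog.conf /etc/rsyslog.d/*.conf`, would only match a live selector. The added restart step, `$ sudo systemctl restart rsyslog.service`, is correct and was previously missing. The expected destination changes from `/var/log/cron.log` to `/var/log/cron` in both fix and check text, so the project's own cron-logging remediation and its test expectations presumably need to follow, which this commit does not show. Since this file is the vendor reference, the anchoring fix belongs in the derived rule content and upstream with DISA rather than here.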
@@ -1940,7 +1911,7 @@ UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp ext4 rw,relatime,discard,data
If "tmp.mount" service is not enabled or the "/tmp" directory is not defined in the fstab with a device and mount point, this is a finding. </check-content></check></Rule></Group><Group id="V-204497"><title>SRG-OS-000033-GPOS-00014</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204497r603261_rule" weight="10.0" severity="high"><version>RHEL-07-021350</version><title>The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.</title><description><VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
-Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86691</ident><ident system="http://cyber.mil/legacy">V-72067</ident><ident system="http://cyber.mil/cci">CCI-001199</ident><ident system="http://cyber.mil/cci">CCI-000068</ident><ident system="http://cyber.mil/cci">CCI-002450</ident><ident system="http://cyber.mil/cci">CCI-002476</ident><fixtext fixref="F-36310r602640_fix">Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package.
+Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86691</ident><ident system="http://cyber.mil/legacy">V-72067</ident><ident system="http://cyber.mil/cci">CCI-000068</ident><ident system="http://cyber.mil/cci">CCI-001199</ident><ident system="http://cyber.mil/cci">CCI-002450</ident><ident system="http://cyber.mil/cci">CCI-002476</ident><fixtext fixref="F-36310r602640_fix">Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package.
To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.
@@ -2097,7 +2068,7 @@ All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
/bin All # apply the custom rule to the files in bin
/sbin All # apply the same custom rule to the files in sbin
-If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2 approved cryptographic hashes for validating file contents and directories, this is a finding.</check-content></check></Rule></Group><Group id="V-204501"><title>SRG-OS-000364-GPOS-00151</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204501r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-021700</version><title>The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.</title><description><VulnDiscussion>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86699</ident><ident system="http://cyber.mil/legacy">V-72075</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><fixtext fixref="F-4625r88696_fix">Remove 
alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.</fixtext><fix id="F-4625r88696_fix" /><check system="C-4625r88695_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system is not configured to use a boot loader on removable media.
+If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2 approved cryptographic hashes for validating file contents and directories, this is a finding.</check-content></check></Rule></Group><Group id="V-204501"><title>SRG-OS-000364-GPOS-00151</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204501r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-021700</version><title>The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.</title><description><VulnDiscussion>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86699</ident><ident system="http://cyber.mil/legacy">V-72075</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><fixtext fixref="F-4625r88696_fix">Remove 
alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.</fixtext><fix id="F-4625r88696_fix" /><check system="C-4625r88695_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system is not configured to use a boot loader on removable media.
Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines.
@@ -2314,37 +2285,21 @@ network_failure_action = syslog
If the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate the action taken if there is an error sending audit records to the remote system.
-If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action if there is an error sending audit records to the remote system, this is a finding.</check-content></check></Rule></Group><Group id="V-204513"><title>SRG-OS-000343-GPOS-00134</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204513r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030330</version><title>The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.</title><description><VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72089</ident><ident system="http://cyber.mil/legacy">SV-86713</ident><ident system="http://cyber.mil/cci">CCI-001855</ident><fixtext fixref="F-4637r88732_fix">Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the 
repository maximum audit record storage capacity.
-
-Check the system configuration to determine the partition the audit records are being written to:
+If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action if there is an error sending audit records to the remote system, this is a finding.</check-content></check></Rule></Group><Group id="V-204513"><title>SRG-OS-000343-GPOS-00134</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204513r744112_rule" weight="10.0" severity="medium"><version>RHEL-07-030330</version><title>The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.</title><description><VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72089</ident><ident system="http://cyber.mil/legacy">SV-86713</ident><ident system="http://cyber.mil/cci">CCI-001855</ident><fixtext fixref="F-4637r744111_fix">Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the 
repository maximum audit record storage capacity.
-# grep -iw log_file /etc/audit/auditd.conf
-
-Determine the size of the partition that audit records are written to (with the example being "/var/log/audit/"):
-
-# df -h /var/log/audit/
-
-Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25 percent of the partition size.</fixtext><fix id="F-4637r88732_fix" /><check system="C-4637r88731_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system initiates an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
+Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25 percent of the partition size.
+space_left = 25%
+Reload the auditd daemon to apply changes made to the "/etc/audit/auditd.conf" file.</fixtext><fix id="F-4637r744111_fix" /><check system="C-4637r744110_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system initiates an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
Check the system configuration to determine the partition the audit records are being written to with the following command:
-# grep -iw log_file /etc/audit/auditd.conf
+$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
-Check the size of the partition that audit records are written to (with the example being "/var/log/audit/"):
-
-# df -h /var/log/audit/
-0.9G /var/log/audit
-
-If the audit records are not being written to a partition specifically created for audit records (in this example "/var/log/audit" is a separate partition), determine the amount of space other files in the partition are currently occupying with the following command:
-
-# du -sh <partition>
-1.8G /var
-
Determine what the threshold is for the system to take action when 75 percent of the repository maximum audit record storage capacity is reached:
-# grep -iw space_left /etc/audit/auditd.conf
-space_left = 225
+$ sudo grep -iw space_left /etc/audit/auditd.conf
+space_left = 25%
If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.</check-content></check></Rule></Group><Group id="V-204514"><title>SRG-OS-000343-GPOS-00134</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204514r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030340</version><title>The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.</title><description><VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72091</ident><ident system="http://cyber.mil/legacy">SV-86715</ident><ident system="http://cyber.mil/cci">CCI-001855</ident><fixtext fixref="F-4638r88735_fix">Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.
@@ -2395,7 +2350,7 @@ Audit records can be generated from various components within the information sy
When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86721</ident><ident system="http://cyber.mil/legacy">V-72097</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><fixtext fixref="F-4641r462559_fix">Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86721</ident><ident system="http://cyber.mil/legacy">V-72097</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4641r462559_fix">Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -k perm_mod
@@ -2993,7 +2948,7 @@ If the command does not return any output, this is a finding.</check-content></c
Audit records can be generated from various components within the information system (e.g., module or policy filter).
-Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72145</ident><ident system="http://cyber.mil/legacy">SV-86769</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4664r88813_fix">Configure the operating system to generate audit records when unsuccessful account access events occur.
+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72145</ident><ident system="http://cyber.mil/legacy">SV-86769</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4664r88813_fix">Configure the operating system to generate audit records when unsuccessful account access events occur.
Add or update the following rule in "/etc/audit/rules.d/audit.rules":
@@ -3031,7 +2986,7 @@ At a minimum, the organization must audit the full-text recording of privileged
When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86773</ident><ident system="http://cyber.mil/legacy">V-72149</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4666r462625_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur.
+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86773</ident><ident system="http://cyber.mil/legacy">V-72149</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4666r462625_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur.
Add or update the following rule in "/etc/audit/rules.d/audit.rules":
@@ -3071,7 +3026,7 @@ At a minimum, the organization must audit the full-text recording of privileged
When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86777</ident><ident system="http://cyber.mil/legacy">V-72153</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4668r462631_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur.
+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86777</ident><ident system="http://cyber.mil/legacy">V-72153</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4668r462631_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur.
Add or update the following rule in "/etc/audit/rules.d/audit.rules":
@@ -3111,7 +3066,7 @@ At a minimum, the organization must audit the full-text recording of privileged
When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86781</ident><ident system="http://cyber.mil/legacy">V-72157</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4670r462637_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur.
+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86781</ident><ident system="http://cyber.mil/legacy">V-72157</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4670r462637_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur.
Add or update the following rule in "/etc/audit/rules.d/audit.rules":
@@ -3131,7 +3086,7 @@ At a minimum, the organization must audit the full-text recording of privileged
When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86783</ident><ident system="http://cyber.mil/legacy">V-72159</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000130</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4671r462640_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur.
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86783</ident><ident system="http://cyber.mil/legacy">V-72159</ident><ident system="http://cyber.mil/cci">CCI-000130</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4671r462640_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur.
Add or update the following rule in "/etc/audit/rules.d/audit.rules":
@@ -3169,7 +3124,7 @@ If the command does not return any output, this is a finding.</check-content></c
At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
-Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72163</ident><ident system="http://cyber.mil/legacy">SV-86787</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000130</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4673r88840_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory.
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72163</ident><ident system="http://cyber.mil/legacy">SV-86787</ident><ident system="http://cyber.mil/cci">CCI-000130</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4673r88840_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory.
Add or update the following rule in "/etc/audit/rules.d/audit.rules":
@@ -3215,7 +3170,7 @@ At a minimum, the organization must audit the full-text recording of privileged
When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86791</ident><ident system="http://cyber.mil/legacy">V-72167</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000130</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4675r462649_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur.
+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86791</ident><ident system="http://cyber.mil/legacy">V-72167</ident><ident system="http://cyber.mil/cci">CCI-000130</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4675r462649_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur.
Add or update the following rule in "/etc/audit/rules.d/audit.rules":
@@ -3341,7 +3296,7 @@ At a minimum, the organization must audit the full-text recording of privileged
When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86807</ident><ident system="http://cyber.mil/legacy">V-72183</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4681r462667_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur.
+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86807</ident><ident system="http://cyber.mil/legacy">V-72183</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4681r462667_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur.
Add or update the following rule in "/etc/audit/rules.d/audit.rules":
@@ -3483,7 +3438,7 @@ If the command does not return any output, this is a finding.</check-content></c
Audit records can be generated from various components within the information system (e.g., module or policy filter).
-Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72197</ident><ident system="http://cyber.mil/legacy">SV-86821</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><fixtext fixref="F-4688r88885_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
+Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86821</ident><ident system="http://cyber.mil/legacy">V-72197</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><fixtext fixref="F-4688r88885_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
Add or update the following rule "/etc/audit/rules.d/audit.rules":
@@ -3499,7 +3454,7 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204565"><title>SRG-OS-000004-GPOS-00004</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204565r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030871</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-73165</ident><ident system="http://cyber.mil/legacy">SV-87817</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><fixtext fixref="F-4689r88888_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87817</ident><ident system="http://cyber.mil/legacy">V-73165</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><fixtext fixref="F-4689r88888_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".
Add or update the following rule in "/etc/audit/rules.d/audit.rules":
@@ -3515,7 +3470,7 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204566"><title>SRG-OS-000004-GPOS-00004</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204566r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030872</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-73167</ident><ident system="http://cyber.mil/legacy">SV-87819</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><fixtext fixref="F-4690r88891_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87819</ident><ident system="http://cyber.mil/legacy">V-73167</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><fixtext fixref="F-4690r88891_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".
Add or update the following rule in "/etc/audit/rules.d/audit.rules":
@@ -3531,7 +3486,7 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204567"><title>SRG-OS-000004-GPOS-00004</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204567r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030873</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-73171</ident><ident system="http://cyber.mil/legacy">SV-87823</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><fixtext fixref="F-4691r88894_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87823</ident><ident system="http://cyber.mil/legacy">V-73171</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><fixtext fixref="F-4691r88894_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
Add or update the following file system rule in "/etc/audit/rules.d/audit.rules":
@@ -3545,16 +3500,16 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
-w /etc/shadow -p wa -k identity
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204568"><title>SRG-OS-000004-GPOS-00004</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204568r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030874</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204568"><title>SRG-OS-000004-GPOS-00004</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204568r744115_rule" weight="10.0" severity="medium"><version>RHEL-07-030874</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87825</ident><ident system="http://cyber.mil/legacy">V-73173</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><fixtext fixref="F-4692r88897_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87825</ident><ident system="http://cyber.mil/legacy">V-73173</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><fixtext fixref="F-4692r744114_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
Add or update the following file system rule in "/etc/audit/rules.d/audit.rules":
-w /etc/security/opasswd -p wa -k identity
The audit daemon must be restarted for the changes to take effect:
-# systemctl restart auditd</fixtext><fix id="F-4692r88897_fix" /><check system="C-4692r88896_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
+# systemctl restart auditd</fixtext><fix id="F-4692r744114_fix" /><check system="C-4692r744113_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
Check the auditing rules in "/etc/audit/audit.rules" with the following command:
@@ -3686,7 +3641,7 @@ If there are no lines in the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" file
|
|||
|
|
|||
|
If the lines are commented out or there is no evidence that the audit logs are being sent to another system, this is a finding.</check-content></check></Rule></Group><Group id="V-204575"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204575r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-031010</version><title>The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.</title><description><VulnDiscussion>Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of Service.
|
|||
|
|
|||
|
-If the system is intended to be a log aggregation server its use must be documented with the ISSO.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86835</ident><ident system="http://cyber.mil/legacy">V-72211</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><fixtext fixref="F-4699r88918_fix">Modify the "/etc/rsyslog.conf" file to remove the "ModLoad imtcp", "ModLoad imudp", and "ModLoad imrelp" configuration lines, or document the system as being used for log aggregation.</fixtext><fix id="F-4699r88918_fix" /><check system="C-4699r88917_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that the system is not accepting "rsyslog" messages from other systems unless it is documented as a log aggregation server.
|
|||
|
+If the system is intended to be a log aggregation server its use must be documented with the ISSO.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86835</ident><ident system="http://cyber.mil/legacy">V-72211</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><fixtext fixref="F-4699r88918_fix">Modify the "/etc/rsyslog.conf" file to remove the "ModLoad imtcp", "ModLoad imudp", and "ModLoad imrelp" configuration lines, or document the system as being used for log aggregation.</fixtext><fix id="F-4699r88918_fix" /><check system="C-4699r88917_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that the system is not accepting "rsyslog" messages from other systems unless it is documented as a log aggregation server.
|
|||
|
|
|||
|
Check the configuration of "rsyslog" with the following command:
|
|||
|
|
|||
|
@@ -3736,15 +3691,15 @@ public (default, active)
|
|||
|
|
|||
|
Ask the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA.
|
|||
|
|
|||
|
-If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.</check-content></check></Rule></Group><Group id="V-204578"><title>SRG-OS-000033-GPOS-00014</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204578r603843_rule" weight="10.0" severity="medium"><version>RHEL-07-040110</version><title>The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.</title><description><VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
|
|||
|
+If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.</check-content></check></Rule></Group><Group id="V-204578"><title>SRG-OS-000033-GPOS-00014</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204578r744116_rule" weight="10.0" severity="medium"><version>RHEL-07-040110</version><title>The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.</title><description><VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
|
|||
|
|
|||
|
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
|
|||
|
|
|||
|
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.
|
|||
|
|
|||
|
-By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections.
|
|||
|
+The system will attempt to use the first cipher presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest cipher available to secure the SSH connection.
|
|||
|
|
|||
|
-Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72221</ident><ident system="http://cyber.mil/legacy">SV-86845</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><ident system="http://cyber.mil/cci">CCI-000803</ident><ident system="http://cyber.mil/cci">CCI-000068</ident><fixtext fixref="F-4702r622306_fix">Configure SSH to use FIPS 140-2 approved cryptographic algorithms.
|
|||
|
+Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72221</ident><ident system="http://cyber.mil/legacy">SV-86845</ident><ident system="http://cyber.mil/cci">CCI-000068</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><ident system="http://cyber.mil/cci">CCI-000803</ident><fixtext fixref="F-4702r622306_fix">Configure SSH to use FIPS 140-2 approved cryptographic algorithms.
|
|||
|
|
|||
|
Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).
|
|||
|
|
|||
|
@@ -3797,7 +3752,7 @@ By using this IS (which includes any device attached to this IS), you consent to
|
|||
|
|
|||
|
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
|
|||
|
|
|||
|
-Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007 , SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72225</ident><ident system="http://cyber.mil/legacy">SV-86849</ident><ident system="http://cyber.mil/cci">CCI-001384</ident><ident system="http://cyber.mil/cci">CCI-001385</ident><ident system="http://cyber.mil/cci">CCI-001386</ident><ident system="http://cyber.mil/cci">CCI-001387</ident><ident system="http://cyber.mil/cci">CCI-001388</ident><ident system="http://cyber.mil/cci">CCI-000048</ident><ident system="http://cyber.mil/cci">CCI-000050</ident><fixtext fixref="F-4704r297486_fix">Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh.
|
|||
|
+Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007 , SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72225</ident><ident system="http://cyber.mil/legacy">SV-86849</ident><ident system="http://cyber.mil/cci">CCI-000048</ident><ident system="http://cyber.mil/cci">CCI-000050</ident><ident system="http://cyber.mil/cci">CCI-001384</ident><ident system="http://cyber.mil/cci">CCI-001385</ident><ident system="http://cyber.mil/cci">CCI-001386</ident><ident system="http://cyber.mil/cci">CCI-001387</ident><ident system="http://cyber.mil/cci">CCI-001388</ident><fixtext fixref="F-4704r297486_fix">Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh.
|
|||
|
|
|||
|
Edit the "/etc/ssh/sshd_config" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is:
|
|||
|
|
|||
|
@@ -3978,7 +3933,7 @@ This requirement applies to both internal and external networks and all types of
|
|||
|
|
|||
|
Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.
|
|||
|
|
|||
|
-Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86857</ident><ident system="http://cyber.mil/legacy">V-72233</ident><ident system="http://cyber.mil/cci">CCI-002422</ident><ident system="http://cyber.mil/cci">CCI-002418</ident><ident system="http://cyber.mil/cci">CCI-002420</ident><ident system="http://cyber.mil/cci">CCI-002421</ident><fixtext fixref="F-4709r88948_fix">Install SSH packages onto the host with the following commands:
|
|||
|
+Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86857</ident><ident system="http://cyber.mil/legacy">V-72233</ident><ident system="http://cyber.mil/cci">CCI-002418</ident><ident system="http://cyber.mil/cci">CCI-002420</ident><ident system="http://cyber.mil/cci">CCI-002421</ident><ident system="http://cyber.mil/cci">CCI-002422</ident><fixtext fixref="F-4709r88948_fix">Install SSH packages onto the host with the following commands:
|
|||
|
|
|||
|
# yum install openssh-server.x86_64</fixtext><fix id="F-4709r88948_fix" /><check system="C-4709r88947_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Check to see if sshd is installed with the following command:
|
|||
|
|
|||
|
@@ -3993,7 +3948,7 @@ This requirement applies to both internal and external networks and all types of
|
|||
|
|
|||
|
Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.
|
|||
|
|
|||
|
-Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS-000423-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86859</ident><ident system="http://cyber.mil/legacy">V-72235</ident><ident system="http://cyber.mil/cci">CCI-002421</ident><ident system="http://cyber.mil/cci">CCI-002422</ident><ident system="http://cyber.mil/cci">CCI-002418</ident><ident system="http://cyber.mil/cci">CCI-002420</ident><fixtext fixref="F-4710r88951_fix">Configure the SSH service to automatically start after reboot with the following command:
|
|||
|
+Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS-000423-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86859</ident><ident system="http://cyber.mil/legacy">V-72235</ident><ident system="http://cyber.mil/cci">CCI-002418</ident><ident system="http://cyber.mil/cci">CCI-002420</ident><ident system="http://cyber.mil/cci">CCI-002421</ident><ident system="http://cyber.mil/cci">CCI-002422</ident><fixtext fixref="F-4710r88951_fix">Configure the SSH service to automatically start after reboot with the following command:
|
|||
|
|
|||
|
# systemctl enable sshd.service</fixtext><fix id="F-4710r88951_fix" /><check system="C-4710r88950_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify SSH is loaded and active with the following command:
|
|||
|
|
|||
|
@@ -4115,7 +4070,7 @@ IgnoreUserKnownHosts yes
|
|||
|
|
|||
|
If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-204594"><title>SRG-OS-000074-GPOS-00042</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204594r603261_rule" weight="10.0" severity="high"><version>RHEL-07-040390</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.</title><description><VulnDiscussion>SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.
|
|||
|
|
|||
|
-Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86875</ident><ident system="http://cyber.mil/legacy">V-72251</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><ident system="http://cyber.mil/cci">CCI-000197</ident><fixtext fixref="F-4718r88975_fix">Remove all Protocol lines that reference version "1" in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The "Protocol" line must be as follows:
|
|||
|
+Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86875</ident><ident system="http://cyber.mil/legacy">V-72251</ident><ident system="http://cyber.mil/cci">CCI-000197</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4718r88975_fix">Remove all Protocol lines that reference version "1" in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The "Protocol" line must be as follows:
|
|||
|
|
|||
|
Protocol 2
|
|||
|
|
|||
|
@@ -4133,9 +4088,9 @@ Check that the SSH daemon is configured to only use the SSHv2 protocol with the
|
|||
|
Protocol 2
|
|||
|
#Protocol 1,2
|
|||
|
|
|||
|
-If any protocol line other than "Protocol 2" is uncommented, this is a finding.</check-content></check></Rule></Group><Group id="V-204595"><title>SRG-OS-000250-GPOS-00093</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204595r603846_rule" weight="10.0" severity="medium"><version>RHEL-07-040400</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.</title><description><VulnDiscussion>DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA.
|
|||
|
+If any protocol line other than "Protocol 2" is uncommented, this is a finding.</check-content></check></Rule></Group><Group id="V-204595"><title>SRG-OS-000250-GPOS-00093</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204595r744117_rule" weight="10.0" severity="medium"><version>RHEL-07-040400</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.</title><description><VulnDiscussion>DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA.
|
|||
|
|
|||
|
-By specifying a hash algorithm list with the order of hashes being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest hash for securing SSH connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86877</ident><ident system="http://cyber.mil/legacy">V-72253</ident><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-4719r622309_fix">Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-512" and/or "hmac-sha2-256" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
|
|||
|
+The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86877</ident><ident system="http://cyber.mil/legacy">V-72253</ident><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-4719r622309_fix">Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-512" and/or "hmac-sha2-256" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
|
|||
|
|
|||
|
MACs hmac-sha2-512,hmac-sha2-256
|
|||
|
|
|||
|
@@ -4177,7 +4132,7 @@ The following command will find all SSH private key files on the system and list
|
|||
|
-rw-r----- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key
|
|||
|
-rw-r----- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key
|
|||
|
|
|||
|
-If any file has a mode more permissive than "0640", this is a finding.</check-content></check></Rule></Group><Group id="V-204598"><title>SRG-OS-000364-GPOS-00151</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204598r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040430</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.</title><description><VulnDiscussion>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72259</ident><ident system="http://cyber.mil/legacy">SV-86883</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><fixtext fixref="F-4722r88987_fix">Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be 
in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no":
|
|||
|
+If any file has a mode more permissive than "0640", this is a finding.</check-content></check></Rule></Group><Group id="V-204598"><title>SRG-OS-000364-GPOS-00151</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204598r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040430</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.</title><description><VulnDiscussion>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72259</ident><ident system="http://cyber.mil/legacy">SV-86883</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><fixtext fixref="F-4722r88987_fix">Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be 
in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no":
|
|||
|
|
|||
|
GSSAPIAuthentication no
|
|||
|
|
|||
|
@@ -4190,7 +4145,7 @@ Check that the SSH daemon does not permit GSSAPI authentication with the followi
# grep -i gssapiauth /etc/ssh/sshd_config
GSSAPIAuthentication no
-If the "GSSAPIAuthentication" keyword is missing, is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204599"><title>SRG-OS-000364-GPOS-00151</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204599r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040440</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.</title><description><VulnDiscussion>Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72261</ident><ident system="http://cyber.mil/legacy">SV-86885</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident 
system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><fixtext fixref="F-4723r88990_fix">Uncomment the "KerberosAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no":
+If the "GSSAPIAuthentication" keyword is missing, is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204599"><title>SRG-OS-000364-GPOS-00151</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204599r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040440</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.</title><description><VulnDiscussion>Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72261</ident><ident system="http://cyber.mil/legacy">SV-86885</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident 
system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><fixtext fixref="F-4723r88990_fix">Uncomment the "KerberosAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no":
KerberosAuthentication no
@@ -4603,7 +4558,7 @@ Check to see if an FTP server has been installed with the following commands:
vsftpd-3.0.2.el7.x86_64.rpm
-If "vsftpd" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204621"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204621r603261_rule" weight="10.0" severity="high"><version>RHEL-07-040700</version><title>The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.</title><description><VulnDiscussion>If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86925</ident><ident system="http://cyber.mil/legacy">V-72301</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><fixtext fixref="F-4745r89056_fix">Remove the TFTP package from the system with the following command:
+If "vsftpd" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204621"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-204621r603261_rule" weight="10.0" severity="high"><version>RHEL-07-040700</version><title>The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.</title><description><VulnDiscussion>If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86925</ident><ident system="http://cyber.mil/legacy">V-72301</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><fixtext fixref="F-4745r89056_fix">Remove the TFTP package from the system with the following command:
# yum remove tftp-server</fixtext><fix id="F-4745r89056_fix" /><check system="C-4745r89055_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify a TFTP server has not been installed on the system.
@@ -4798,7 +4753,7 @@ Remote access is access to DoD nonpublic information systems by an authorized us
This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).
-Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87041</ident><ident system="http://cyber.mil/legacy">V-72417</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><ident system="http://cyber.mil/cci">CCI-001948</ident><fixtext fixref="F-4755r462473_fix">Configure the operating system to implement multifactor authentication by installing the required packages.
+Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87041</ident><ident system="http://cyber.mil/legacy">V-72417</ident><ident system="http://cyber.mil/cci">CCI-001948</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><fixtext fixref="F-4755r462473_fix">Configure the operating system to implement multifactor authentication by installing the required packages.
Install the pam_pkcs11 package with the following command:
@@ -4819,7 +4774,7 @@ Remote access is access to DoD nonpublic information systems by an authorized us
This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).
-Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72427</ident><ident system="http://cyber.mil/legacy">SV-87051</ident><ident system="http://cyber.mil/cci">CCI-001948</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><fixtext fixref="F-4756r89089_fix">Configure the operating system to implement multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM).
+Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72427</ident><ident system="http://cyber.mil/legacy">SV-87051</ident><ident system="http://cyber.mil/cci">CCI-001948</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><fixtext fixref="F-4756r89089_fix">Configure the operating system to implement multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM).
Modify all of the services lines in "/etc/sssd/sssd.conf" or in configuration files found under "/etc/sssd/conf.d" to include pam.</fixtext><fix id="F-4756r89089_fix" /><check system="C-4756r89088_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system implements multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM).
@@ -4839,7 +4794,7 @@ Remote access is access to DoD nonpublic information systems by an authorized us
This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).
-Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72433</ident><ident system="http://cyber.mil/legacy">SV-87057</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><ident system="http://cyber.mil/cci">CCI-001948</ident><fixtext fixref="F-4757r89092_fix">Configure the operating system to do certificate status checking for PKI authentication.
+Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72433</ident><ident system="http://cyber.mil/legacy">SV-87057</ident><ident system="http://cyber.mil/cci">CCI-001948</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><fixtext fixref="F-4757r89092_fix">Configure the operating system to do certificate status checking for PKI authentication.
Modify all of the "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on".</fixtext><fix id="F-4757r89092_fix" /><check system="C-4757r89091_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system implements certificate status checking for PKI authentication.
@@ -4887,30 +4842,20 @@ Note: System configuration files (indicated by a "c" in the second column) are e
# rpm -Va --noconfig | grep '^..5'
-If there is any output from the command for system files or binaries, this is a finding.</check-content></check></Rule></Group><Group id="V-214800"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-214800r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020019</version><title>The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed.</title><description><VulnDiscussion>Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-92255</ident><ident system="http://cyber.mil/legacy">SV-102357</ident><ident system="http://cyber.mil/cci">CCI-001263</ident><fixtext fixref="F-36317r602660_fix">Install and enable the latest McAfee HIPS package or McAfee ENSL.</fixtext><fix id="F-36317r602660_fix" /><check system="C-16000r462531_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host 
Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS.
+If there is any output from the command for system files or binaries, this is a finding.</check-content></check></Rule></Group><Group id="V-214800"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-214800r754751_rule" weight="10.0" severity="medium"><version>RHEL-07-020019</version><title>The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool.</title><description><VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-92255</ident><ident system="http://cyber.mil/legacy">SV-102357</ident><ident system="http://cyber.mil/cci">CCI-001263</ident><fixtext fixref="F-36317r754750_fix">Install and enable the latest McAfee ENSLTP package.</fixtext><fix id="F-36317r754750_fix" /><check system="C-16000r754749_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for 
Linux (ENSL) in conjunction with SELinux.
Procedure:
-Examine the system to determine if the Host Intrusion Prevention System (HIPS) is installed:
-
-# rpm -qa | grep MFEhiplsm
-
-Verify that the McAfee HIPS module is active on the system:
+Check that the following package has been installed:
-# ps -ef | grep -i “hipclient”
+# rpm -qa | grep -i mcafeetp
-If the MFEhiplsm package is not installed, check for another intrusion detection system:
+If the "mcafeetp" package is not installed, this is a finding.
-# find / -name <daemon name>
+Verify that the daemon is running:
-Where <daemon name> is the name of the primary application daemon to determine if the application is loaded on the system.
+# ps -ef | grep -i mfetpd
-Determine if the application is active on the system:
-
-# ps -ef | grep -i <daemon name>
-
-If the MFEhiplsm package is not installed and an alternate host-based intrusion detection application has not been documented for use, this is a finding.
-
-If no host-based intrusion detection system is installed and running on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-214801"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-214801r603261_rule" weight="10.0" severity="high"><version>RHEL-07-032000</version><title>The Red Hat Enterprise Linux operating system must use a virus scan program.</title><description><VulnDiscussion>Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems.
+If the daemon is not running, this is a finding.</check-content></check></Rule></Group><Group id="V-214801"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-214801r603261_rule" weight="10.0" severity="high"><version>RHEL-07-032000</version><title>The Red Hat Enterprise Linux operating system must use a virus scan program.</title><description><VulnDiscussion>Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems.
The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis.
@@ -4951,7 +4896,7 @@ Note: The example below is using the database "local" for the system, so the pat
If the command does not return a result, this is a finding.
</check-content></check></Rule></Group><Group id="V-219059"><title>SRG-OS-000114-GPOS-00059</title><description><GroupDescription></GroupDescription></description><Rule id="SV-219059r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020111</version><title>The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.</title><description><VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
-Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-100023</ident><ident system="http://cyber.mil/legacy">SV-109127</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><ident system="http://cyber.mil/cci">CCI-000778</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-36318r602663_fix">Configure the graphical user interface to disable the ability to automount devices.
+Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-100023</ident><ident system="http://cyber.mil/legacy">SV-109127</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><ident system="http://cyber.mil/cci">CCI-000778</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><fixtext fixref="F-36318r602663_fix">Configure the graphical user interface to disable the ability to automount devices.
Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
@@ -5001,19 +4946,19 @@ If the output does not match the example above, this is a finding.
|
|||
|
|
|||
|
/org/gnome/desktop/media-handling/autorun-never
|
|||
|
|
|||
|
-If the output does not match the example, this is a finding.</check-content></check></Rule></Group><Group id="V-228563"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-228563r606406_rule" weight="10.0" severity="medium"><version>RHEL-07-021031</version><title>The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.</title><description><VulnDiscussion>If a world-writable directory has the sticky bit set and is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others.
|
|||
|
-
|
|||
|
-The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-19547r377220_fix">All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.</fixtext><fix id="F-19547r377220_fix" /><check system="C-36355r622432_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>The following command will discover and print world-writable directories that are not owned by a system account, assuming only system accounts have a UID lower than 1000. Run it once for each local partition [PART]:
|
|||
|
-
|
|||
|
-# find [PART] -xdev -type d -perm -0002 -uid +999 -print
|
|||
|
-
|
|||
|
+If the output does not match the example, this is a finding.</check-content></check></Rule></Group><Group id="V-228563"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-228563r744119_rule" weight="10.0" severity="medium"><version>RHEL-07-021031</version><title>The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.</title><description><VulnDiscussion>If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others.
|
|||
|
+
|
|||
|
+The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-19547r377220_fix">All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.</fixtext><fix id="F-19547r377220_fix" /><check system="C-36355r744118_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>The following command will discover and print world-writable directories that are not owned by a system account, assuming only system accounts have a UID lower than 1000. Run it once for each local partition [PART]:
|
|||
|
+
|
|||
|
+# find [PART] -xdev -type d -perm -0002 -uid +999 -print
|
|||
|
+
|
|||
|
If there is output, this is a finding.</check-content></check></Rule></Group><Group id="V-228564"><title>SRG-OS-000057-GPOS-00027</title><description><GroupDescription></GroupDescription></description><Rule id="SV-228564r606407_rule" weight="10.0" severity="medium"><version>RHEL-07-910055</version><title>The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion.</title><description><VulnDiscussion>If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
|
|||
|
|
|||
|
To ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification.
|
|||
|
|
|||
|
Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.
|
|||
|
|
|||
|
-Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001314</ident><ident system="http://cyber.mil/cci">CCI-000162</ident><ident system="http://cyber.mil/cci">CCI-000163</ident><ident system="http://cyber.mil/cci">CCI-000164</ident><fixtext fixref="F-23603r419770_fix">Change the mode of the audit log files with the following command:
|
|||
|
+Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000162</ident><ident system="http://cyber.mil/cci">CCI-000163</ident><ident system="http://cyber.mil/cci">CCI-000164</ident><ident system="http://cyber.mil/cci">CCI-001314</ident><fixtext fixref="F-23603r419770_fix">Change the mode of the audit log files with the following command:
|
|||
|
|
|||
|
# chmod 0600 [audit_file]
|
|||
|
|
|||
|
@@ -5080,4 +5025,36 @@ Note: The "[value]" must be a number that is greater than or equal to "0".</fixt
|
|||
|
$ sudo grep -i 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/*
|
|||
|
/etc/sudoers:Defaults timestamp_timout=0
|
|||
|
|
|||
|
-If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.</check-content></check></Rule></Group></Benchmark>
|
|||
|
\ No newline at end of file
|
|||
|
+If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-244557"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244557r744063_rule" weight="10.0" severity="medium"><version>RHEL-07-010483</version><title>Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.</title><description><VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-47789r744062_fix">Configure the system to have a unique name for the grub superusers account.
|
|||
|
+
|
|||
|
+Edit the /boot/grub2/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
|
|||
|
+
|
|||
|
+set superusers="[someuniquestringhere]"
|
|||
|
+export superusers
|
|||
|
+password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}</fixtext><fix id="F-47789r744062_fix" /><check system="C-47832r744061_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>For systems that use UEFI, this is Not Applicable.
|
|||
|
+
|
|||
|
+For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.
|
|||
|
+
|
|||
|
+Verify that a unique name is set as the "superusers" account:
|
|||
|
+
|
|||
|
+# grep -iw "superusers" /boot/grub2/grub.cfg
|
|||
|
+ set superusers="[someuniquestringhere]"
|
|||
|
+ export superusers
|
|||
|
+
|
|||
|
+If "superusers" is not set to a unique name or is missing a name, this is a finding.</check-content></check></Rule></Group><Group id="V-244558"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244558r744066_rule" weight="10.0" severity="medium"><version>RHEL-07-010492</version><title>Red Hat Enterprise Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.</title><description><VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-47790r744065_fix">Configure the system to have a unique name for the grub superusers account.
|
|||
|
+
|
|||
|
+Edit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
|
|||
|
+
|
|||
|
+set superusers="[someuniquestringhere]"
|
|||
|
+export superusers
|
|||
|
+password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}</fixtext><fix id="F-47790r744065_fix" /><check system="C-47833r744064_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>For systems that use BIOS, this is Not Applicable.
|
|||
|
+
|
|||
|
+For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.
|
|||
|
+
|
|||
|
+Verify that a unique name is set as the "superusers" account:
|
|||
|
+
|
|||
|
+$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
|
|||
|
+ set superusers="[someuniquestringhere]"
|
|||
|
+ export superusers
|
|||
|
+
|
|||
|
+If "superusers" is not set to a unique name or is missing a name, this is a finding.</check-content></check></Rule></Group></Benchmark>
|
|||
|
\ No newline at end of file
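Review bot: The fix text of the two new GRUB rules (RHEL-07-010483 and RHEL-07-010492) tells the administrator to edit /boot/grub2/grub.cfg or /boot/efi/EFI/redhat/grub.cfg directly, yet the section header it quotes, `### BEGIN /etc/grub.d/01_users ###`, shows that block is generated from /etc/grub.d/01_users, so a hand edit of grub.cfg is presumably overwritten the next time the config is regenerated (e.g. on a kernel update) and the renamed superusers account silently reverts. If the project derives its remediation from this text, the name should be set in /etc/grub.d/01_users and grub.cfg regenerated, with the check run against the regenerated file. The check itself only greps for `superusers`, so it accepts a `set superusers="..."` line that has no matching `password_pbkdf2 [name] ...` entry, which is exactly the unauthenticated state the rule is meant to prevent; a practitioner's check should also confirm the password line for that name. These are DISA-authored lines in a vendored reference file, so the caveat belongs in the project's rule and remediation rather than in this file.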
|
|||
|
diff --git a/shared/references/disa-stig-rhel8-v1r2-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v1r3-xccdf-manual.xml
|
|||
|
similarity index 78%
|
|||
|
rename from shared/references/disa-stig-rhel8-v1r2-xccdf-manual.xml
|
|||
|
rename to shared/references/disa-stig-rhel8-v1r3-xccdf-manual.xml
|
|||
|
index 1a6d105ee2b..abff501bb0e 100644
|
|||
|
--- a/shared/references/disa-stig-rhel8-v1r2-xccdf-manual.xml
|
|||
|
+++ b/shared/references/disa-stig-rhel8-v1r3-xccdf-manual.xml
|
|||
|
@@ -1,28 +1,30 @@
|
|||
|
-<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="RHEL_8_STIG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2021-03-04">accepted</status><title>Red Hat Enterprise Linux 8 Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 2 Benchmark Date: 23 Apr 2021</plain-text><plain-text id="generator">3.2.2.36079</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>1</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230242" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select 
idref="V-230250" selected="true" /><select idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="
|
|||
|
+<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="RHEL_8_STIG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2021-06-14">accepted</status><title>Red Hat Enterprise Linux 8 Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 3 Benchmark Date: 23 Jul 2021</plain-text><plain-text id="generator">3.2.2.36079</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>1</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230242" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select 
idref="V-230250" selected="true" /><select idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="
|
|||
|
|
|||
|
-Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32865r567410_fix">Upgrade to a supported version of RHEL 8.</fixtext><fix id="F-32865r567410_fix" /><check system="C-32890r567409_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the version of the operating system is vendor supported.
|
|||
|
+Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32865r567410_fix">Upgrade to a supported version of RHEL 8.</fixtext><fix id="F-32865r567410_fix" /><check system="C-32890r743912_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the version of the operating system is vendor supported.
|
|||
|
|
|||
|
Check the version of the operating system with the following command:
|
|||
|
|
|||
|
$ sudo cat /etc/redhat-release
|
|||
|
|
|||
|
-Red Hat Enterprise Linux Server release 8.1 (Ootpa)
|
|||
|
+Red Hat Enterprise Linux Server release 8.4 (Ootpa)
|
|||
|
|
|||
|
-Current End of Maintenance Support for RHEL 8.1 is 30 April 2020.
|
|||
|
+Current End of Extended Update Support for RHEL 8.1 is 30 November 2021.
|
|||
|
|
|||
|
-Current End of Maintenance Support for RHEL 8.2 is 30 November 2020.
|
|||
|
+Current End of Extended Update Support for RHEL 8.2 is 30 April 2022.
|
|||
|
|
|||
|
-Current End of Maintenance Support for RHEL 8.3 is 30 April 2021.
|
|||
|
-
|
|||
|
-Current End of Maintenance Support for RHEL 8.4 is 30 November 2021.
|
|||
|
+Current End of Extended Update Support for RHEL 8.4 is 30 April 2023.
|
|||
|
|
|||
|
Current End of Maintenance Support for RHEL 8.5 is 30 April 2022.
|
|||
|
|
|||
|
-Current End of Maintenance Support for RHEL 8.6 is 30 November 2022.
|
|||
|
+Current End of Extended Update Support for RHEL 8.6 is 30 April 2024.
|
|||
|
|
|||
|
Current End of Maintenance Support for RHEL 8.7 is 30 April 2023.
|
|||
|
|
|||
|
-Current End of Maintenance Support for RHEL 8.8 is 30 November 2023.
|
|||
|
+Current End of Extended Update Support for RHEL 8.8 is 30 April 2025.
|
|||
|
+
|
|||
|
+Current End of Maintenance Support for RHEL 8.9 is 30 April 2024.
|
|||
|
+
|
|||
|
+Current End of Maintenance Support for RHEL 8.10 is 31 May 2029.
|
|||
|
|
|||
|
If the release is not supported by the vendor, this is a finding.</check-content></check></Rule></Group><Group id="V-230222"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230222r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010010</version><title>RHEL 8 vendor packaged system security patches and updates must be installed and up to date.</title><description><VulnDiscussion>Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. 
The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32866r567413_fix">Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.</fixtext><fix id="F-32866r567413_fix" /><check system="C-32891r567412_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO).
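Review bot: The updated support table under "Verify the version of the operating system is vendor supported" now quotes "End of Extended Update Support" dates for 8.1, 8.2, 8.4, 8.6 and 8.8, but the only command in the check is `cat /etc/redhat-release`, which cannot tell whether the host actually carries the EUS add-on that the VulnDiscussion says is sold separately; an 8.1 or 8.2 host without an EUS entitlement is past its maintenance-support end yet would read as supported against this table. Anyone automating this check should pair the release string with evidence of the EUS stream (such as the EUS repositories or release lock being enabled) before applying the later date. Separately, the example output `Red Hat Enterprise Linux Server release 8.4 (Ootpa)` looks like the RHEL 7 wording; on RHEL 8 the file presumably reads `Red Hat Enterprise Linux release 8.4 (Ootpa)` without "Server", so a literal match on the example would fail — worth confirming on a real host. Both points are in vendored DISA text, so any fix belongs in the project's rule, not in this reference file.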
|
|||
|
|
|||
|
@@ -168,7 +170,7 @@ View the file specified by the banner keyword to check that it matches the text
|
|||
|
|
|||
|
If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.
|
|||
|
|
|||
|
-If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.</check-content></check></Rule></Group><Group id="V-230226"><title>SRG-OS-000023-GPOS-00006</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230226r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010050</version><title>RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.</title><description><VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
|
|||
|
+If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.</check-content></check></Rule></Group><Group id="V-230226"><title>SRG-OS-000023-GPOS-00006</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230226r743916_rule" weight="10.0" severity="medium"><version>RHEL-08-010050</version><title>RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.</title><description><VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
|
|||
|
|
|||
|
System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
|
|||
|
|
|||
|
@@ -188,38 +190,22 @@ By using this IS (which includes any device attached to this IS), you consent to
|
|||
|
|
|||
|
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
|
|||
|
|
|||
|
-Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000048</ident><fixtext fixref="F-32870r567425_fix">Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
|
|||
|
+Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000048</ident><fixtext fixref="F-32870r743915_fix">Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
|
|||
|
|
|||
|
Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable.
|
|||
|
|
|||
|
-Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:
|
|||
|
-
|
|||
|
-$ sudo touch /etc/dconf/db/local.d/01-banner-message
|
|||
|
-
|
|||
|
Add the following lines to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message":
|
|||
|
|
|||
|
-[org/gnome/login-screen]
|
|||
|
-
|
|||
|
-banner-message-enable=true
|
|||
|
-
|
|||
|
banner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '
|
|||
|
|
|||
|
Note: The "\n " characters are for formatting only. They will not be displayed on the graphical interface.
|
|||
|
|
|||
|
Run the following command to update the database:
|
|||
|
|
|||
|
-$ sudo dconf update</fixtext><fix id="F-32870r567425_fix" /><check system="C-32895r567424_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.
|
|||
|
+$ sudo dconf update</fixtext><fix id="F-32870r743915_fix" /><check system="C-32895r743914_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.
|
|||
|
|
|||
|
Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
|
|||
|
|
|||
|
-Check to see if the operating system displays a banner at the logon screen with the following command:
|
|||
|
-
|
|||
|
-$ sudo grep banner-message-enable /etc/dconf/db/local.d/*
|
|||
|
-
|
|||
|
-banner-message-enable=true
|
|||
|
-
|
|||
|
-If "banner-message-enable" is set to "false" or is missing, this is a finding.
|
|||
|
-
|
|||
|
Check that the operating system displays the exact Standard Mandatory DoD Notice and Consent Banner text with the command:
|
|||
|
|
|||
|
$ sudo grep banner-message-text /etc/dconf/db/local.d/*
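Review bot: The V1R3 check text for RHEL-08-010050 (SV-230226r743916_rule) no longer verifies `banner-message-enable`, and the fix text no longer lists the `[org/gnome/login-screen]` header or `banner-message-enable=true` line, so a host with the correct `banner-message-text` but the banner switched off now satisfies the manual check even though nothing is displayed at logon. Nothing here is wrong as an import of the published XCCDF, but if the rhel8 stig/stig_gui profiles map a "banner enabled" rule to this STIG ID, the diffstat suggests only the profile version strings changed, so it is worth confirming that keeping the enablement rule selected (stricter than DISA's check) is intended and recording that decision in the profile description. The enclosing Rule element for V-230226 starts and ends outside this hunk.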
|
|||
|
@@ -372,105 +358,71 @@ $ sudo cut -d: -f2 /etc/shadow
|
|||
|
|
|||
|
$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/
|
|||
|
|
|||
|
-Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with "$6$", this is a finding.</check-content></check></Rule></Group><Group id="V-230233"><title>SRG-OS-000073-GPOS-00041</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230233r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010130</version><title>RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords.</title><description><VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.
|
|||
|
+Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with "$6$", this is a finding.</check-content></check></Rule></Group><Group id="V-230233"><title>SRG-OS-000073-GPOS-00041</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230233r743919_rule" weight="10.0" severity="medium"><version>RHEL-08-010130</version><title>The RHEL 8 password-auth file must be configured to use a sufficient number of hashing rounds.</title><description><VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.
|
|||
|
|
|||
|
-Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000196</ident><fixtext fixref="F-32877r567446_fix">Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash.
|
|||
|
+Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000196</ident><fixtext fixref="F-32877r743918_fix">Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash.
|
|||
|
|
|||
|
-Edit/modify the following line in the "/etc/pam.d/password-auth" and "etc/pam.d/system-auth" files and set "rounds" to a value no lower than "5000":
|
|||
|
+Edit/modify the following line in the "/etc/pam.d/password-auth" file and set "rounds" to a value no lower than "5000":
|
|||
|
|
|||
|
-password sufficient pam_unix.so sha512 rounds=5000</fixtext><fix id="F-32877r567446_fix" /><check system="C-32902r567445_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check that a minimum number of hash rounds is configured by running the following commands:
|
|||
|
+password sufficient pam_unix.so sha512 rounds=5000</fixtext><fix id="F-32877r743918_fix" /><check system="C-32902r743917_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check that a minimum number of hash rounds is configured by running the following command:
|
|||
|
|
|||
|
$ sudo grep rounds /etc/pam.d/password-auth
|
|||
|
|
|||
|
password sufficient pam_unix.so sha512 rounds=5000
|
|||
|
|
|||
|
-$ sudo grep rounds /etc/pam.d/system-auth
|
|||
|
-
|
|||
|
-password sufficient pam_unix.so sha512 rounds=5000
|
|||
|
-
|
|||
|
-If "rounds" has a value below "5000", or is commented out in either file, this is a finding.</check-content></check></Rule></Group><Group id="V-230234"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230234r627750_rule" weight="10.0" severity="high"><version>RHEL-08-010140</version><title>RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.</title><description><VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-32878r567449_fix">Configure the system to require a grub bootloader password for the grub superuser account.
|
|||
|
+If "rounds" has a value below "5000", or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230234"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230234r743922_rule" weight="10.0" severity="high"><version>RHEL-08-010140</version><title>RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.</title><description><VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-32878r743921_fix">Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.
|
|||
|
|
|||
|
-Generate an encrypted grub2 password for the grub superuser account with the following command:
|
|||
|
+Generate an encrypted grub2 password for the grub superusers account with the following command:
|
|||
|
|
|||
|
$ sudo grub2-setpassword
|
|||
|
Enter password:
|
|||
|
-Confirm password:
|
|||
|
-
|
|||
|
-Edit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
|
|||
|
-
|
|||
|
-set superusers="[someuniquestringhere]"
|
|||
|
-export superusers</fixtext><fix id="F-32878r567449_fix" /><check system="C-32903r567448_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>For systems that use BIOS, this is Not Applicable.
|
|||
|
+Confirm password:</fixtext><fix id="F-32878r743921_fix" /><check system="C-32903r743920_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>For systems that use BIOS, this is Not Applicable.
|
|||
|
|
|||
|
-Check to see if an encrypted root password is set. On systems that use UEFI, use the following command:
|
|||
|
+Check to see if an encrypted grub superusers password is set. On systems that use UEFI, use the following command:
|
|||
|
|
|||
|
$ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg
|
|||
|
|
|||
|
GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]
|
|||
|
|
|||
|
-If the root password does not begin with "grub.pbkdf2.sha512", this is a finding.
|
|||
|
-
|
|||
|
-Verify that a unique account name is set as the "superusers":
|
|||
|
-
|
|||
|
-$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
|
|||
|
-set superusers="[someuniquestringhere]"
|
|||
|
-export superusers
|
|||
|
-
|
|||
|
-If "superusers" is not set to a unique name or is missing a name, this is a finding.</check-content></check></Rule></Group><Group id="V-230235"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230235r627750_rule" weight="10.0" severity="high"><version>RHEL-08-010150</version><title>RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.</title><description><VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-32879r567452_fix">Configure the system to require a grub bootloader password for the grub superuser account.
|
|||
|
+If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.</check-content></check></Rule></Group><Group id="V-230235"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230235r743925_rule" weight="10.0" severity="high"><version>RHEL-08-010150</version><title>RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.</title><description><VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-32879r743924_fix">Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/grub2/user.cfg file.
|
|||
|
|
|||
|
-Generate an encrypted grub2 password for the grub superuser account with the following command:
|
|||
|
+Generate an encrypted grub2 password for the grub superusers account with the following command:
|
|||
|
|
|||
|
$ sudo grub2-setpassword
|
|||
|
Enter password:
|
|||
|
-Confirm password:
|
|||
|
-
|
|||
|
-Edit the /boot/grub2/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
|
|||
|
+Confirm password:</fixtext><fix id="F-32879r743924_fix" /><check system="C-32904r743923_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>For systems that use UEFI, this is Not Applicable.
|
|||
|
|
|||
|
-set superusers="[someuniquestringhere]"
|
|||
|
-export superusers</fixtext><fix id="F-32879r567452_fix" /><check system="C-32904r567451_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>For systems that use UEFI, this is Not Applicable.
|
|||
|
-
|
|||
|
-Check to see if an encrypted root password is set. On systems that use a BIOS, use the following command:
|
|||
|
+Check to see if an encrypted grub superusers password is set. On systems that use a BIOS, use the following command:
|
|||
|
|
|||
|
$ sudo grep -iw grub2_password /boot/grub2/user.cfg
|
|||
|
|
|||
|
GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]
|
|||
|
|
|||
|
-If the root password does not begin with "grub.pbkdf2.sha512", this is a finding.
|
|||
|
-
|
|||
|
-Verify that a unique name is set as the "superusers":
|
|||
|
-
|
|||
|
-$ sudo grep -iw "superusers" /boot/grub2/grub.cfg
|
|||
|
-set superusers="[someuniquestringhere]"
|
|||
|
-export superusers
|
|||
|
-
|
|||
|
-If "superusers" is not set to a unique name or is missing a name, this is a finding.</check-content></check></Rule></Group><Group id="V-230236"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230236r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010151</version><title>RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes.</title><description><VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-32880r567455_fix">Configure the system to require authentication upon booting into emergency or rescue mode by adding the following line to the "/usr/lib/systemd/system/rescue.service" file.
|
|||
|
+If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.</check-content></check></Rule></Group><Group id="V-230236"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230236r743928_rule" weight="10.0" severity="medium"><version>RHEL-08-010151</version><title>RHEL 8 operating systems must require authentication upon booting into rescue mode.</title><description><VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-32880r743927_fix">Configure the system to require authentication upon booting into rescue mode by adding the following line to the "/usr/lib/systemd/system/rescue.service" file.
|
|||
|
|
|||
|
-ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue</fixtext><fix id="F-32880r567455_fix" /><check system="C-32905r567454_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check to see if the system requires authentication for rescue or emergency mode with the following command:
|
|||
|
+ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue</fixtext><fix id="F-32880r743927_fix" /><check system="C-32905r743926_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check to see if the system requires authentication for rescue mode with the following command:
|
|||
|
|
|||
|
$ sudo grep sulogin-shell /usr/lib/systemd/system/rescue.service
|
|||
|
|
|||
|
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
|
|||
|
|
|||
|
-If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell rescue", commented out, or missing, this is a finding.</check-content></check></Rule></Group><Group id="V-230237"><title>SRG-OS-000120-GPOS-00061</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230237r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010160</version><title>The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.</title><description><VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
|
|||
|
+If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell rescue", commented out, or missing, this is a finding.</check-content></check></Rule></Group><Group id="V-230237"><title>SRG-OS-000120-GPOS-00061</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230237r743931_rule" weight="10.0" severity="medium"><version>RHEL-08-010160</version><title>The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.</title><description><VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
|
|||
|
|
|||
|
RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
|
|||
|
|
|||
|
-FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000803</ident><fixtext fixref="F-32881r567458_fix">Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
|
|||
|
+FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000803</ident><fixtext fixref="F-32881r743930_fix">Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
|
|||
|
|
|||
|
-Edit/modify the following line in the file "/etc/pam.d/password-auth" and "/etc/pam.d/system-auth" files to include the sha512 option for pam_unix.so:
|
|||
|
+Edit/modify the following line in the "/etc/pam.d/password-auth" file to include the sha512 option for pam_unix.so:
|
|||
|
|
|||
|
-password sufficient pam_unix.so sha512 rounds=5000 shadow remember=5</fixtext><fix id="F-32881r567458_fix" /><check system="C-32906r567457_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that pam_unix.so auth is configured to use sha512.
|
|||
|
+password sufficient pam_unix.so sha512 rounds=5000</fixtext><fix id="F-32881r743930_fix" /><check system="C-32906r743929_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that the pam_unix.so module is configured to use sha512.
|
|||
|
|
|||
|
-Check that pam_unix.so auth is configured to use sha512 in both /etc/pam.d/password-auth and /etc/pam.d/system-auth with the following command:
|
|||
|
+Check that the pam_unix.so module is configured to use sha512 in /etc/pam.d/password-auth with the following command:
|
|||
|
|
|||
|
$ sudo grep password /etc/pam.d/password-auth | grep pam_unix
|
|||
|
|
|||
|
password sufficient pam_unix.so sha512 rounds=5000
|
|||
|
|
|||
|
-$ sudo grep password /etc/pam.d/system-auth | grep pam_unix
|
|||
|
-
|
|||
|
-password sufficient pam_unix.so sha512 rounds=5000
|
|||
|
-
|
|||
|
-If "sha512" is not an option in both outputs, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230238"><title>SRG-OS-000120-GPOS-00061</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230238r646862_rule" weight="10.0" severity="medium"><version>RHEL-08-010161</version><title>RHEL 8 must prevent system daemons from using Kerberos for authentication.</title><description><VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
|
|||
|
+If "sha512" is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230238"><title>SRG-OS-000120-GPOS-00061</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230238r646862_rule" weight="10.0" severity="medium"><version>RHEL-08-010161</version><title>RHEL 8 must prevent system daemons from using Kerberos for authentication.</title><description><VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
|
|||
|
|
|||
|
RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
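Review bot: The V1R3 check texts for RHEL-08-010130 (SV-230233r743919_rule) and RHEL-08-010160 (SV-230237r743931_rule) now inspect only /etc/pam.d/password-auth; the `$ sudo grep rounds /etc/pam.d/system-auth` and `$ sudo grep password /etc/pam.d/system-auth | grep pam_unix` steps are removed, and the 010160 fix line drops `shadow remember=5`. Presumably DISA moved the system-auth checks into separate V1R3 rule IDs that sit outside this hunk — worth confirming, because if the project's rhel8 stig profile keys its system-auth rounds/sha512 rules to these two STIG IDs, those references now point at rules that cover password-auth only. Likewise RHEL-08-010140/010150 (SV-230234r743922_rule, SV-230235r743925_rule) drop the `set superusers="…"` verification in grub.cfg and rely solely on `GRUB2_PASSWORD` in user.cfg, so any project rule that satisfied the superusers requirement under those IDs should be re-checked against the new, narrower text. The enclosing Group/Rule elements are cut at both edges of this hunk.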
|
|||
|
|
|||
|
@@ -558,31 +510,30 @@ $ sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null
drwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp
-If any of the returned directories are world-writable and do not have the sticky bit set, this is a finding.</check-content></check></Rule></Group><Group id="V-230244"><title>SRG-OS-000163-GPOS-00072</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230244r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010200</version><title>RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.</title><description><VulnDiscussion>Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
+If any of the returned directories are world-writable and do not have the sticky bit set, this is a finding.</check-content></check></Rule></Group><Group id="V-230244"><title>SRG-OS-000163-GPOS-00072</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230244r743934_rule" weight="10.0" severity="medium"><version>RHEL-08-010200</version><title>RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.</title><description><VulnDiscussion>Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
-RHEL 8 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. The default setting for "ClientAliveCountMax" is "3". If "ClientAliveInterval is set to "15" and "ClientAliveCountMax" is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds.
+RHEL 8 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.
-Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000126-GPOS-00066, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001133</ident><fixtext fixref="F-32888r567479_fix">Configure RHEL 8 to automatically terminate all network connections associated with SSH traffic at the end of a session or after 10 minutes of inactivity.
+Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000126-GPOS-00066, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001133</ident><fixtext fixref="F-32888r743933_fix">Configure RHEL 8 to automatically terminate all network connections associated with SSH traffic at the end of a session or after 10 minutes of inactivity.
-Modify or append the following lines in the "/etc/ssh/sshd_config" file to have a product value of "600" or less:
+Modify or append the following lines in the "/etc/ssh/sshd_config" file:
-ClientAliveInterval 600
ClientAliveCountMax 0
In order for the changes to take effect, the SSH daemon must be restarted.
-$ sudo systemctl restart sshd.service</fixtext><fix id="F-32888r567479_fix" /><check system="C-32913r567478_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity.
+$ sudo systemctl restart sshd.service</fixtext><fix id="F-32888r743933_fix" /><check system="C-32913r743932_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity.
-Check that the "ClientAliveInterval" variable is set to a value of "600" or less and that the "ClientAliveCountMax" is set to "0" by performing the following command:
+Check that the "ClientAliveCountMax" is set to "0" by performing the following command:
$ sudo grep -i clientalive /etc/ssh/sshd_config
ClientAliveInterval 600
ClientAliveCountMax 0
-If "ClientAliveInterval" and "ClientAliveCountMax" do not exist, does not have a product value of "600" or less in "/etc/ssh/sshd_config", or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230245"><title>SRG-OS-000206-GPOS-00084</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230245r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010210</version><title>The RHEL 8 /var/log/messages file must have mode 0640 or less permissive.</title><description><VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+If "ClientAliveCountMax" do not exist, is not set to a value of "0" in "/etc/ssh/sshd_config", or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230245"><title>SRG-OS-000206-GPOS-00084</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230245r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010210</version><title>The RHEL 8 /var/log/messages file must have mode 0640 or less permissive.</title><description><VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001314</ident><fixtext fixref="F-32889r567482_fix">Change the permissions of the file "/var/log/messages" to "0640" by running the following command:
@@ -642,96 +593,47 @@ $ sudo stat -c "%G" /var/log
root
-If "root" is not returned as a result, this is a finding.</check-content></check></Rule></Group><Group id="V-230251"><title>SRG-OS-000250-GPOS-00093</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230251r646866_rule" weight="10.0" severity="medium"><version>RHEL-08-010290</version><title>The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.</title><description><VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+If "root" is not returned as a result, this is a finding.</check-content></check></Rule></Group><Group id="V-230251"><title>SRG-OS-000250-GPOS-00093</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230251r743937_rule" weight="10.0" severity="medium"><version>RHEL-08-010290</version><title>The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.</title><description><VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
-RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssh.config file.
-
-By specifying a hash algorithm list with the order of hashes being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest hash for securing SSH connections.
-
-Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-32895r567500_fix">Configure the RHEL 8 SSH daemon to use only MACs employing FIPS 140-2-approved algorithms with the following commands:
-
-$ sudo fips-mode-setup --enable
-
-Next, update the "/etc/crypto-policies/back-ends/openssh.config"
-and "/etc/crypto-policies/back-ends/opensshserver.config" files to include these MACs employing FIPS 140-2-approved algorithms:
-
-/etc/crypto-policies/back-ends/openssh.config:MACs hmac-sha2-512,hmac-sha2-256
-/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256'
-/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256'
-
-A reboot is required for the changes to take effect.</fixtext><fix id="F-32895r567500_fix" /><check system="C-32920r646865_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the SSH daemon is configured to use only MACs employing FIPS 140-2-approved algorithms:
-
-Verify that system-wide crypto policies are in effect:
-
-$ sudo grep -i crypto_policy /etc/sysconfig/sshd
+RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.
-# crypto_policy=
-
-If the "crypto_policy" is uncommented, this is a finding.
-
-Verify which system-wide crypto policy is in use:
+The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection.
-$ sudo update-crypto-policies --show
+Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-32895r743936_fix">Configure the RHEL 8 SSH server to use only MACs employing FIPS 140-2-approved algorithms by updating the "/etc/crypto-policies/back-ends/opensshserver.config" file with the following line:
-FIPS
+-oMACS=hmac-sha2-512,hmac-sha2-256
-Check that the MACs in the back-end configurations are FIPS 140-2-approved algorithms with the following command:
+A reboot is required for the changes to take effect.</fixtext><fix id="F-32895r743936_fix" /><check system="C-32920r743935_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the SSH server is configured to use only MACs employing FIPS 140-2-approved algorithms with the following command:
-$ sudo grep -i macs /etc/crypto-policies/back-ends/openssh.config /etc/crypto-policies/back-ends/opensshserver.config
+$ sudo grep -i macs /etc/crypto-policies/back-ends/opensshserver.config
-/etc/crypto-policies/back-ends/openssh.config:MACs hmac-sha2-512,hmac-sha2-256
-/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256'
-/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256'
+-oMACS=hmac-sha2-512,hmac-sha2-256
-If the MAC entries in the "openssh.config" and "opensshserver.config" files have any hashes other than "hmac-sha2-512" and "hmac-sha2-256", the order differs from the example above, if they are missing, or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230252"><title>SRG-OS-000250-GPOS-00093</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230252r646869_rule" weight="10.0" severity="medium"><version>RHEL-08-010291</version><title>The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.</title><description><VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+If the MACs entries in the "opensshserver.config" file have any hashes other than "hmac-sha2-512" and "hmac-sha2-256", the order differs from the example above, they are missing, or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230252"><title>SRG-OS-000250-GPOS-00093</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230252r743940_rule" weight="10.0" severity="medium"><version>RHEL-08-010291</version><title>The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections.</title><description><VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
-RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssh.config file.
-
-By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections.
-
-Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-32896r646868_fix">Configure the RHEL 8 SSH daemon to use only ciphers employing FIPS 140-2-approved algorithms with the following command:
+RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.
-$ sudo fips-mode-setup --enable
-
-Next, update the "/etc/crypto-policies/back-ends/openssh.config" and "/etc/crypto-policies/back-ends/opensshserver.config" files to include these ciphers employing FIPS 140-2-approved algorithms:
-
-/etc/crypto-policies/back-ends/openssh.config:Ciphers aes256-ctr,aes192-ctr,aes128-ctr
-/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr'
-/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr'
-
-A reboot is required for the changes to take effect.</fixtext><fix id="F-32896r646868_fix" /><check system="C-32921r646867_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the SSH daemon is configured to use only ciphers employing FIPS 140-2-approved algorithms:
-
-Verify that system-wide crypto policies are in effect:
-
-$ sudo grep -i crypto_policy /etc/sysconfig/sshd
+The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection.
-# crypto_policy=
-
-If the "crypto_policy" is uncommented, this is a finding.
-
-Verify which system-wide crypto policy is in use:
+Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-32896r743939_fix">Configure the RHEL 8 SSH server to use only ciphers employing FIPS 140-2-approved algorithms by updating the "/etc/crypto-policies/back-ends/opensshserver.config" file with the following line:
-$ sudo update-crypto-policies --show
-
-FIPS
+-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr
-Check that the ciphers in the back-end configurations are FIPS 140-2-approved algorithms with the following command:
+A reboot is required for the changes to take effect.</fixtext><fix id="F-32896r743939_fix" /><check system="C-32921r743938_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the SSH server is configured to use only ciphers employing FIPS 140-2-approved algorithms with the following command:
-$ sudo grep -i ciphers /etc/crypto-policies/back-ends/openssh.config /etc/crypto-policies/back-ends/opensshserver.config
+$ sudo grep -i ciphers /etc/crypto-policies/back-ends/opensshserver.config
-/etc/crypto-policies/back-ends/openssh.config:Ciphers aes256-ctr,aes192-ctr,aes128-ctr
-/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr'
-/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr'
+CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr'
-If the cipher entries in the "openssh.config" and "opensshserver.config" files have any ciphers other than "aes256-ctr,aes192-ctr,aes128-ctr", the order differs from the example above, if they are missing, or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230253"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230253r627750_rule" weight="10.0" severity="low"><version>RHEL-08-010292</version><title>RHEL 8 must ensure the SSH server uses strong entropy.</title><description><VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.
+If the cipher entries in the "opensshserver.config" file have any ciphers other than "aes256-ctr,aes192-ctr,aes128-ctr", the order differs from the example above, they are missing, or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230253"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230253r627750_rule" weight="10.0" severity="low"><version>RHEL-08-010292</version><title>RHEL 8 must ensure the SSH server uses strong entropy.</title><description><VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.
The SSH implementation in RHEL8 uses the OPENSSL library, which does not use high-entropy sources by default. By using the SSH_USE_STRONG_RNG environment variable the OPENSSL random generator is reseeded from /dev/random. This setting is not recommended on computers without the hardware random generator because insufficient entropy causes the connection to be blocked until enough entropy is available.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32897r567506_fix">Configure the operating system SSH server to use strong entropy.
@@ -1116,7 +1018,7 @@ Check that the "/etc/sudoers" file has no occurrences of "!authenticate" by runn
$ sudo grep -i !authenticate /etc/sudoers /etc/sudoers.d/*
-If any occurrences of "!authenticate" return from the command, this is a finding.</check-content></check></Rule></Group><Group id="V-230273"><title>SRG-OS-000375-GPOS-00160</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230273r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010390</version><title>RHEL 8 must have the packages required for multifactor authentication installed.</title><description><VulnDiscussion>Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected.
+If any occurrences of "!authenticate" return from the command, this is a finding.</check-content></check></Rule></Group><Group id="V-230273"><title>SRG-OS-000375-GPOS-00160</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230273r743943_rule" weight="10.0" severity="medium"><version>RHEL-08-010390</version><title>RHEL 8 must have the packages required for multifactor authentication installed.</title><description><VulnDiscussion>Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected.
Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC.
@@ -1124,16 +1026,15 @@ A privileged account is defined as an information system account with authorizat
|
|||
|
|
|||
|
Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
|
|||
|
|
|||
|
-This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001948</ident><fixtext fixref="F-32917r567566_fix">Configure the operating system to implement multifactor authentication by installing the required packages with the following command:
|
|||
|
+This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001948</ident><fixtext fixref="F-32917r743942_fix">Configure the operating system to implement multifactor authentication by installing the required package with the following command:
|
|||
|
|
|||
|
-$ sudo yum install esc openssl-pkcs11</fixtext><fix id="F-32917r567566_fix" /><check system="C-32942r567565_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system has the packages required for multifactor authentication installed with the following commands:
|
|||
|
+$ sudo yum install openssl-pkcs11</fixtext><fix id="F-32917r743942_fix" /><check system="C-32942r743941_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system has the packages required for multifactor authentication installed with the following commands:
|
|||
|
|
|||
|
-$ sudo yum list installed esc openssl-pkcs11
|
|||
|
+$ sudo yum list installed openssl-pkcs11
|
|||
|
|
|||
|
-esc.x86_64 1.1.2-7.el8 @AppStream
|
|||
|
openssl-pkcs11.x86_64 0.4.8-2.el8 @anaconda
|
|||
|
|
|||
|
-If the "esc" and "openssl-pkcs11" packages are not installed, ask the administrator to indicate what type of multifactor authentication is being utilized and what packages are installed to support it. If there is no evidence of multifactor authentication being used, this is a finding.</check-content></check></Rule></Group><Group id="V-230274"><title>SRG-OS-000375-GPOS-00160</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230274r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010400</version><title>RHEL 8 must implement certificate status checking for multifactor authentication.</title><description><VulnDiscussion>Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected.
|
|||
|
+If the "openssl-pkcs11" package is not installed, ask the administrator to indicate what type of multifactor authentication is being utilized and what packages are installed to support it. If there is no evidence of multifactor authentication being used, this is a finding.</check-content></check></Rule></Group><Group id="V-230274"><title>SRG-OS-000375-GPOS-00160</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230274r743945_rule" weight="10.0" severity="medium"><version>RHEL-08-010400</version><title>RHEL 8 must implement certificate status checking for multifactor authentication.</title><description><VulnDiscussion>Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected.
|
|||
|
|
|||
|
Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC.
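Review bot: The new revision drops "esc" from the multifactor package requirement (fixtext now installs only openssl-pkcs11, and the check only lists that package), so any project rule that still requires esc to be installed is now stricter than the STIG it claims to implement; confirm that rule is deselected from the V1R3 STIG profiles or its rationale is documented separately. The check-content wording still says "with the following commands" although a single command remains, which is upstream DISA text and not something to alter in this reference copy. The Group for V-230273 begins in the preceding hunk.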
|
|||
|
|
|||
|
@@ -1149,15 +1050,15 @@ certificate_verification = ocsp_dgst=sha1
|
|||
|
|
|||
|
The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:
|
|||
|
|
|||
|
-$ sudo systemctl restart sssd.service</fixtext><fix id="F-32918r567569_fix" /><check system="C-32943r567568_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system implements certificate status checking for multifactor authentication.
|
|||
|
+$ sudo systemctl restart sssd.service</fixtext><fix id="F-32918r567569_fix" /><check system="C-32943r743944_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system implements certificate status checking for multifactor authentication.
|
|||
|
|
|||
|
Check to see if Online Certificate Status Protocol (OCSP) is enabled and using the proper digest value on the system with the following command:
|
|||
|
|
|||
|
-$ sudo grep certificate_verification /etc/sssd/sssd.conf | grep -v "^#"
|
|||
|
+$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#"
|
|||
|
|
|||
|
certificate_verification = ocsp_dgst=sha1
|
|||
|
|
|||
|
-If the certificate_verification line is missing "ocsp_dgst=sha1", ask the administrator to indicate what type of multifactor authentication is being utilized and how the system implements certificate status checking. If there is no evidence of certificate status checking being used, this is a finding.</check-content></check></Rule></Group><Group id="V-230275"><title>SRG-OS-000376-GPOS-00161</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230275r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010410</version><title>RHEL 8 must accept Personal Identity Verification (PIV) credentials.</title><description><VulnDiscussion>The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.
|
|||
|
+If the certificate_verification line is missing from the [sssd] section, or is missing "ocsp_dgst=sha1", ask the administrator to indicate what type of multifactor authentication is being utilized and how the system implements certificate status checking. If there is no evidence of certificate status checking being used, this is a finding.</check-content></check></Rule></Group><Group id="V-230275"><title>SRG-OS-000376-GPOS-00161</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230275r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010410</version><title>RHEL 8 must accept Personal Identity Verification (PIV) credentials.</title><description><VulnDiscussion>The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.
|
|||
|
|
|||
|
The DoD has mandated the use of the Common Access Card (CAC) to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001953</ident><fixtext fixref="F-32919r567572_fix">Configure RHEL 8 to accept PIV credentials.
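Review bot: The revised check for V-230274 now greps both /etc/sssd/sssd.conf and /etc/sssd/conf.d/*.conf and requires the certificate_verification line to be in the [sssd] section, whereas the previous text only looked at sssd.conf. An automated check that inspects only the main file would miss a compliant setting placed in a conf.d drop-in, and one that ignores section scope could accept the key under the wrong section; verify the project's OVAL for this rule covers both paths and the section constraint. The enclosing Rule for V-230274 starts in the previous hunk.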
|
|||
|
|
|||
|
@@ -1218,17 +1119,17 @@ $ sudo grep page_poison /etc/default/grub
|
|||
|
|
|||
|
GRUB_CMDLINE_LINUX="page_poison=1"
|
|||
|
|
|||
|
-If "page_poison" is not set to "1", is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230278"><title>SRG-OS-000134-GPOS-00068</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230278r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010422</version><title>RHEL 8 must disable virtual syscalls.</title><description><VulnDiscussion>Syscalls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual Syscalls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense.
|
|||
|
+If "page_poison" is not set to "1", is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230278"><title>SRG-OS-000134-GPOS-00068</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230278r743948_rule" weight="10.0" severity="medium"><version>RHEL-08-010422</version><title>RHEL 8 must disable virtual syscalls.</title><description><VulnDiscussion>Syscalls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual Syscalls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense.
|
|||
|
|
|||
|
-Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. Disabling vsyscalls help to prevent return oriented programming (ROP) attacks via buffer overflows and overruns.
|
|||
|
+Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. Disabling vsyscalls help to prevent return oriented programming (ROP) attacks via buffer overflows and overruns. If the system intends to run containers based on RHEL 6 components, then virtual syscalls will need enabled so the components function properly.
|
|||
|
|
|||
|
-Satisfies: SRG-OS-000134-GPOS-00068, SRG-OS-000433-GPOS-00192</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001084</ident><fixtext fixref="F-32922r567581_fix">Configure RHEL 8 to disable vsyscalls with the following commands:
|
|||
|
+Satisfies: SRG-OS-000134-GPOS-00068, SRG-OS-000433-GPOS-00192</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001084</ident><fixtext fixref="F-32922r743947_fix">Document the use of vsyscalls with the ISSO as an operational requirement or disable them with the following command:
|
|||
|
|
|||
|
$ sudo grubby --update-kernel=ALL --args="vsyscall=none"
|
|||
|
|
|||
|
Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates:
|
|||
|
|
|||
|
-GRUB_CMDLINE_LINUX="vsyscall=none"</fixtext><fix id="F-32922r567581_fix" /><check system="C-32947r567580_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that GRUB 2 is configured to disable vsyscalls with the following commands:
|
|||
|
+GRUB_CMDLINE_LINUX="vsyscall=none"</fixtext><fix id="F-32922r743947_fix" /><check system="C-32947r743946_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that GRUB 2 is configured to disable vsyscalls with the following commands:
|
|||
|
|
|||
|
Check that the current GRUB 2 configuration disables vsyscalls:
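Review bot: The V-230278 fixtext now offers an alternative to disabling vsyscalls ("Document the use of vsyscalls with the ISSO as an operational requirement"), and the matching check-content in the following hunk (starting at `@@ -1244,7 +1145,7 @@`) only reports a finding when the setting is missing and not documented. An automated scanner cannot evaluate the ISSO documentation branch, so the project rule will still flag systems that are compliant via the documented exception; this is acceptable for a technical check but should be noted in the rule's description or a profile comment. The new VulnDiscussion sentence about RHEL 6 containers explains why the exception was introduced.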
|
|||
|
|
|||
|
@@ -1244,7 +1145,7 @@ $ sudo grep vsyscall /etc/default/grub
|
|||
|
|
|||
|
GRUB_CMDLINE_LINUX="vsyscall=none"
|
|||
|
|
|||
|
-If "vsyscall" is not set to "none", is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230279"><title>SRG-OS-000134-GPOS-00068</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230279r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010423</version><title>RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks.</title><description><VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
|
|||
|
+If "vsyscall" is not set to "none", is missing or commented out and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-230279"><title>SRG-OS-000134-GPOS-00068</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230279r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010423</version><title>RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks.</title><description><VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
|
|||
|
|
|||
|
Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.
|
|||
|
|
|||
|
@@ -1385,13 +1286,13 @@ $ sudo ls -l /etc/ssh/*.pub
|
|||
|
|
|||
|
If any key.pub file has a mode more permissive than "0644", this is a finding.
|
|||
|
|
|||
|
-Note: SSH public key files may be found in other directories on the system depending on the installation.</check-content></check></Rule></Group><Group id="V-230287"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230287r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010490</version><title>The RHEL 8 SSH private host key files must have mode 0640 or less permissive.</title><description><VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32931r567608_fix">Configure the mode of SSH private host key files under "/etc/ssh" to "0640" with the following command:
|
|||
|
+Note: SSH public key files may be found in other directories on the system depending on the installation.</check-content></check></Rule></Group><Group id="V-230287"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230287r743951_rule" weight="10.0" severity="medium"><version>RHEL-08-010490</version><title>The RHEL 8 SSH private host key files must have mode 0600 or less permissive.</title><description><VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32931r743950_fix">Configure the mode of SSH private host key files under "/etc/ssh" to "0600" with the following command:
|
|||
|
|
|||
|
-$ sudo chmod 0640 /etc/ssh/ssh_host*key
|
|||
|
+$ sudo chmod 0600 /etc/ssh/ssh_host*key
|
|||
|
|
|||
|
The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:
|
|||
|
|
|||
|
-$ sudo systemctl restart sshd.service</fixtext><fix id="F-32931r567608_fix" /><check system="C-32956r567607_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the SSH private host key files have mode "0640" or less permissive with the following command:
|
|||
|
+$ sudo systemctl restart sshd.service</fixtext><fix id="F-32931r743950_fix" /><check system="C-32956r743949_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the SSH private host key files have mode "0600" or less permissive with the following command:
|
|||
|
|
|||
|
$ sudo ls -l /etc/ssh/ssh_host*key
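Review bot: V-230287 now requires SSH private host key files to be mode 0600 or less permissive (previously 0640), in the title, fixtext, chmod command and, in the next hunk at `@@ -1399,7 +1300,7 @@`, the check-content. Any project rule that still encodes 0640 for /etc/ssh/ssh_host*key will pass hosts the V1R3 STIG considers a finding, so the rule and its remediation need to move to 0600 together with this reference update. The example listing in the following hunk already shows `-rw-------`, which is consistent with the new requirement.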
|
|||
|
|
|||
|
@@ -1399,7 +1300,7 @@ $ sudo ls -l /etc/ssh/ssh_host*key
|
|||
|
-rw------- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key
|
|||
|
-rw------- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key
|
|||
|
|
|||
|
-If any private host key file has a mode more permissive than "0640", this is a finding.</check-content></check></Rule></Group><Group id="V-230288"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230288r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010500</version><title>The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files.</title><description><VulnDiscussion>If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32932r567611_fix">Configure SSH to perform strict mode checking of home directory configuration files. Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" and set the value to "yes":
|
|||
|
+If any private host key file has a mode more permissive than "0600", this is a finding.</check-content></check></Rule></Group><Group id="V-230288"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230288r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010500</version><title>The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files.</title><description><VulnDiscussion>If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32932r567611_fix">Configure SSH to perform strict mode checking of home directory configuration files. Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" and set the value to "yes":
|
|||
|
|
|||
|
StrictModes yes
|
|||
|
|
|||
|
@@ -1411,17 +1312,17 @@ $ sudo grep -i strictmodes /etc/ssh/sshd_config
|
|||
|
|
|||
|
StrictModes yes
|
|||
|
|
|||
|
-If "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230289"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230289r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010510</version><title>The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication.</title><description><VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32933r567614_fix">Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "no":
|
|||
|
+If "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230289"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230289r743954_rule" weight="10.0" severity="medium"><version>RHEL-08-010510</version><title>The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication.</title><description><VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32933r743953_fix">Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no":
|
|||
|
|
|||
|
Compression no
|
|||
|
|
|||
|
-The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-32933r567614_fix" /><check system="C-32958r567613_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the SSH daemon performs compression after a user successfully authenticates with the following command:
|
|||
|
+The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-32933r743953_fix" /><check system="C-32958r743952_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the SSH daemon performs compression after a user successfully authenticates with the following command:
|
|||
|
|
|||
|
$ sudo grep -i compression /etc/ssh/sshd_config
|
|||
|
|
|||
|
-Compression no
|
|||
|
+Compression delayed
|
|||
|
|
|||
|
-If the "Compression" keyword is set to "yes", "delayed", is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230290"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230290r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010520</version><title>The RHEL 8 SSH daemon must not allow authentication using known host’s authentication.</title><description><VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32934r567617_fix">Configure the SSH daemon to not allow authentication using known host’s authentication.
|
|||
|
+If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230290"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230290r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010520</version><title>The RHEL 8 SSH daemon must not allow authentication using known host’s authentication.</title><description><VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32934r567617_fix">Configure the SSH daemon to not allow authentication using known host’s authentication.
|
|||
|
|
|||
|
Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":
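Review bot: The V-230289 check now accepts "delayed" and only treats "yes", missing or commented-out as a finding, while the fixtext still instructs setting `Compression no` and the expected grep output shows `Compression delayed`; a reader applying the fix literally gets output that differs from the example, which is upstream text but worth noting in the project rule description. As far as I recall, the OpenSSH shipped with RHEL 8 no longer performs pre-authentication compression and treats "delayed" as an alias for "yes", so the check's distinction between the two values is largely nominal on this platform; the project's automated check should follow the STIG wording but the rationale should not overstate the risk difference. The Group for V-230289 begins in the preceding hunk.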
|
|||
|
|
|||
|
@@ -1435,23 +1336,21 @@ $ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config
IgnoreUserKnownHosts yes
-If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230291"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230291r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010521</version><title>The RHEL 8 SSH daemon must not allow unused methods of authentication.</title><description><VulnDiscussion>Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32935r567620_fix">Configure the SSH daemon to not allow authentication using unused methods of authentication.
+If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230291"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230291r743957_rule" weight="10.0" severity="medium"><version>RHEL-08-010521</version><title>The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.</title><description><VulnDiscussion>Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32935r743956_fix">Configure the SSH daemon to not allow Kerberos authentication.
Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no":
KerberosAuthentication no
-GSSAPIAuthentication no
The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:
-$ sudo systemctl restart sshd.service</fixtext><fix id="F-32935r567620_fix" /><check system="C-32960r567619_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the SSH daemon does not allow authentication using unused methods of authentication with the following command:
+$ sudo systemctl restart sshd.service</fixtext><fix id="F-32935r743956_fix" /><check system="C-32960r743955_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the SSH daemon does not allow Kerberos authentication with the following command:
-$ sudo grep -i "KerberosAuthentication\|GSSAPIAuthentication" /etc/ssh/sshd_config
+$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config
KerberosAuthentication no
-GSSAPIAuthentication no
-If the values are returned as "yes", the returned line is commented out, no output is returned, or has not been documented with the ISSO, this is a finding.</check-content></check></Rule></Group><Group id="V-230292"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230292r627750_rule" weight="10.0" severity="low"><version>RHEL-08-010540</version><title>RHEL 8 must use a separate file system for /var.</title><description><VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32936r567623_fix">Migrate the "/var" path onto a separate file system.</fixtext><fix id="F-32936r567623_fix" /><check system="C-32961r567622_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that a separate file system/partition has been created for "/var".
+If the value is returned as "yes", the returned line is commented out, no output is returned, or has not been documented with the ISSO, this is a finding.</check-content></check></Rule></Group><Group id="V-230292"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230292r627750_rule" weight="10.0" severity="low"><version>RHEL-08-010540</version><title>RHEL 8 must use a separate file system for /var.</title><description><VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32936r567623_fix">Migrate the "/var" path onto a separate file system.</fixtext><fix id="F-32936r567623_fix" /><check system="C-32961r567622_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that a separate file system/partition has been created for "/var".
Check that a file system/partition has been created for "/var" with the following command:
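Review bot: The V1R3 check for RHEL-08-010521 now greps only `KerberosAuthentication` and the `GSSAPIAuthentication no` requirement is dropped from both the fix text and the check (the two removed `-GSSAPIAuthentication no` lines), while this commit's rhel8 profile changes are limited to version and SME bumps per the diffstat. If the rhel8 stig profiles still select a rule that forces GSSAPIAuthentication off under this STIG id, the project would enforce more than the benchmark now asks for, so the rule selection for RHEL-08-010521 should be revisited together with this reference update. The rule title also changed to allow Kerberos "to fulfill documented and validated mission requirements", which the project's rule description should mirror if it quotes the STIG.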
@@ -1548,7 +1447,9 @@ $ sudo more /etc/fstab
UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home xfs rw,relatime,discard,data=ordered,nosuid,nodev,noexec 0 0
-If a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "nosuid" option set, this is a finding.</check-content></check></Rule></Group><Group id="V-230300"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230300r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010571</version><title>RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.</title><description><VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32944r567647_fix">Configure the "/etc/fstab" to use the "nosuid" option on the /boot directory.</fixtext><fix id="F-32944r567647_fix" /><check system="C-32969r567646_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the /boot directory is mounted with the "nosuid" option with the following command:
+If a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "nosuid" option set, this is a finding.</check-content></check></Rule></Group><Group id="V-230300"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230300r743959_rule" weight="10.0" severity="medium"><version>RHEL-08-010571</version><title>RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.</title><description><VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32944r567647_fix">Configure the "/etc/fstab" to use the "nosuid" option on the /boot directory.</fixtext><fix id="F-32944r567647_fix" /><check system="C-32969r743958_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>For systems that use UEFI, this is Not Applicable.
+
+Verify the /boot directory is mounted with the "nosuid" option with the following command:
$ sudo mount | grep '\s/boot\s'
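Review bot: The new first line of the RHEL-08-010571 check, `For systems that use UEFI, this is Not Applicable.`, introduces an applicability gate that the project's /boot nosuid rule will need to reflect, either through a platform or applicability check for UEFI boot or by documenting that scans of UEFI systems will report a finding the STIG exempts. The remainder of the check (`$ sudo mount | grep '\s/boot\s'`) is unchanged, so this gate is the only substantive change in the hunk; whether the project's rule already carries such a condition is not visible here.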
@@ -1754,13 +1655,13 @@ $ sudo grep -i path /home/*/.*
/home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin
/home/[localinteractiveuser]/.bash_profile:export PATH
-If any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-230318"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230318r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010700</version><title>All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group.</title><description><VulnDiscussion>If a world-writable directory has the sticky bit set and is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others.
+If any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-230318"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230318r743960_rule" weight="10.0" severity="medium"><version>RHEL-08-010700</version><title>All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.</title><description><VulnDiscussion>If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others.
The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32962r567701_fix">All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.</fixtext><fix id="F-32962r567701_fix" /><check system="C-32987r567700_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 1000. Run it once for each local partition [PART]:
$ sudo find [PART] -xdev -type d -perm -0002 -uid +999 -print
-If there is output, this is a finding.</check-content></check></Rule></Group><Group id="V-230319"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230319r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010710</version><title>All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.</title><description><VulnDiscussion>If a world-writable directory has the sticky bit set and is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others.
+If there is output, this is a finding.</check-content></check></Rule></Group><Group id="V-230319"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230319r743961_rule" weight="10.0" severity="medium"><version>RHEL-08-010710</version><title>All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.</title><description><VulnDiscussion>If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others.
The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32963r567704_fix">All directories in local partitions which are world-writable must be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this must be investigated. Following this, the directories must be deleted or assigned to an appropriate group.</fixtext><fix id="F-32963r567704_fix" /><check system="C-32988r567703_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>The following command will discover and print world-writable directories that are not group-owned by a system account, given the assumption that only system accounts have a gid lower than 1000. Run it once for each local partition [PART]:
@@ -1791,11 +1692,11 @@ $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /et
drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj
-If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.</check-content></check></Rule></Group><Group id="V-230322"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230322r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010740</version><title>All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group.</title><description><VulnDiscussion>If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32966r567713_fix">Change the group owner of a local interactive user’s home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user’s home directory, use the following command:
+If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.</check-content></check></Rule></Group><Group id="V-230322"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230322r743963_rule" weight="10.0" severity="medium"><version>RHEL-08-010740</version><title>All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group.</title><description><VulnDiscussion>If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32966r567713_fix">Change the group owner of a local interactive user’s home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user’s home directory, use the following command:
Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users.
-$ sudo chgrp users /home/smithj</fixtext><fix id="F-32966r567713_fix" /><check system="C-32991r567712_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the assigned home directory of all local interactive users is group-owned by that user’s primary GID with the following command:
+$ sudo chgrp users /home/smithj</fixtext><fix id="F-32966r567713_fix" /><check system="C-32991r743962_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the assigned home directory of all local interactive users is group-owned by that user’s primary GID with the following command:
Note: This may miss local interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory "/home/smithj" is used as an example.
@@ -1805,7 +1706,7 @@ drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj
Check the user's primary group with the following command:
-$ sudo grep admin /etc/group
+$ sudo grep $(grep smithj /etc/passwd | awk -F: ‘{print $4}’) /etc/group
admin:x:250:smithj,jonesj,jacksons
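Review bot: The new example command `$ sudo grep $(grep smithj /etc/passwd | awk -F: ‘{print $4}’) /etc/group` wraps the awk program in typographic single quotes (U+2018/U+2019) instead of ASCII `'`, so it does not run as printed; any project content derived from this check (rule description, OCIL text or a remediation) should use `awk -F: '{print $4}'`. Since this file reproduces the DISA-published benchmark, the reference XML itself is best left as published and the correction applied only to derived content. The unanchored `grep smithj /etc/passwd` also matches any line containing that substring, a limitation the example inherits from the STIG.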
@@ -1977,38 +1878,17 @@ account required pam_faillock.so
If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module, or is missing from this line, this is a finding.
-If any line referencing the "pam_faillock.so" module is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230333"><title>SRG-OS-000021-GPOS-00005</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230333r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020011</version><title>RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.</title><description><VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
-
-In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
-
-From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
-
-Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000044</ident><fixtext fixref="F-32977r567746_fix">Configure the operating system to lock an account when three unsuccessful logon attempts occur.
-
-Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines:
-
-auth required pam_faillock.so preauth
-auth required pam_faillock.so authfail
-account required pam_faillock.so
-
-Add/Modify the "/etc/security/faillock.conf" file to match the following line:
-
-deny = 3</fixtext><fix id="F-32977r567746_fix" /><check system="C-33002r567745_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check that the system locks an account after three unsuccessful logon attempts with the following commands:
+If any line referencing the "pam_faillock.so" module is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230333"><title>SRG-OS-000021-GPOS-00005</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230333r743966_rule" weight="10.0" severity="medium"><version>RHEL-08-020011</version><title>RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.</title><description><VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
-Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
-Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files:
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
-$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth
+Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000044</ident><fixtext fixref="F-32977r743965_fix">Configure the operating system to lock an account when three unsuccessful logon attempts occur.
-/etc/pam.d/system-auth:auth required pam_faillock.so preauth
-/etc/pam.d/system-auth:auth required pam_faillock.so authfail
-/etc/pam.d/system-auth:account required pam_faillock.so
-/etc/pam.d/password-auth:auth required pam_faillock.so preauth
-/etc/pam.d/password-auth:auth required pam_faillock.so authfail
-/etc/pam.d/password-auth:account required pam_faillock.so preauth
+Add/Modify the "/etc/security/faillock.conf" file to match the following line:
-If the pam_failllock.so module is not present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files, this is a finding.
+deny = 3</fixtext><fix id="F-32977r743965_fix" /><check system="C-33002r743964_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.
Verify the "/etc/security/faillock.conf" file is configured to lock an account after three unsuccessful logon attempts:
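Review bot: The V1R3 text for RHEL-08-020011 drops the part of the check that verified `pam_faillock.so` is present in `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` (the removed `-Verify the pam_faillock.so module is present…` through `-If the pam_failllock.so module is not present…` lines) and the matching `auth required pam_faillock.so` lines from the fix, leaving only `deny = 3` in `/etc/security/faillock.conf`. A `deny` value in faillock.conf has no effect unless pam_faillock is actually in the PAM stack, so the project's RHEL 8.2+ content should keep enforcing the module's presence rather than mirroring the narrowed check literally; whether another STIG rule still covers that on 8.2+ is not visible in this hunk. The `-If any line referencing…`/`+If any line referencing…` pair at the top belongs to the preceding V-230332 rule and is textually unchanged.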
@@ -2052,38 +1932,17 @@ auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3
auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0
account required pam_faillock.so
-If the "fail_interval" option is not set to "900" or less (but not "0") on the "preauth" lines with the "pam_faillock.so" module, or is missing from this line, this is a finding.</check-content></check></Rule></Group><Group id="V-230335"><title>SRG-OS-000021-GPOS-00005</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230335r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020013</version><title>RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.</title><description><VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
-
-In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
-
-From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
-
-Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000044</ident><fixtext fixref="F-32979r567752_fix">Configure the operating system to lock an account when three unsuccessful logon attempts occur in 15 minutes.
-
-Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines:
-
-auth required pam_faillock.so preauth
-auth required pam_faillock.so authfail
-account required pam_faillock.so
-
-Add/Modify the "/etc/security/faillock.conf" file to match the following line:
-
-fail_interval = 900</fixtext><fix id="F-32979r567752_fix" /><check system="C-33004r567751_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check that the system locks an account after three unsuccessful logon attempts within a period of 15 minutes with the following commands:
+If the "fail_interval" option is not set to "900" or less (but not "0") on the "preauth" lines with the "pam_faillock.so" module, or is missing from this line, this is a finding.</check-content></check></Rule></Group><Group id="V-230335"><title>SRG-OS-000021-GPOS-00005</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230335r743969_rule" weight="10.0" severity="medium"><version>RHEL-08-020013</version><title>RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.</title><description><VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
-Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
-Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files:
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
-$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth
+Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000044</ident><fixtext fixref="F-32979r743968_fix">Configure the operating system to lock an account when three unsuccessful logon attempts occur in 15 minutes.
-/etc/pam.d/system-auth:auth required pam_faillock.so preauth
-/etc/pam.d/system-auth:auth required pam_faillock.so authfail
-/etc/pam.d/system-auth:account required pam_faillock.so
-/etc/pam.d/password-auth:auth required pam_faillock.so preauth
-/etc/pam.d/password-auth:auth required pam_faillock.so authfail
-/etc/pam.d/password-auth:account required pam_faillock.so preauth
+Add/Modify the "/etc/security/faillock.conf" file to match the following line:
-If the pam_failllock.so module is not present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files, this is a finding.
+fail_interval = 900</fixtext><fix id="F-32979r743968_fix" /><check system="C-33004r743967_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.
Verify the "/etc/security/faillock.conf" file is configured to lock an account after three unsuccessful logon attempts within 15 minutes:
@@ -2091,7 +1950,7 @@ $ sudo grep 'fail_interval =' /etc/security/faillock.conf
fail_interval = 900
-If the "fail_interval" option is not set to "900" or less (but not "0"), is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230336"><title>SRG-OS-000021-GPOS-00005</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230336r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020014</version><title>RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.</title><description><VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+If the "fail_interval" option is not set to "900" or more, is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230336"><title>SRG-OS-000021-GPOS-00005</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230336r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020014</version><title>RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.</title><description><VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
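Review bot: The replacement check-content line for V-230335 (RHEL-08-020013) inverts the fail_interval condition, from `not set to "900" or less (but not "0")` to `not set to "900" or more`, while the rule title, the fixtext value `fail_interval = 900` and the sibling faillock rules in the neighbouring hunks are otherwise unchanged. This file is a verbatim DISA reference, so the wording itself should stay as published; the point is that any project check mapped to this STIG ID that still encodes the earlier "at most 900, non-zero" reading would now disagree with the reference text, and this commit (visibly only a version bump in the profiles) does not mention reconciling it. Worth confirming against the corresponding rule and its test scenarios before the V1R3 bump lands; I cannot see that rule from here, so this is an inference from the reference text alone.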
@@ -2127,38 +1986,17 @@ auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3
auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0
account required pam_faillock.so
-If the "unlock_time" option is not set to "0" on the "preauth" and "authfail" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.</check-content></check></Rule></Group><Group id="V-230337"><title>SRG-OS-000021-GPOS-00005</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230337r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020015</version><title>RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.</title><description><VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
-
-In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
-
-From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
-
-Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000044</ident><fixtext fixref="F-32981r567758_fix">Configure the operating system to lock an account until released by an administrator when three unsuccessful logon attempts occur in 15 minutes.
-
-Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines:
-
-auth required pam_faillock.so preauth
-auth required pam_faillock.so authfail
-account required pam_faillock.so
-
-Add/Modify the "/etc/security/faillock.conf" file to match the following line:
-
-unlock_time = 0</fixtext><fix id="F-32981r567758_fix" /><check system="C-33006r567757_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check that the system locks an account after three unsuccessful logon attempts within a period of 15 minutes until released by an administrator with the following commands:
+If the "unlock_time" option is not set to "0" on the "preauth" and "authfail" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.</check-content></check></Rule></Group><Group id="V-230337"><title>SRG-OS-000021-GPOS-00005</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230337r743972_rule" weight="10.0" severity="medium"><version>RHEL-08-020015</version><title>RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.</title><description><VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
-Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
-Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files:
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
-$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth
+Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000044</ident><fixtext fixref="F-32981r743971_fix">Configure the operating system to lock an account until released by an administrator when three unsuccessful logon attempts occur in 15 minutes.
-/etc/pam.d/system-auth:auth required pam_faillock.so preauth
-/etc/pam.d/system-auth:auth required pam_faillock.so authfail
-/etc/pam.d/system-auth:account required pam_faillock.so
-/etc/pam.d/password-auth:auth required pam_faillock.so preauth
-/etc/pam.d/password-auth:auth required pam_faillock.so authfail
-/etc/pam.d/password-auth:account required pam_faillock.so preauth
+Add/Modify the "/etc/security/faillock.conf" file to match the following line:
-If the pam_failllock.so module is not present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files, this is a finding.
+unlock_time = 0</fixtext><fix id="F-32981r743971_fix" /><check system="C-33006r743970_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.
Verify the "/etc/security/faillock.conf" file is configured to lock an account until released by an administrator after three unsuccessful logon attempts:
@@ -2204,45 +2042,24 @@ auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3
auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0
account required pam_faillock.so
-If the "dir" option is not set to a non-default documented tally log directory on the "preauth" and "authfail" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.</check-content></check></Rule></Group><Group id="V-230339"><title>SRG-OS-000021-GPOS-00005</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230339r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020017</version><title>RHEL 8 must ensure account lockouts persist.</title><description><VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
-
-In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
-
-From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
-
-Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000044</ident><fixtext fixref="F-32983r567764_fix">Configure the operating system maintain the contents of the faillock directory after a reboot.
+If the "dir" option is not set to a non-default documented tally log directory on the "preauth" and "authfail" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.</check-content></check></Rule></Group><Group id="V-230339"><title>SRG-OS-000021-GPOS-00005</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230339r743975_rule" weight="10.0" severity="medium"><version>RHEL-08-020017</version><title>RHEL 8 must ensure account lockouts persist.</title><description><VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
-Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines:
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
-auth required pam_faillock.so preauth
-auth required pam_faillock.so authfail
-account required pam_faillock.so
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000044</ident><fixtext fixref="F-32983r743974_fix">Configure the operating system maintain the contents of the faillock directory after a reboot.
Add/Modify the "/etc/security/faillock.conf" file to match the following line:
-dir = /var/log/faillock</fixtext><fix id="F-32983r567764_fix" /><check system="C-33008r619903_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check that the faillock directory contents persist after a reboot with the following commands:
-
-Note: This check applies to RHEL versions 8.2 or newer. If the system is RHEL version 8.0 or 8.1, this check is not applicable.
-
-Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files:
-
-$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth
-
-/etc/pam.d/system-auth:auth required pam_faillock.so preauth
-/etc/pam.d/system-auth:auth required pam_faillock.so authfail
-/etc/pam.d/system-auth:account required pam_faillock.so
-/etc/pam.d/password-auth:auth required pam_faillock.so preauth
-/etc/pam.d/password-auth:auth required pam_faillock.so authfail
-/etc/pam.d/password-auth:account required pam_faillock.so preauth
-
-If the pam_failllock.so module is not present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files, this is a finding.
-
-Verify the "/etc/security/faillock.conf" file is configured use a non-default faillock directory to ensure contents persist after reboot:
-
-$ sudo grep 'dir =' /etc/security/faillock.conf
-
-dir = /var/log/faillock
-
+dir = /var/log/faillock</fixtext><fix id="F-32983r743974_fix" /><check system="C-33008r743973_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Note: This check applies to RHEL versions 8.2 or newer. If the system is RHEL version 8.0 or 8.1, this check is not applicable.
+
+Verify the "/etc/security/faillock.conf" file is configured use a non-default faillock directory to ensure contents persist after reboot:
+
+$ sudo grep 'dir =' /etc/security/faillock.conf
+
+dir = /var/log/faillock
+
If the "dir" option is not set to a non-default documented tally log directory, is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230340"><title>SRG-OS-000021-GPOS-00005</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230340r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020018</version><title>RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.</title><description><VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
@@ -2279,38 +2096,17 @@ auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3
auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0
account required pam_faillock.so
-If the "silent" option is missing from the "preauth" line with the "pam_faillock.so" module, this is a finding.</check-content></check></Rule></Group><Group id="V-230341"><title>SRG-OS-000021-GPOS-00005</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230341r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020019</version><title>RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.</title><description><VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
-
-In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
-
-From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
-
-Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000044</ident><fixtext fixref="F-32985r567770_fix">Configure the operating system to prevent informative messages from being presented at logon attempts.
-
-Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines:
-
-auth required pam_faillock.so preauth
-auth required pam_faillock.so authfail
-account required pam_faillock.so
-
-Add/Modify the "/etc/security/faillock.conf" file to match the following line:
-
-silent</fixtext><fix id="F-32985r567770_fix" /><check system="C-33010r567769_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check that the system prevents informative messages from being presented to the user pertaining to logon information with the following commands:
+If the "silent" option is missing from the "preauth" line with the "pam_faillock.so" module, this is a finding.</check-content></check></Rule></Group><Group id="V-230341"><title>SRG-OS-000021-GPOS-00005</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230341r743978_rule" weight="10.0" severity="medium"><version>RHEL-08-020019</version><title>RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.</title><description><VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
-Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
-Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files:
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
-$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth
+Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000044</ident><fixtext fixref="F-32985r743977_fix">Configure the operating system to prevent informative messages from being presented at logon attempts.
-/etc/pam.d/system-auth:auth required pam_faillock.so preauth
-/etc/pam.d/system-auth:auth required pam_faillock.so authfail
-/etc/pam.d/system-auth:account required pam_faillock.so
-/etc/pam.d/password-auth:auth required pam_faillock.so preauth
-/etc/pam.d/password-auth:auth required pam_faillock.so authfail
-/etc/pam.d/password-auth:account required pam_faillock.so preauth
+Add/Modify the "/etc/security/faillock.conf" file to match the following line:
-If the pam_failllock.so module is not present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files, this is a finding.
+silent</fixtext><fix id="F-32985r743977_fix" /><check system="C-33010r743976_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.
Verify the "/etc/security/faillock.conf" file is configured to prevent informative messages from being presented at logon attempts:
@@ -2356,38 +2152,17 @@ auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3
auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0
account required pam_faillock.so
-If the "audit" option is missing from the "preauth" line with the "pam_faillock.so" module, this is a finding.</check-content></check></Rule></Group><Group id="V-230343"><title>SRG-OS-000021-GPOS-00005</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230343r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020021</version><title>RHEL 8 must log user name information when unsuccessful logon attempts occur.</title><description><VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
-
-In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
-
-From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
-
-Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000044</ident><fixtext fixref="F-32987r567776_fix">Configure the operating system to log user name information when unsuccessful logon attempts occur.
-
-Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines:
-
-auth required pam_faillock.so preauth
-auth required pam_faillock.so authfail
-account required pam_faillock.so
-
-Add/Modify the "/etc/security/faillock.conf" file to match the following line:
-
-audit</fixtext><fix id="F-32987r567776_fix" /><check system="C-33012r567775_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check that the system logs user name information when unsuccessful logon attempts occur with the following commands:
+If the "audit" option is missing from the "preauth" line with the "pam_faillock.so" module, this is a finding.</check-content></check></Rule></Group><Group id="V-230343"><title>SRG-OS-000021-GPOS-00005</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230343r743981_rule" weight="10.0" severity="medium"><version>RHEL-08-020021</version><title>RHEL 8 must log user name information when unsuccessful logon attempts occur.</title><description><VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
-Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
-Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files:
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
-$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth
+Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000044</ident><fixtext fixref="F-32987r743980_fix">Configure the operating system to log user name information when unsuccessful logon attempts occur.
-/etc/pam.d/system-auth:auth required pam_faillock.so preauth
-/etc/pam.d/system-auth:auth required pam_faillock.so authfail
-/etc/pam.d/system-auth:account required pam_faillock.so
-/etc/pam.d/password-auth:auth required pam_faillock.so preauth
-/etc/pam.d/password-auth:auth required pam_faillock.so authfail
-/etc/pam.d/password-auth:account required pam_faillock.so preauth
+Add/Modify the "/etc/security/faillock.conf" file to match the following line:
-If the pam_failllock.so module is not present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files, this is a finding.
+audit</fixtext><fix id="F-32987r743980_fix" /><check system="C-33012r743979_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.
Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur:
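Review bot: Adding `audit` to /etc/security/faillock.conf (new fixtext, L6362–L6373) has no effect unless pam_faillock.so is actually enabled in the system-auth and password-auth stacks, and the rewritten fixtext no longer mentions the module at all (the old pam.d lines at L6338–L6358 were dropped). On RHEL 8.2+ that is normally done through authselect's faillock feature rather than by hand-editing the files, which is presumably why the text moved; confirm that some other V1R3 rule still requires the module and that the profile selects it, otherwise this rule can be satisfied on a host where faillock never runs. The V-230343 check content continues past the end of the hunk.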
@@ -2433,38 +2208,17 @@ auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3
auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0
account required pam_faillock.so
-If the "even_deny_root" option is missing from the "preauth" line with the "pam_faillock.so" module, this is a finding.</check-content></check></Rule></Group><Group id="V-230345"><title>SRG-OS-000021-GPOS-00005</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230345r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020023</version><title>RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.</title><description><VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
-
-In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
-
-From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
-
-Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000044</ident><fixtext fixref="F-32989r567782_fix">Configure the operating system to include root when locking an account after three unsuccessful logon attempts occur in 15 minutes.
-
-Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines:
-
-auth required pam_faillock.so preauth
-auth required pam_faillock.so authfail
-account required pam_faillock.so
-
-Add/Modify the "/etc/security/faillock.conf" file to match the following line:
-
-even_deny_root</fixtext><fix id="F-32989r567782_fix" /><check system="C-33014r567781_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check that the system includes the root account when locking an account after three unsuccessful logon attempts within a period of 15 minutes with the following commands:
+If the "even_deny_root" option is missing from the "preauth" line with the "pam_faillock.so" module, this is a finding.</check-content></check></Rule></Group><Group id="V-230345"><title>SRG-OS-000021-GPOS-00005</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230345r743984_rule" weight="10.0" severity="medium"><version>RHEL-08-020023</version><title>RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.</title><description><VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
-Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
-Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files:
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
-$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth
+Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000044</ident><fixtext fixref="F-32989r743983_fix">Configure the operating system to include root when locking an account after three unsuccessful logon attempts occur in 15 minutes.
-/etc/pam.d/system-auth:auth required pam_faillock.so preauth
-/etc/pam.d/system-auth:auth required pam_faillock.so authfail
-/etc/pam.d/system-auth:account required pam_faillock.so
-/etc/pam.d/password-auth:auth required pam_faillock.so preauth
-/etc/pam.d/password-auth:auth required pam_faillock.so authfail
-/etc/pam.d/password-auth:account required pam_faillock.so preauth
+Add/Modify the "/etc/security/faillock.conf" file to match the following line:
-If the pam_failllock.so module is not present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files, this is a finding.
+even_deny_root</fixtext><fix id="F-32989r743983_fix" /><check system="C-33014r743982_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.
Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur:
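Review bot: The check for RHEL-08-020023 (rule opened at L6470, title "must include root when automatically locking an account") still introduces its grep with "configured to log user name information when unsuccessful logon attempts occur" (context line L6552, so it is on the new side), which is the intent of RHEL-08-020021, not of the `even_deny_root` option the fixtext at L6545 sets. Since this XCCDF is vendored verbatim from DISA it should not be patched here, but the profile's mapping for V-230345 should follow the title and fixtext, and the wording is worth reporting upstream as a copy-paste error; a corrected intro would read `Verify the "/etc/security/faillock.conf" file is configured to include root when locking an account after three unsuccessful logon attempts:`. The rest of the check content lies past the end of the hunk.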
@@ -2513,31 +2267,17 @@ true
If the setting is "false", this is a finding.
-Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.</check-content></check></Rule></Group><Group id="V-230348"><title>SRG-OS-000028-GPOS-00009</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230348r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020040</version><title>RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions.</title><description><VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.</check-content></check></Rule></Group><Group id="V-230348"><title>SRG-OS-000028-GPOS-00009</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230348r743987_rule" weight="10.0" severity="medium"><version>RHEL-08-020040</version><title>RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions.</title><description><VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.
-Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000056</ident><fixtext fixref="F-32992r567791_fix">Configure the operating system to enable a user to initiate a session lock via tmux.
-
-Install the "tmux" package, if it is not already installed, by running the following command:
-
-$ sudo yum install tmux
-
-Once installed, create a global configuration file "/etc/tmux.conf" and add the following line:
-
-set -g lock-command vlock</fixtext><fix id="F-32992r567791_fix" /><check system="C-33017r567790_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system enables the user to initiate a session lock on command.
-
-Verify RHEL 8 has the "tmux" package installed, by running the following command:
+Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000056</ident><fixtext fixref="F-32992r743986_fix">Configure the operating system to enable a user to initiate a session lock via tmux.
-$ sudo yum list installed tmux
-
-tmux.x86.64 2.7-1.el8 @repository
+Create a global configuration file "/etc/tmux.conf" and add the following line:
-If "tmux" is not installed, this is a finding.
-
-Next verify that the lock-command is set in the global settings of tmux with the following command:
+set -g lock-command vlock</fixtext><fix id="F-32992r743986_fix" /><check system="C-33017r743985_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system enables the user to initiate a session lock with the following command:
$ sudo grep -i lock-command /etc/tmux.conf
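Review bot: Dropping the `yum list installed tmux` step and its "If "tmux" is not installed, this is a finding" condition (old L6649–L6668) means the new check at L6680–L6687 passes on a host that merely has `set -g lock-command vlock` in /etc/tmux.conf while no multiplexer is installed, so the lock this rule exists for may not be available at all. Neither the fix nor the check verifies that `vlock` itself exists (on RHEL 8 it is presumably shipped by the kbd package — confirm); if it is missing, tmux's lock-session fails and the terminal stays unlocked. If V1R3 moved the package requirement into its own rule, make sure the profile selects it alongside this one; if not, the profile should keep a separate tmux-installed requirement. The check content continues past the end of the hunk.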
@@ -2635,7 +2375,7 @@ $ sudo grep -i lock-after-time /etc/tmux.conf
set -g lock-after-time 900
-If "lock-after-time" is not set to "900" or less in the global tmux configuration file to enforce session lock after inactivity, this is a finding.</check-content></check></Rule></Group><Group id="V-230354"><title>SRG-OS-000029-GPOS-00010</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230354r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020080</version><title>RHEL 8 must prevent a user from overriding graphical user interface settings.</title><description><VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
+If "lock-after-time" is not set to "900" or less in the global tmux configuration file to enforce session lock after inactivity, this is a finding.</check-content></check></Rule></Group><Group id="V-230354"><title>SRG-OS-000029-GPOS-00010</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230354r743990_rule" weight="10.0" severity="medium"><version>RHEL-08-020080</version><title>RHEL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface.</title><description><VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
The session lock is implemented at the point where session activity can be determined and/or controlled.
@@ -2643,7 +2383,7 @@ Implementing session settings will have little value if a user is able to manipu
Locking these settings from non-privileged users is crucial to maintaining a protected baseline.
-Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-32998r567809_fix">Configure the operating system to prevent a user from overriding settings for graphical user interfaces.
+Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-32998r743989_fix">Configure the operating system to prevent a user from overriding settings for graphical user interfaces.
Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
@@ -2651,16 +2391,9 @@ Note: The example below is using the database "local" for the system, so if the
$ sudo touch /etc/dconf/db/local.d/locks/session
-Add the following settings to prevent non-privileged users from modifying them:
+Add the following setting to prevent non-privileged users from modifying it:
-/org/gnome/desktop/session/idle-delay
-/org/gnome/desktop/screensaver/lock-enabled
-/org/gnome/desktop/screensaver/lock-delay
-/org/gnome/settings-daemon/plugins/media-keys/logout
-/org/gnome/login-screen/disable-user-list
-/org/gnome/login-screen/banner-message-text
-/org/gnome/login-screen/banner-message-enable
-/org/gnome/desktop/lockdown/disable-lock-screen</fixtext><fix id="F-32998r567809_fix" /><check system="C-33023r567808_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system prevents a user from overriding graphical user interfaces.
+/org/gnome/desktop/screensaver/lock-delay</fixtext><fix id="F-32998r743989_fix" /><check system="C-33023r743988_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system prevents a user from overriding settings for graphical user interfaces.
Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
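Review bot: The fixtext now ends at `/org/gnome/desktop/screensaver/lock-delay` (L6815) without telling the administrator to compile the database, and a lock written to /etc/dconf/db/local.d/locks/session has no effect until `sudo dconf update` has been run. Unless an earlier part of the fixtext outside this hunk already says so, the vendored text leaves the lock ineffective, so the repository's own bash/Ansible remediation for this rule should not mirror it literally and must run `dconf update` after writing the file. The seven other lock paths removed here (idle-delay, lock-enabled, the media-keys logout binding, disable-user-list, the two banner keys, disable-lock-screen) are presumably split into separate V1R3 rules; confirm those are selected in the profile so a non-privileged user cannot still override the idle timeout.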
@@ -2674,16 +2407,9 @@ Check that graphical settings are locked from non-privileged user modification w
Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
-$ sudo grep -i 'idle\|lock\|log\|user\|banner' /etc/dconf/db/local.d/locks/*
+$ sudo grep -i lock-delay /etc/dconf/db/local.d/locks/*
-/org/gnome/desktop/session/idle-delay
-/org/gnome/desktop/screensaver/lock-enabled
/org/gnome/desktop/screensaver/lock-delay
-/org/gnome/settings-daemon/plugins/media-keys/logout
-/org/gnome/login-screen/disable-user-list
-/org/gnome/login-screen/banner-message-text
-/org/gnome/login-screen/banner-message-enable
-/org/gnome/desktop/lockdown/disable-lock-screen
If the command does not return at least the example result, this is a finding.</check-content></check></Rule></Group><Group id="V-230355"><title>SRG-OS-000068-GPOS-00036</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230355r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020090</version><title>RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication.</title><description><VulnDiscussion>Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
@@ -3089,27 +2815,19 @@ gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions.
-If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.</check-content></check></Rule></Group><Group id="V-230380"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230380r627750_rule" weight="10.0" severity="high"><version>RHEL-08-020330</version><title>RHEL 8 must not have accounts configured with blank or null passwords.</title><description><VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33024r567887_fix">Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" and add or edit the following line in "etc/ssh/sshd_config" to prevent logons with empty passwords.
+If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.</check-content></check></Rule></Group><Group id="V-230380"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230380r743993_rule" weight="10.0" severity="high"><version>RHEL-08-020330</version><title>RHEL 8 must not allow accounts configured with blank or null passwords.</title><description><VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33024r743992_fix">Edit the following line in "etc/ssh/sshd_config" to prevent logons with empty passwords.
PermitEmptyPasswords no
The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:
-$ sudo systemctl restart sshd.service
-
-Note: Manual changes to the listed files may be overwritten by the "authselect" program.</fixtext><fix id="F-33024r567887_fix" /><check system="C-33049r567886_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>To verify that null passwords cannot be used, run the following commands:
-
-$ sudo grep -i nullok /etc/pam.d/system-auth /etc/pam.d/password-auth
-
-If this produces any output, it may be possible to log on with accounts with empty passwords.
+$ sudo systemctl restart sshd.service</fixtext><fix id="F-33024r743992_fix" /><check system="C-33049r743991_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>To verify that null passwords cannot be used, run the following command:
$ sudo grep -i permitemptypasswords /etc/ssh/sshd_config
PermitEmptyPasswords no
-If "PermitEmptyPasswords" is set to "yes", or If null passwords can be used, this is a finding.
-
-Note: Manual changes to the listed files may be overwritten by the "authselect" program.</check-content></check></Rule></Group><Group id="V-230381"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230381r627750_rule" weight="10.0" severity="low"><version>RHEL-08-020340</version><title>RHEL 8 must display the date and time of the last successful account logon upon logon.</title><description><VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33025r567890_fix">Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin".
+If "PermitEmptyPasswords" is set to "yes", this is a finding.</check-content></check></Rule></Group><Group id="V-230381"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230381r627750_rule" weight="10.0" severity="low"><version>RHEL-08-020340</version><title>RHEL 8 must display the date and time of the last successful account logon upon logon.</title><description><VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33025r567890_fix">Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin".
Add the following line to the top of "/etc/pam.d/postlogin":
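Review bot: The new fixtext at L6914 still reads `Edit the following line in "etc/ssh/sshd_config"`, missing the leading slash; it should say `/etc/ssh/sshd_config`, matching the check command at L6970. More substantively, the rule now covers only sshd's `PermitEmptyPasswords`: the `nullok` removal from system-auth/password-auth and its grep were dropped (old L6910, L6951–L6959), so if V1R3 did not move that requirement into separate rules, local console and `su` logins with empty passwords are no longer caught by any rule in this file — verify the profile still selects a nullok rule. The check's finding condition (L6996) only triggers on a literal `yes`; an absent directive is fine because sshd defaults the option to `no`, but a `yes` inside a `Match` block shows up in the same grep and should be treated as a finding as well.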
@@ -3198,9 +2916,12 @@ $ sudo grep execve /etc/audit/audit.rules
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv
-If the command does not return all lines, or the lines are commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230387"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230387r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030010</version><title>Cron logging must be implemented in RHEL 8.</title><description><VulnDiscussion>Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33031r567908_fix">Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the /etc/rsyslog.d/ directory:
+If the command does not return all lines, or the lines are commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230387"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230387r743996_rule" weight="10.0" severity="medium"><version>RHEL-08-030010</version><title>Cron logging must be implemented in RHEL 8.</title><description><VulnDiscussion>Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33031r743995_fix">Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the /etc/rsyslog.d/ directory:
-cron.* /var/log/cron.log</fixtext><fix id="F-33031r567908_fix" /><check system="C-33056r567907_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that "rsyslog" is configured to log cron events with the following command:
+cron.* /var/log/cron
+
+The rsyslog daemon must be restarted for the changes to take effect:
+$ sudo systemctl restart rsyslog.service</fixtext><fix id="F-33031r743995_fix" /><check system="C-33056r743994_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that "rsyslog" is configured to log cron events with the following command:
Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files.
@@ -3208,7 +2929,7 @@ $ sudo grep -s cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf
/etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none /var/log/messages
/etc/rsyslog.conf:# Log cron stuff
-/etc/rsyslog.conf:cron.* /var/log/cron.log
+/etc/rsyslog.conf:cron.* /var/log/cron
If the command does not return a response, check for cron logging all facilities with the following command.
@@ -3264,15 +2985,15 @@ $ sudo grep disk_error_action /etc/audit/auditd.conf
disk_error_action = HALT
-If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs. If there is no evidence of appropriate action, this is a finding.</check-content></check></Rule></Group><Group id="V-230391"><title>SRG-OS-000047-GPOS-00023</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230391r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030050</version><title>The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full.</title><description><VulnDiscussion>It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.
+If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs. If there is no evidence of appropriate action, this is a finding.</check-content></check></Rule></Group><Group id="V-230391"><title>SRG-OS-000047-GPOS-00023</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230391r743998_rule" weight="10.0" severity="medium"><version>RHEL-08-030050</version><title>The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full.</title><description><VulnDiscussion>It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.
When availability is an overriding concern, other approved actions in response to an audit failure are as follows:
1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner.
-2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000140</ident><fixtext fixref="F-33035r567920_fix">Configure RHEL 8 to notify the System Administrator (SA) and Information System Security Officer (ISSO) when the audit storage volume is full by configuring the "max_log_file_action" parameter in the "/etc/audit/auditd.conf" file with the a value of "syslog" or "keep_logs":
+2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000140</ident><fixtext fixref="F-33035r743997_fix">Configure RHEL 8 to notify the System Administrator (SA) and Information System Security Officer (ISSO) when the audit storage volume is full by configuring the "max_log_file_action" parameter in the "/etc/audit/auditd.conf" file with the a value of "syslog" or "keep_logs":
-max_log_file_action=syslog</fixtext><fix id="F-33035r567920_fix" /><check system="C-33060r567919_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that the SA and ISSO (at a minimum) are notified when the audit storage volume is full.
+max_log_file_action = syslog</fixtext><fix id="F-33035r743997_fix" /><check system="C-33060r567919_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that the SA and ISSO (at a minimum) are notified when the audit storage volume is full.
Check which action RHEL 8 takes when the audit storage volume is full with the following command:
@@ -3620,7 +3341,7 @@ $ sudo grep /etc/sudoers.d/ /etc/audit/audit.rules
-w /etc/sudoers.d/ -p wa -k identity
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230411"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230411r646881_rule" weight="10.0" severity="medium"><version>RHEL-08-030180</version><title>RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.</title><description><VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
+If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230411"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230411r744000_rule" weight="10.0" severity="medium"><version>RHEL-08-030180</version><title>The RHEL 8 audit package must be installed.</title><description><VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
@@ -3630,9 +3351,9 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPO
Install the audit service (if the audit service is not already installed) with the following command:
-$ sudo yum install audit</fixtext><fix id="F-33055r646880_fix" /><check system="C-33080r646879_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the audit service is configured to produce audit records.
+$ sudo yum install audit</fixtext><fix id="F-33055r646880_fix" /><check system="C-33080r743999_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the audit service is configured to produce audit records.
-Check that the audit service is installed properly with the following command:
+Check that the audit service is installed with the following command:
$ sudo yum list installed audit
@@ -4038,17 +3759,17 @@ $ sudo grep -w "unix_chkpwd" /etc/audit/audit.rules
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230434"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230434r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030320</version><title>Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230434"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230434r744002_rule" weight="10.0" severity="medium"><version>RHEL-08-030320</version><title>Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-keysign" program is an SSH helper program for host-based authentication.
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33078r568049_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-keysign" by adding or updating the following rule in the "/etc/audit/audit.rules" file:
+Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33078r744001_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-keysign" by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33078r568049_fix" /><check system="C-33103r568048_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "ssh-keysign" by performing the following command to check the file system rules in "/etc/audit/audit.rules":
+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33078r744001_fix" /><check system="C-33103r568048_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "ssh-keysign" by performing the following command to check the file system rules in "/etc/audit/audit.rules":
$ sudo grep ssh-keysign /etc/audit/audit.rules
@@ -4744,7 +4465,7 @@ $ sudo grep audit /etc/default/grub
GRUB_CMDLINE_LINUX="audit=1"
-If "audit" is not set to "1", is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230469"><title>SRG-OS-000341-GPOS-00132</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230469r627750_rule" weight="10.0" severity="low"><version>RHEL-08-030602</version><title>RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.</title><description><VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+If "audit" is not set to "1", is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230469"><title>SRG-OS-000341-GPOS-00132</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230469r744004_rule" weight="10.0" severity="low"><version>RHEL-08-030602</version><title>RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.</title><description><VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.
@@ -4756,13 +4477,13 @@ $ sudo grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates:
-GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"</fixtext><fix id="F-33113r568154_fix" /><check system="C-33138r568153_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following commands:
+GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"</fixtext><fix id="F-33113r568154_fix" /><check system="C-33138r744003_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following commands:
$ sudo grub2-editenv - list | grep audit
kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82
-If the "audit_backlog_limit" entry does not equal "8192", is missing, or the line is commented out, this is a finding.
+If the "audit_backlog_limit" entry does not equal "8192" or greater, is missing, or the line is commented out, this is a finding.
Check the audit_backlog_limit is set to persist in kernel updates:
@@ -4770,7 +4491,7 @@ $ sudo grep audit /etc/default/grub
GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"
-If "audit_backlog_limit" is not set to "8192", is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230470"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230470r627750_rule" weight="10.0" severity="low"><version>RHEL-08-030603</version><title>RHEL 8 must enable Linux audit logging for the USBGuard daemon.</title><description><VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+If "audit_backlog_limit" is not set to "8192" or greater, is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230470"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230470r744006_rule" weight="10.0" severity="low"><version>RHEL-08-030603</version><title>RHEL 8 must enable Linux audit logging for the USBGuard daemon.</title><description><VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.
@@ -4788,9 +4509,9 @@ DoD has defined the list of events for which RHEL 8 will provide an audit record
4) All kernel module load, unload, and restart actions.
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33114r568157_fix">Configure RHEL 8 to enable Linux audit logging of the USBGuad daemon by adding or modifying the following line in "/etc/usbguard/usbguard-daemon.conf":
+Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33114r744005_fix">Configure RHEL 8 to enable Linux audit logging of the USBGuard daemon by adding or modifying the following line in "/etc/usbguard/usbguard-daemon.conf":
-AuditBackend=LinuxAudit</fixtext><fix id="F-33114r568157_fix" /><check system="C-33139r568156_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the following commands:
+AuditBackend=LinuxAudit</fixtext><fix id="F-33114r744005_fix" /><check system="C-33139r568156_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the following commands:
Note: If the USBGuard daemon is not installed and enabled, this requirement is not applicable.
@@ -4834,7 +4555,7 @@ $ sudo stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrac
755 /sbin/rsyslogd
755 /sbin/augenrules
-If any of the audit tools has a mode more permissive than "0755", this is a finding.</check-content></check></Rule></Group><Group id="V-230473"><title>SRG-OS-000256-GPOS-00097</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230473r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030630</version><title>RHEL 8 audit tools must be owned by root.</title><description><VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.
+If any of the audit tools has a mode more permissive than "0755", this is a finding.</check-content></check></Rule></Group><Group id="V-230473"><title>SRG-OS-000256-GPOS-00097</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230473r744008_rule" weight="10.0" severity="medium"><version>RHEL-08-030630</version><title>RHEL 8 audit tools must be owned by root.</title><description><VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.
RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.
@@ -4844,11 +4565,11 @@ Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPO
$ sudo chown root [audit_tool]
-Replace "[audit_tool]" with each audit tool not owned by "root".</fixtext><fix id="F-33117r568166_fix" /><check system="C-33142r568165_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the audit tools are owned by "root" to prevent any unauthorized access, deletion, or modification.
+Replace "[audit_tool]" with each audit tool not owned by "root".</fixtext><fix id="F-33117r568166_fix" /><check system="C-33142r744007_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the audit tools are owned by "root" to prevent any unauthorized access, deletion, or modification.
Check the owner of each audit tool by running the following command:
-$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslog /sbin/augenrules
+$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules
root /sbin/auditctl
root /sbin/aureport
@@ -4957,26 +4678,26 @@ $ sudo yum list installed rsyslog
rsyslog.x86_64 8.1911.0-3.el8 @AppStream
-If the "rsyslog" package is not installed, ask the administrator to indicate how audit logs are being offloaded and what packages are installed to support it. If there is no evidence of audit logs being offloaded, this is a finding.</check-content></check></Rule></Group><Group id="V-230478"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230478r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030680</version><title>RHEL 8 must have the packages required for encrypting offloaded audit logs installed.</title><description><VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+If the "rsyslog" package is not installed, ask the administrator to indicate how audit logs are being offloaded and what packages are installed to support it. If there is no evidence of audit logs being offloaded, this is a finding.</check-content></check></Rule></Group><Group id="V-230478"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230478r744011_rule" weight="10.0" severity="medium"><version>RHEL-08-030680</version><title>RHEL 8 must have the packages required for encrypting offloaded audit logs installed.</title><description><VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information systems with limited audit storage capacity.
-RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
+RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "rsyslog-gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above.
Examples of each configuration:
UDP *.* @remotesystemname
TCP *.* @@remotesystemname
RELP *.* :omrelp:remotesystemname:2514
-Note that a port number was given as there is no standard port for RELP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33122r568181_fix">Configure the operating system to encrypt offloaded audit logs by installing the required packages with the following command:
+Note that a port number was given as there is no standard port for RELP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33122r744010_fix">Configure the operating system to encrypt offloaded audit logs by installing the required packages with the following command:
-$ sudo yum install gnutls</fixtext><fix id="F-33122r568181_fix" /><check system="C-33147r568180_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system has the packages required for encrypting offloaded audit logs installed with the following commands:
+$ sudo yum install rsyslog-gnutls</fixtext><fix id="F-33122r744010_fix" /><check system="C-33147r744009_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system has the packages required for encrypting offloaded audit logs installed with the following commands:
-$ sudo yum list installed gnutls
+$ sudo yum list installed rsyslog-gnutls
-gnutls.x86_64 3.6.8-9.el8 @anaconda
+rsyslog-gnutls.x86_64 8.1911.0-3.el8 @AppStream
-If the "gnutls" package is not installed, ask the administrator to indicate how audit logs are being encrypted during offloading and what packages are installed to support it. If there is no evidence of audit logs being encrypted during offloading, this is a finding.</check-content></check></Rule></Group><Group id="V-230479"><title>SRG-OS-000342-GPOS-00133</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230479r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030690</version><title>The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited.</title><description><VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+If the "rsyslog-gnutls" package is not installed, ask the administrator to indicate how audit logs are being encrypted during offloading and what packages are installed to support it. If there is no evidence of audit logs being encrypted during offloading, this is a finding.</check-content></check></Rule></Group><Group id="V-230479"><title>SRG-OS-000342-GPOS-00133</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230479r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030690</version><title>The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited.</title><description><VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information systems with limited audit storage capacity.
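Review bot: The discussion text for RHEL-08-030680 on L7601 still describes `rsyslog-gnutls` as "a secure communications library implementing the SSL, TLS and DTLS protocols", wording inherited from the old `gnutls` text, whereas rsyslog-gnutls is the rsyslog TLS stream-driver module that links against that library rather than the library itself. The package rename is carried consistently through the fix and check (L7643, L7654, L7665, L7676), so the rule itself is coherent. This is DISA's verbatim text and cannot be corrected in the reference file, but any project rule mapped to this STIG ID by checking for the gnutls package presumably needs to be re-pointed at rsyslog-gnutls; the 6-line diffstat for products/rhel8/profiles/stig.profile suggests that mapping was not revisited in this commit.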
@@ -5064,19 +4785,17 @@ $ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog.
If the value of the "$ActionSendStreamDriverAuthMode" option is not set to "x509/name" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media.
-If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.</check-content></check></Rule></Group><Group id="V-230483"><title>SRG-OS-000343-GPOS-00134</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230483r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030730</version><title>RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.</title><description><VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001855</ident><fixtext fixref="F-33127r568196_fix">Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following lines in the /etc/audit/auditd.conf file.
+If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.</check-content></check></Rule></Group><Group id="V-230483"><title>SRG-OS-000343-GPOS-00134</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230483r744014_rule" weight="10.0" severity="medium"><version>RHEL-08-030730</version><title>RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.</title><description><VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001855</ident><fixtext fixref="F-33127r744013_fix">Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file.
space_left = 25%
-space_left_action = email
-Note: Option names and values in the auditd.conf file are case insensitive.</fixtext><fix id="F-33127r568196_fix" /><check system="C-33152r568195_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following commands:
+Note: Option names and values in the auditd.conf file are case insensitive.</fixtext><fix id="F-33127r744013_fix" /><check system="C-33152r744012_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following commands:
-$ sudo grep space_left /etc/audit/auditd.conf
+$ sudo grep -w space_left /etc/audit/auditd.conf
space_left = 25%
-space_left_action = email
-If the value of the "space_left" keyword is not set to "25%" and the "space_left_action" is not set to "email", or if these lines are commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO.
+If the value of the "space_left" keyword is not set to "25%" or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO.
If there is no evidence that real-time alerts are configured on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-230484"><title>SRG-OS-000355-GPOS-00143</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230484r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030740</version><title>RHEL 8 must securely compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).</title><description><VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
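Review bot: The V1R3 check for RHEL-08-030730 now verifies only `space_left = 25%` (L7741–L7763) — the `space_left_action = email` lines were dropped from both the fix (L7719) and the check (L7752) — yet the finding condition on L7763 and L7770 still asks how real-time alerts reach the SA and ISSO. A threshold with no configured action does not by itself produce a notification, so a system that sets only `space_left` passes this check while alerting nobody. Since this is verbatim DISA text it cannot be corrected here, but the project's STIG profile should presumably keep its space_left_action rule selected rather than treating it as no longer required by this STIG ID.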
@@ -5322,34 +5041,34 @@ $ sudo grep -ri CAN /etc/modprobe.d/* | grep -i "blacklist"
blacklist CAN
-If the command does not return any output or the output is not "blacklist CAN", and use of the CAN protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-230496"><title>SRG-OS-000095-GPOS-00049</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230496r627750_rule" weight="10.0" severity="low"><version>RHEL-08-040023</version><title>RHEL 8 must disable the stream control transmission (SCTP) protocol.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If the command does not return any output or the output is not "blacklist CAN", and use of the CAN protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-230496"><title>SRG-OS-000095-GPOS-00049</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230496r744017_rule" weight="10.0" severity="low"><version>RHEL-08-040023</version><title>RHEL 8 must disable the stream control transmission protocol (SCTP).</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Failing to disconnect unused protocols can result in a system compromise.
-The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-33140r568235_fix">Configure the operating system to disable the ability to use the SCTP protocol kernel module.
+The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-33140r744016_fix">Configure the operating system to disable the ability to use the SCTP kernel module.
Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf":
install SCTP /bin/true
blacklist SCTP
-Reboot the system for the settings to take effect.</fixtext><fix id="F-33140r568235_fix" /><check system="C-33165r568234_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system disables the ability to load the SCTP protocol kernel module.
+Reboot the system for the settings to take effect.</fixtext><fix id="F-33140r744016_fix" /><check system="C-33165r744015_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system disables the ability to load the SCTP kernel module.
$ sudo grep -ri SCTP /etc/modprobe.d/* | grep -i "/bin/true"
install SCTP /bin/true
-If the command does not return any output, or the line is commented out, and use of the SCTP protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
+If the command does not return any output, or the line is commented out, and use of the SCTP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
-Verify the operating system disables the ability to use the SCTP protocol.
+Verify the operating system disables the ability to use the SCTP.
-Check to see if the SCTP protocol is disabled with the following command:
+Check to see if the SCTP is disabled with the following command:
$ sudo grep -ri SCTP /etc/modprobe.d/* | grep -i "blacklist"
blacklist SCTP
-If the command does not return any output or the output is not "blacklist SCTP", and use of the SCTP protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-230497"><title>SRG-OS-000095-GPOS-00049</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230497r627750_rule" weight="10.0" severity="low"><version>RHEL-08-040024</version><title>RHEL 8 must disable the transparent inter-process communication (TIPC) protocol.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If the command does not return any output or the output is not "blacklist SCTP", and use of the SCTP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-230497"><title>SRG-OS-000095-GPOS-00049</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230497r627750_rule" weight="10.0" severity="low"><version>RHEL-08-040024</version><title>RHEL 8 must disable the transparent inter-process communication (TIPC) protocol.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Failing to disconnect unused protocols can result in a system compromise.
@@ -5532,27 +5251,21 @@ $ sudo firewall-cmd --info-zone=[custom] | grep target
target: DROP
-If no zones are active on the RHEL 8 interfaces or if the target is set to a different option other than "DROP", this is a finding.</check-content></check></Rule></Group><Group id="V-230505"><title>SRG-OS-000297-GPOS-00115</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230505r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040100</version><title>A firewall must be installed on RHEL 8.</title><description><VulnDiscussion>"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
+If no zones are active on the RHEL 8 interfaces or if the target is set to a different option other than "DROP", this is a finding.</check-content></check></Rule></Group><Group id="V-230505"><title>SRG-OS-000297-GPOS-00115</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230505r744020_rule" weight="10.0" severity="medium"><version>RHEL-08-040100</version><title>A firewall must be installed on RHEL 8.</title><description><VulnDiscussion>"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.
Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
-RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002314</ident><fixtext fixref="F-33149r568262_fix">Install "firewalld" and enable with the following commands:
+RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002314</ident><fixtext fixref="F-33149r744019_fix">Install "firewalld" with the following command:
-$ sudo yum install firewalld.noarch
-
-$ sudo systemctl enable firewalld</fixtext><fix id="F-33149r568262_fix" /><check system="C-33174r568261_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that "firewalld" is installed and active with the following commands:
+$ sudo yum install firewalld.noarch</fixtext><fix id="F-33149r744019_fix" /><check system="C-33174r744018_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that "firewalld" is installed with the following commands:
$ sudo yum list installed firewalld
firewalld.noarch 0.7.0-5.el8
-$ sudo systemctl is-active firewalld
-
-active
-
-If the "firewalld" package is not installed and "active", ask the System Administrator if another firewall is installed. If no firewall is installed and active this is a finding.</check-content></check></Rule></Group><Group id="V-230506"><title>SRG-OS-000299-GPOS-00117</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230506r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040110</version><title>RHEL 8 wireless network adapters must be disabled.</title><description><VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system.
+If the "firewalld" package is not installed, ask the System Administrator if another firewall is installed. If no firewall is installed this is a finding.</check-content></check></Rule></Group><Group id="V-230506"><title>SRG-OS-000299-GPOS-00117</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230506r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040110</version><title>RHEL 8 wireless network adapters must be disabled.</title><description><VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system.
This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
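Review bot: RHEL-08-040100 no longer checks that firewalld is running — `systemctl enable firewalld` left the fix (L7986 → L7990) and the `systemctl is-active firewalld` / `active` lines left the check (L8011–L8027) — so the new finding condition on L8031 is satisfied by a firewalld package that is installed but stopped or disabled. The reference text is DISA's and stays as-is, but the project's STIG profile should presumably keep its firewalld service-enabled rule selected rather than dropping it together with this STIG ID mapping. The 6-line diffstat for products/rhel8/profiles/stig.profile suggests that mapping was not revisited in this commit.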
@@ -5890,7 +5603,7 @@ $ sudo cat /etc/fstab | grep /var/tmp
/dev/mapper/rhel-var-log-audit /var/tmp xfs defaults,nodev,nosuid,noexec 0 0
-If results are returned and the "noexec" option is missing, or if /var/tmp is mounted without the "noexec" option, this is a finding.</check-content></check></Rule></Group><Group id="V-230523"><title>SRG-OS-000368-GPOS-00154</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230523r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040135</version><title>The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.</title><description><VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+If results are returned and the "noexec" option is missing, or if /var/tmp is mounted without the "noexec" option, this is a finding.</check-content></check></Rule></Group><Group id="V-230523"><title>SRG-OS-000368-GPOS-00154</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230523r744023_rule" weight="10.0" severity="medium"><version>RHEL-08-040135</version><title>The RHEL 8 fapolicy module must be installed.</title><description><VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.
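Review bot: The title of RHEL-08-040135 narrows from "must be configured to employ a deny-all, permit-by-exception policy" to "must be installed" (L8059 → L8063), so an installed fapolicyd left in permissive mode, or with no whitelist at all, now satisfies this STIG ID while the discussion text on L8070 still presents whitelisting as the control. The rule's check and fix content continue in the following hunk, which runs past the end of this view, so I have not reviewed it. Whatever project rules enforce fapolicyd enforcement mode and a permit-by-exception policy should presumably stay selected in the STIG profile even if they no longer map to this ID.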
@@ -5898,138 +5611,64 @@ User home directories/folders may contain information of a sensitive nature. Non
|
|||
|
|
|||
|
RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.
|
|||
|
|
|||
|
-Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional.
|
|||
|
-
|
|||
|
-Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001764</ident><fixtext fixref="F-33167r568316_fix">Configure RHEL 8 to employ a deny-all, permit-by-exception application whitelisting policy with "fapolicyd" using the following commands:
|
|||
|
-
|
|||
|
-Install and enable "fapolicyd":
|
|||
|
-
|
|||
|
-$ sudo yum install fapolicyd.x86_64
|
|||
|
-
|
|||
|
-$ sudo mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts
|
|||
|
-
|
|||
|
-$ sudo systemctl enable --now fapolicyd
|
|||
|
-
|
|||
|
-With the "fapolicyd" installed and enabled, configure the daemon to function in permissive mode until the whitelist is built correctly to avoid system lockout. Do this by editing the "/etc/fapolicyd/fapolicyd.conf" file with the following line:
|
|||
|
-
|
|||
|
-permissive = 1
|
|||
|
-
|
|||
|
-Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny all all".
|
|||
|
+Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers.
|
|||
|
|
|||
|
-Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file.
|
|||
|
+Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001764</ident><fixtext fixref="F-33167r744022_fix">Install "fapolicyd" with the following command:
|
|||
|
|
|||
|
-permissive = 0</fixtext><fix id="F-33167r568316_fix" /><check system="C-33192r568315_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the RHEL 8 "fapolicyd" is enabled and employs a deny-all, permit-by-exception policy.
|
|||
|
+$ sudo yum install fapolicyd.x86_64</fixtext><fix id="F-33167r744022_fix" /><check system="C-33192r744021_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the RHEL 8 "fapolicyd" is installed.
|
|||
|
|
|||
|
-Check that "fapolicyd" is installed, running, and in enforcing mode with the following commands:
|
|||
|
+Check that "fapolicyd" is installed with the following command:
|
|||
|
|
|||
|
$ sudo yum list installed fapolicyd
|
|||
|
|
|||
|
Installed Packages
|
|||
|
fapolicyd.x86_64
|
|||
|
|
|||
|
-$ sudo systemctl status fapolicyd.service
|
|||
|
+If fapolicyd is not installed, this is a finding.</check-content></check></Rule></Group><Group id="V-230524"><title>SRG-OS-000378-GPOS-00163</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230524r744026_rule" weight="10.0" severity="medium"><version>RHEL-08-040140</version><title>RHEL 8 must block unauthorized peripherals before establishing a connection.</title><description><VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
|
|||
|
|
|||
|
-fapolicyd.service - File Access Policy Daemon
|
|||
|
-Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled)
|
|||
|
-Active: active (running)
|
|||
|
+Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.
|
|||
|
|
|||
|
-$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf
|
|||
|
+A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool.
|
|||
|
|
|||
|
-permissive = 0
|
|||
|
+The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001958</ident><fixtext fixref="F-33168r744025_fix">Configure the operating system to enable the blocking of unauthorized peripherals with the following command:
|
|||
|
+This command must be run from a root shell and will create an allow list for any usb devices currently connect to the system.
|
|||
|
|
|||
|
-Check that fapolicyd employs a deny-all policy on system mounts with the following commands:
|
|||
|
+# usbguard generate-policy > /etc/usbguard/rules.conf
|
|||
|
|
|||
|
-$ sudo tail /etc/fapolicyd/fapolicyd.rules
|
|||
|
+Note: Enabling and starting usbguard without properly configuring it for an individual system will immediately prevent any access over a usb device such as a keyboard or mouse</fixtext><fix id="F-33168r744025_fix" /><check system="C-33193r744024_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the USBGuard has a policy configured with the following command:
|
|||
|
|
|||
|
-allow exe=/usr/bin/python3.4 dir=execdirs ftype=text/x-pyton
|
|||
|
-deny_audit pattern ld_so all
|
|||
|
-deny all all
|
|||
|
+$ sudo usbguard list-rules
|
|||
|
|
|||
|
-$ sudo cat /etc/fapolicyd/fapolicyd.mounts
|
|||
|
+If the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked.
|
|||
|
|
|||
|
-/dev/shm
|
|||
|
-/run
|
|||
|
-/sys/fs/cgroup
|
|||
|
-/
|
|||
|
-/home
|
|||
|
-/boot
|
|||
|
-/run/user/42
|
|||
|
-/run/user/1000
|
|||
|
+If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.</check-content></check></Rule></Group><Group id="V-230525"><title>SRG-OS-000420-GPOS-00186</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230525r744029_rule" weight="10.0" severity="medium"><version>RHEL-08-040150</version><title>A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces.</title><description><VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
|
|||
|
|
|||
|
-If fapolicyd is not running in enforcement mode on all system mounts with a deny-all, permit-by-exception policy, this is a finding.</check-content></check></Rule></Group><Group id="V-230524"><title>SRG-OS-000378-GPOS-00163</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230524r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040140</version><title>RHEL 8 must block unauthorized peripherals before establishing a connection.</title><description><VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
|
|||
|
+This requirement addresses the configuration of RHEL 8 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.
|
|||
|
|
|||
|
-Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.
|
|||
|
+Since version 0.6.0, "firewalld" has incorporated "nftables" as its backend support. Utilizing the limit statement in "nftables" can help to mitigate DoS attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002385</ident><fixtext fixref="F-33169r744028_fix">Configure "nftables" to be the default "firewallbackend" for "firewalld" by adding or editing the following line in "etc/firewalld/firewalld.conf":
|
|||
|
|
|||
|
-A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool.
|
|||
|
+FirewallBackend=nftables
|
|||
|
|
|||
|
-The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001958</ident><fixtext fixref="F-33168r568319_fix">Configure the operating system to enable the blocking of unauthorized peripherals with the following commands:
|
|||
|
+Establish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces.</fixtext><fix id="F-33169r744028_fix" /><check system="C-33194r744027_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify "nftables" is configured to allow rate limits on any connection to the system with the following command:
|
|||
|
|
|||
|
-$ sudo yum install usbguard.x86_64
|
|||
|
+Verify "firewalld" has "nftables" set as the default backend:
|
|||
|
|
|||
|
-$ sudo usbguard generate-policy > /etc/usbguard/rules.conf
|
|||
|
+$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf
|
|||
|
|
|||
|
-$ sudo systemctl enable usbguard.service
|
|||
|
+# FirewallBackend
|
|||
|
+FirewallBackend=nftables
|
|||
|
|
|||
|
-$ sudo systemctl start usbguard.service
|
|||
|
+If the "nftables" is not set as the "firewallbackend" default, this is a finding.</check-content></check></Rule></Group><Group id="V-230526"><title>SRG-OS-000423-GPOS-00187</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230526r744032_rule" weight="10.0" severity="medium"><version>RHEL-08-040160</version><title>All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.</title><description><VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
|
|||
|
|
|||
|
-Note: Enabling and starting usbguard without properly configuring it for an individual system will immediately prevent any access over a usb device such as a keyboard or mouse</fixtext><fix id="F-33168r568319_fix" /><check system="C-33193r568318_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system has enabled the use of USBGuard with the following command:
|
|||
|
+This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
|
|||
|
|
|||
|
-$ sudo systemctl status usbguard.service
|
|||
|
+Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.
|
|||
|
|
|||
|
-usbguard.service - USBGuard daemon
|
|||
|
-Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor preset: disabled)
|
|||
|
-Active: active (running)
|
|||
|
+Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002418</ident><fixtext fixref="F-33170r744031_fix">Configure the SSH service to automatically start after reboot with the following command:
|
|||
|
|
|||
|
-If the usbguard.service is not installed and active, ask the SA to indicate how unauthorized peripherals are being blocked.
|
|||
|
+$ sudo systemctl enable sshd.service</fixtext><fix id="F-33170r744031_fix" /><check system="C-33195r744030_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify SSH is loaded and active with the following command:
|
|||
|
|
|||
|
-If there is no evidence that unauthorized peripherals can be blocked before establishing a connection, this is a finding.</check-content></check></Rule></Group><Group id="V-230525"><title>SRG-OS-000420-GPOS-00186</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230525r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040150</version><title>A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces.</title><description><VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
|
|||
|
-
|
|||
|
-This requirement addresses the configuration of RHEL 8 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.
|
|||
|
-
|
|||
|
-Since version 0.6.0, "firewalld" has incorporated "nftables" as its backend support. Utilizing the limit statement in "nftables" can help to mitigate DoS attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002385</ident><fixtext fixref="F-33169r568322_fix">Install "nftables" packages onto the host with the following commands:
|
|||
|
-
|
|||
|
-$ sudo yum install nftables.x86_64 1:0.9.0-14.el8
|
|||
|
-
|
|||
|
-Configure the "nftables" service to automatically start after reboot with the following command:
|
|||
|
-
|
|||
|
-$ sudo systemctl enable nftables.service
|
|||
|
-
|
|||
|
-Configure "nftables" to be the default "firewallbackend" for "firewalld" by adding or editing the following line in "etc/firewalld/firewalld.conf":
|
|||
|
-
|
|||
|
-FirewallBackend=nftables
|
|||
|
-
|
|||
|
-Establish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces.</fixtext><fix id="F-33169r568322_fix" /><check system="C-33194r568321_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify "nftables" is configured to allow rate limits on any connection to the system with the following commands:
|
|||
|
-
|
|||
|
-Check that the "nftables.service" is active and running:
|
|||
|
-
|
|||
|
-$ sudo systemctl status nftables.service
|
|||
|
-
|
|||
|
-nftables.service - Netfilter Tables
|
|||
|
-Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
|
|||
|
-Active: active (running)
|
|||
|
-
|
|||
|
-Verify "firewalld" has "nftables" set as the default backend:
|
|||
|
-
|
|||
|
-$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf
|
|||
|
-
|
|||
|
-# FirewallBackend
|
|||
|
-FirewallBackend=nftables
|
|||
|
-
|
|||
|
-If the "nftables" is not active, running and set as the "firewallbackend" default, this is a finding.</check-content></check></Rule></Group><Group id="V-230526"><title>SRG-OS-000423-GPOS-00187</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230526r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040160</version><title>All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.</title><description><VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
|
|||
|
-
|
|||
|
-This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
|
|||
|
-
|
|||
|
-Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.
|
|||
|
-
|
|||
|
-Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002418</ident><fixtext fixref="F-33170r568325_fix">Install SSH packages onto the host with the following commands:
|
|||
|
-
|
|||
|
-$ sudo yum install openssh-server.x86_64
|
|||
|
-
|
|||
|
-Configure the SSH service to automatically start after reboot with the following command:
|
|||
|
-
|
|||
|
-$ sudo systemctl enable sshd.service</fixtext><fix id="F-33170r568325_fix" /><check system="C-33195r568324_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify SSH is loaded and active with the following command:
|
|||
|
-
|
|||
|
-$ sudo systemctl status sshd
|
|||
|
+$ sudo systemctl status sshd
|
|||
|
|
|||
|
sshd.service - OpenSSH server daemon
|
|||
|
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
|
|||
|
@@ -6038,9 +5677,7 @@ Main PID: 1348 (sshd)
|
|||
|
CGroup: /system.slice/sshd.service
|
|||
|
1053 /usr/sbin/sshd -D
|
|||
|
|
|||
|
-If "sshd" does not show a status of "active" and "running", this is a finding.
|
|||
|
-
|
|||
|
-If the "SSH server" package is not installed, this is a finding.</check-content></check></Rule></Group><Group id="V-230527"><title>SRG-OS-000033-GPOS-00014</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230527r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040161</version><title>RHEL 8 must force a frequent session key renegotiation for SSH connections to the server.</title><description><VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
|
|||
|
+If "sshd" does not show a status of "active" and "running", this is a finding.</check-content></check></Rule></Group><Group id="V-230527"><title>SRG-OS-000033-GPOS-00014</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230527r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040161</version><title>RHEL 8 must force a frequent session key renegotiation for SSH connections to the server.</title><description><VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
|
|||
|
|
|||
|
This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
|
|||
|
|
|||
|
@@ -6060,26 +5697,6 @@ $ sudo grep -i RekeyLimit /etc/ssh/sshd_config
|
|||
|
|
|||
|
RekeyLimit 1G 1h
|
|||
|
|
|||
|
-If "RekeyLimit" does not have a maximum data amount and maximum time defined, is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230528"><title>SRG-OS-000033-GPOS-00014</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230528r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040162</version><title>RHEL 8 must force a frequent session key renegotiation for SSH connections by the client.</title><description><VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
|
|||
|
-
|
|||
|
-This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
|
|||
|
-
|
|||
|
-Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.
|
|||
|
-
|
|||
|
-Session key regeneration limits the chances of a session key becoming compromised.
|
|||
|
-
|
|||
|
-Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000420-GPOS-00186, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000068</ident><fixtext fixref="F-33172r568331_fix">Configure the system to force a frequent session key renegotiation for SSH connections by the client by add or modifying the following line in the "/etc/ssh/ssh_config" file:
|
|||
|
-
|
|||
|
-RekeyLimit 1G 1h
|
|||
|
-
|
|||
|
-Restart the SSH daemon for the settings to take effect.
|
|||
|
-
|
|||
|
-$ sudo systemctl restart sshd.service</fixtext><fix id="F-33172r568331_fix" /><check system="C-33197r568330_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the SSH client is configured to force frequent session key renegotiation with the following command:
|
|||
|
-
|
|||
|
-$ sudo grep -i RekeyLimit /etc/ssh/ssh_config
|
|||
|
-
|
|||
|
-RekeyLimit 1G 1h
|
|||
|
-
|
|||
|
If "RekeyLimit" does not have a maximum data amount and maximum time defined, is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230529"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230529r627750_rule" weight="10.0" severity="high"><version>RHEL-08-040170</version><title>The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.</title><description><VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33173r619888_fix">Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following command:
|
|||
|
|
|||
|
$ sudo systemctl mask ctrl-alt-del.target
|
|||
|
@@ -6157,28 +5774,23 @@ If the account is associated with system commands or applications, the UID shoul
$ sudo awk -F: '$3 == 0 {print $1}' /etc/passwd
-If any accounts other than root have a UID of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-230535"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230535r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040210</version><title>RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33179r568352_fix">Configure RHEL 8 to prevent ICMP redirect messages from being accepted with the following command:
-
-$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
+If any accounts other than root have a UID of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-230535"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230535r744035_rule" weight="10.0" severity="medium"><version>RHEL-08-040210</version><title>RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33179r744034_fix">Configure RHEL 8 to prevent IPv6 ICMP redirect messages from being accepted with the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d":
-net.ipv4.conf.default.accept_redirects=0
-
-net.ipv6.conf.default.accept_redirects=0</fixtext><fix id="F-33179r568352_fix" /><check system="C-33204r568351_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 will not accept ICMP redirect messages.
+net.ipv6.conf.default.accept_redirects=0</fixtext><fix id="F-33179r744034_fix" /><check system="C-33204r744033_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 will not accept IPv6 ICMP redirect messages.
-Note: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version.
+Note: If IPv6 is disabled on the system, this requirement is Not Applicable.
Check the value of the default "accept_redirects" variables with the following command:
-$ sudo sysctl net.ipv4.conf.default.accept_redirects net.ipv6.conf.default.accept_redirects
+$ sudo sysctl net.ipv6.conf.default.accept_redirects
-net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
-If the returned lines do not have a value of "0", or a line is not returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230536"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230536r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040220</version><title>RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
+If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230536"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230536r744037_rule" weight="10.0" severity="medium"><version>RHEL-08-040220</version><title>RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33180r568355_fix">Configure RHEL 8 to not allow interfaces to perform IPv4 ICMP redirects with the following command:
@@ -6186,9 +5798,9 @@ $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d":
-net.ipv4.conf.all.send_redirects=0</fixtext><fix id="F-33180r568355_fix" /><check system="C-33205r568354_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not IPv4 ICMP redirect messages.
+net.ipv4.conf.all.send_redirects=0</fixtext><fix id="F-33180r568355_fix" /><check system="C-33205r744036_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not IPv4 ICMP redirect messages.
-Note: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version.
+Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
Check the value of the "all send_redirects" variables with the following command:
@@ -6196,7 +5808,7 @@ $ sudo sysctl net.ipv4.conf.all.send_redirects
net.ipv4.conf.all.send_redirects = 0
-If the returned line does not have a value of "0", or a line is not returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230537"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230537r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040230</version><title>RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.</title><description><VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.
+If the returned line does not have a value of "0", or a line is not returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230537"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230537r744039_rule" weight="10.0" severity="medium"><version>RHEL-08-040230</version><title>RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.</title><description><VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.
There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33181r568358_fix">Configure RHEL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address with the following command:
@@ -6204,59 +5816,48 @@ $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
If "1" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d":
-net.ipv4.icmp_echo_ignore_broadcasts=1</fixtext><fix id="F-33181r568358_fix" /><check system="C-33206r568357_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not respond to ICMP echoes sent to a broadcast address.
-
-Note: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version.
+net.ipv4.icmp_echo_ignore_broadcasts=1</fixtext><fix id="F-33181r568358_fix" /><check system="C-33206r744038_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not respond to ICMP echoes sent to a broadcast address.
+Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
Check the value of the "icmp_echo_ignore_broadcasts" variable with the following command:
$ sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
-If the returned line does not have a value of "1", a line is not returned, or the retuned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230538"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230538r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040240</version><title>RHEL 8 must not forward source-routed packets.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33182r568361_fix">Configure RHEL 8 to not forward source-routed packets with the following commands:
-
-$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
+If the returned line does not have a value of "1", a line is not returned, or the retuned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230538"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230538r744042_rule" weight="10.0" severity="medium"><version>RHEL-08-040240</version><title>RHEL 8 must not forward IPv6 source-routed packets.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33182r744041_fix">Configure RHEL 8 to not forward IPv6 source-routed packets with the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
-If "0" is not the system's all value then add or update the following lines in the appropriate file under "/etc/sysctl.d":
-
-net.ipv4.conf.all.accept_source_route=0
+If "0" is not the system's all value then add or update the following line in the appropriate file under "/etc/sysctl.d":
-net.ipv6.conf.all.accept_source_route=0</fixtext><fix id="F-33182r568361_fix" /><check system="C-33207r568360_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept source-routed packets.
+net.ipv6.conf.all.accept_source_route=0</fixtext><fix id="F-33182r744041_fix" /><check system="C-33207r744040_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept IPv6 source-routed packets.
-Note: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version.
+Note: If IPv6 is disabled on the system, this requirement is Not Applicable.
Check the value of the accept source route variable with the following command:
-$ sudo sysctl net.ipv4.conf.all.accept_source_route net.ipv6.conf.all.accept_source_route
+$ sudo sysctl net.ipv6.conf.all.accept_source_route
-net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
-If the returned lines do not have a value of "0", a line is not returned, or either returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230539"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230539r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040250</version><title>RHEL 8 must not forward source-routed packets by default.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33183r568364_fix">Configure RHEL 8 to not forward source-routed packets by default with the following commands:
-
-$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
+If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230539"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230539r744045_rule" weight="10.0" severity="medium"><version>RHEL-08-040250</version><title>RHEL 8 must not forward IPv6 source-routed packets by default.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33183r744044_fix">Configure RHEL 8 to not forward IPv6 source-routed packets by default with the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
-If "0" is not the system's default value then add or update the following lines in the appropriate file under "/etc/sysctl.d":
-
-net.ipv4.conf.default.accept_source_route=0
+If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d":
-net.ipv6.conf.default.accept_source_route=0</fixtext><fix id="F-33183r568364_fix" /><check system="C-33208r568363_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept source-routed packets by default.
+net.ipv6.conf.default.accept_source_route=0</fixtext><fix id="F-33183r744044_fix" /><check system="C-33208r744043_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept IPv6 source-routed packets by default.
-Note: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version.
+Note: If IPv6 is disabled on the system, this requirement is Not Applicable.
Check the value of the accept source route variable with the following command:
-$ sudo sysctl net.ipv4.conf.default.accept_source_route net.ipv6.conf.default.accept_source_route
+$ sudo sysctl net.ipv6.conf.default.accept_source_route
-net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
-If the returned lines do not have a value of "0", a line is not returned, or either returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230540"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230540r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040260</version><title>RHEL 8 must not be performing packet forwarding unless the system is a router.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33184r568367_fix">Configure RHEL 8 to not allow packet forwarding, unless the system is a router with the following commands:
+If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230540"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230540r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040260</version><title>RHEL 8 must not be performing packet forwarding unless the system is a router.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33184r568367_fix">Configure RHEL 8 to not allow packet forwarding, unless the system is a router with the following commands:
$ sudo sysctl -w net.ipv4.ip_forward=0
@@ -6316,7 +5917,7 @@ $ sudo sysctl net.ipv6.conf.default.accept_ra
net.ipv6.conf.default.accept_ra = 0
-If the "accept_ra" value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-230543"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230543r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040270</version><title>RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
+If the "accept_ra" value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-230543"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230543r744047_rule" weight="10.0" severity="medium"><version>RHEL-08-040270</version><title>RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33187r568376_fix">Configure RHEL 8 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default with the following command:
@@ -6324,9 +5925,9 @@ $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d":
-net.ipv4.conf.default.send_redirects=0</fixtext><fix id="F-33187r568376_fix" /><check system="C-33212r568375_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.
+net.ipv4.conf.default.send_redirects=0</fixtext><fix id="F-33187r568376_fix" /><check system="C-33212r744046_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.
-Note: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version.
+Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
Check the value of the "default send_redirects" variables with the following command:
@@ -6334,28 +5935,23 @@ $ sudo sysctl net.ipv4.conf.default.send_redirects
net.ipv4.conf.default.send_redirects=0
-If the returned line does not have a value of "0", or a line is not returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230544"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230544r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040280</version><title>RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33188r568379_fix">Configure RHEL 8 to ignore ICMP redirect messages with the following commands:
-
-$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
+If the returned line does not have a value of "0", or a line is not returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230544"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230544r744050_rule" weight="10.0" severity="medium"><version>RHEL-08-040280</version><title>RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33188r744049_fix">Configure RHEL 8 to ignore IPv6 ICMP redirect messages with the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
-If "0" is not the system's default value then add or update the following lines in the appropriate file under "/etc/sysctl.d":
-
-net.ipv4.conf.all.accept_redirects = 0
+If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d":
-net.ipv6.conf.all.accept_redirects = 0</fixtext><fix id="F-33188r568379_fix" /><check system="C-33213r568378_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 ignores ICMP redirect messages.
+net.ipv6.conf.all.accept_redirects = 0</fixtext><fix id="F-33188r744049_fix" /><check system="C-33213r744048_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 ignores IPv6 ICMP redirect messages.
-Note: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version.
+Note: If IPv6 is disabled on the system, this requirement is Not Applicable.
Check the value of the "accept_redirects" variables with the following command:
-$ sudo sysctl net.ipv4.conf.all.accept_redirects net.ipv6.conf.all.accept_redirects
+$ sudo sysctl net.ipv6.conf.all.accept_redirects
-net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
-If both of the returned lines do not have a value of "0", or a line is not returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230545"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230545r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040281</version><title>RHEL 8 must disable access to network bpf syscall from unprivileged processes.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33189r568382_fix">Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file in the "/etc/sysctl.d" directory:
+If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230545"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230545r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040281</version><title>RHEL 8 must disable access to network bpf syscall from unprivileged processes.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33189r568382_fix">Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file in the "/etc/sysctl.d" directory:
kernel.unprivileged_bpf_disabled = 1
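Review bot: The rewritten fixtext and check-content for V-230544 (RHEL-08-040280) now cover only `net.ipv6.conf.all.accept_redirects`, so the `net.ipv4.conf.all.accept_redirects = 0` requirement this rule ID used to carry has no home in this hunk, while the diffstat shows only profile version bumps and no rule.yml reference updates. If the content's IPv4 accept_redirects sysctl rule cites `stigid@rhel8: RHEL-08-040280`, that reference is now stale and should be re-pointed to whichever V1R3 rule carries the IPv4 variant (or the profile should record why the rule stays selected); otherwise the IPv4 half may be pruned from the STIG profile and the ICMP-redirect MITM defense on IPv4 hosts silently weakened. The new check text also adds "or the line is commented out" as a finding, so the implementing OVAL must not pass on a commented `#net.ipv6.conf.all.accept_redirects` entry under /etc/sysctl.d. The V-230545 group opened at the end of this hunk continues past it.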
@@ -6656,4 +6252,664 @@ Note: The "[value]" must be a number that is greater than or equal to "0".</fixt
$ sudo grep -i 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/*
/etc/sudoers:Defaults timestamp_timout=0
-If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.</check-content></check></Rule></Group></Benchmark>
\ No newline at end of file
+If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-244519"><title>SRG-OS-000023-GPOS-00006</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244519r743806_rule" weight="10.0" severity="medium"><version>RHEL-08-010049</version><title>RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.</title><description><VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+
+Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000048</ident><fixtext fixref="F-47751r743805_fix">Configure the operating system to display a banner before granting access to the system.
+
+Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable.
+
+Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:
+
+$ sudo touch /etc/dconf/db/local.d/01-banner-message
+
+Add the following lines to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message":
+
+[org/gnome/login-screen]
+
+banner-message-enable=true
+
+Run the following command to update the database:
+
+$ sudo dconf update</fixtext><fix id="F-47751r743805_fix" /><check system="C-47794r743804_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 displays a banner before granting access to the operating system via a graphical user logon.
+
+Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
+
+Check to see if the operating system displays a banner at the logon screen with the following command:
+
+$ sudo grep banner-message-enable /etc/dconf/db/local.d/*
+
+banner-message-enable=true
+
+If "banner-message-enable" is set to "false" or is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-244520"><title>SRG-OS-000073-GPOS-00041</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244520r743809_rule" weight="10.0" severity="medium"><version>RHEL-08-010131</version><title>The RHEL 8 system-auth file must be configured to use a sufficient number of hashing rounds.</title><description><VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.
+
+Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000196</ident><fixtext fixref="F-47752r743808_fix">Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash.
+
+Edit/modify the following line in the "etc/pam.d/system-auth" file and set "rounds" to a value no lower than "5000":
+
+password sufficient pam_unix.so sha512 rounds=5000</fixtext><fix id="F-47752r743808_fix" /><check system="C-47795r743807_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check that a minimum number of hash rounds is configured by running the following command:
+
+$ sudo grep rounds /etc/pam.d/system-auth
+
+password sufficient pam_unix.so sha512 rounds=5000
+
+If "rounds" has a value below "5000", or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-244521"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244521r743812_rule" weight="10.0" severity="medium"><version>RHEL-08-010141</version><title>RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.</title><description><VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-47753r743811_fix">Configure the system to have a unique name for the grub superusers account.
+
+Edit the /etc/grub.d/01_users file and add or modify the following lines:
+
+set superusers="[someuniquestringhere]"
+export superusers
+password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}
+
+Generate a new grub.cfg file with the following command:
+
+$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</fixtext><fix id="F-47753r743811_fix" /><check system="C-47796r743810_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>For systems that use BIOS, this is Not Applicable.
+
+Verify that a unique name is set as the "superusers" account:
+
+$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
+set superusers="[someuniquestringhere]"
+export superusers
+
+If "superusers" is not set to a unique name or is missing a name, this is a finding.</check-content></check></Rule></Group><Group id="V-244522"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244522r743815_rule" weight="10.0" severity="medium"><version>RHEL-08-010149</version><title>RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.</title><description><VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-47754r743814_fix">Configure the system to have a unique name for the grub superusers account.
+
+Edit the /etc/grub.d/01_users file and add or modify the following lines:
+
+set superusers="[someuniquestringhere]"
+export superusers
+password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}
+
+Generate a new grub.cfg file with the following command:
+
+$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg</fixtext><fix id="F-47754r743814_fix" /><check system="C-47797r743813_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>For systems that use UEFI, this is Not Applicable.
+
+Verify that a unique name is set as the "superusers" account:
+
+$ sudo grep -iw "superusers" /boot/grub2/grub.cfg
+set superusers="[someuniquestringhere]"
+export superusers
+
+If "superusers" is not set to a unique name or is missing a name, this is a finding.</check-content></check></Rule></Group><Group id="V-244523"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244523r743818_rule" weight="10.0" severity="medium"><version>RHEL-08-010152</version><title>RHEL 8 operating systems must require authentication upon booting into emergency mode.</title><description><VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-47755r743817_fix">Configure the system to require authentication upon booting into emergency mode by adding the following line to the "/usr/lib/systemd/system/emergency.service" file.
+
+ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency</fixtext><fix id="F-47755r743817_fix" /><check system="C-47798r743816_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check to see if the system requires authentication for emergency mode with the following command:
+
+$ sudo grep sulogin-shell /usr/lib/systemd/system/emergency.service
+
+ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
+
+If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell emergency", commented out, or missing, this is a finding.</check-content></check></Rule></Group><Group id="V-244524"><title>SRG-OS-000120-GPOS-00061</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244524r743821_rule" weight="10.0" severity="medium"><version>RHEL-08-010159</version><title>The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.</title><description><VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
+
+RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
+
+FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000803</ident><fixtext fixref="F-47756r743820_fix">Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
+
+Edit/modify the following line in the "/etc/pam.d/system-auth" file to include the sha512 option for pam_unix.so:
+
+password sufficient pam_unix.so sha512 rounds=5000</fixtext><fix id="F-47756r743820_fix" /><check system="C-47799r743819_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that pam_unix.so module is configured to use sha512.
+
+Check that pam_unix.so module is configured to use sha512 in /etc/pam.d/system-auth with the following command:
+
+$ sudo grep password /etc/pam.d/system-auth | grep pam_unix
+
+password sufficient pam_unix.so sha512 rounds=5000
+
+If "sha512" is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-244525"><title>SRG-OS-000163-GPOS-00072</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244525r743824_rule" weight="10.0" severity="medium"><version>RHEL-08-010201</version><title>The RHEL 8 SSH daemon must be configured with a timeout interval.</title><description><VulnDiscussion>Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
+
+Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
+
+RHEL 8 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.
+
+Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000126-GPOS-00066, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001133</ident><fixtext fixref="F-47757r743823_fix">Configure RHEL 8 to automatically terminate all network connections associated with SSH traffic at the end of a session or after 10 minutes of inactivity.
+
+Modify or append the following lines in the "/etc/ssh/sshd_config" file:
+
+ClientAliveInterval 600
+
+In order for the changes to take effect, the SSH daemon must be restarted.
+
+$ sudo systemctl restart sshd.service</fixtext><fix id="F-47757r743823_fix" /><check system="C-47800r743822_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity.
+
+Check that the "ClientAliveInterval" variable is set to a value of "600" or less by performing the following command:
+
+$ sudo grep -i clientalive /etc/ssh/sshd_config
+
+ClientAliveInterval 600
+ClientAliveCountMax 0
+
+If "ClientAliveInterval" does not exist, does not have a value of "600" or less in "/etc/ssh/sshd_config", or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-244526"><title>SRG-OS-000250-GPOS-00093</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244526r743827_rule" weight="10.0" severity="medium"><version>RHEL-08-010287</version><title>The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.</title><description><VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
+
+RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory.
+
+Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-47758r743826_fix">Configure the RHEL 8 SSH daemon to use system-wide crypto policies by adding the following line to /etc/sysconfig/sshd:
+
+# crypto_policy=
+
+A reboot is required for the changes to take effect.</fixtext><fix id="F-47758r743826_fix" /><check system="C-47801r743825_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that system-wide crypto policies are in effect:
+
+$ sudo grep -i crypto_policy /etc/sysconfig/sshd
+
+# crypto_policy=
+
+If the "crypto_policy" is uncommented, this is a finding.</check-content></check></Rule></Group><Group id="V-244527"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244527r743830_rule" weight="10.0" severity="low"><version>RHEL-08-010472</version><title>RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.</title><description><VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.
|
|||
|
+
|
|||
|
+The rngd service feeds random data from hardware device to kernel random device. Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47759r743829_fix">Install the packages required to enabled the hardware random number generator entropy gatherer service with the following command:
|
|||
|
+
|
|||
|
+$ sudo yum install rng-tools</fixtext><fix id="F-47759r743829_fix" /><check system="C-47802r743828_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check that RHEL 8 has the packages required to enabled the hardware random number generator entropy gatherer service with the following command:
|
|||
|
+
|
|||
|
+$ sudo yum list installed rng-tools
|
|||
|
+
|
|||
|
+rng-tools.x86_64 6.8-3.el8 @anaconda
|
|||
|
+
|
|||
|
+If the "rng-tools" package is not installed, this is a finding.</check-content></check></Rule></Group><Group id="V-244528"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244528r743833_rule" weight="10.0" severity="medium"><version>RHEL-08-010522</version><title>The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.</title><description><VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47760r743832_fix">Configure the SSH daemon to not allow GSSAPI authentication.
|
|||
|
+
|
|||
|
+Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no":
|
|||
|
+
|
|||
|
+GSSAPIAuthentication no
|
|||
|
+
|
|||
|
+The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:
|
|||
|
+
|
|||
|
+$ sudo systemctl restart sshd.service</fixtext><fix id="F-47760r743832_fix" /><check system="C-47803r743831_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the SSH daemon does not allow GSSAPI authentication with the following command:
|
|||
|
+
|
|||
|
+$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config
|
|||
|
+
|
|||
|
+GSSAPIAuthentication no
|
|||
|
+
|
|||
|
+If the value is returned as "yes", the returned line is commented out, no output is returned, or has not been documented with the ISSO, this is a finding.</check-content></check></Rule></Group><Group id="V-244529"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244529r743836_rule" weight="10.0" severity="medium"><version>RHEL-08-010544</version><title>RHEL 8 must use a separate file system for /var/tmp.</title><description><VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47761r743835_fix">Migrate the "/var/tmp" path onto a separate file system.</fixtext><fix id="F-47761r743835_fix" /><check system="C-47804r743834_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that a separate file system/partition has been created for "/var/tmp".
|
|||
|
+
|
|||
|
+Check that a file system/partition has been created for "/var/tmp" with the following command:
|
|||
|
+
|
|||
|
+$ sudo grep /var/tmp /etc/fstab
|
|||
|
+
|
|||
|
+UUID=c274f65f /var/tmp xfs noatime,nobarrier 1 2
|
|||
|
+
|
|||
|
+If a separate entry for "/var/tmp" is not in use, this is a finding.</check-content></check></Rule></Group><Group id="V-244530"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244530r743839_rule" weight="10.0" severity="medium"><version>RHEL-08-010572</version><title>RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.</title><description><VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47762r743838_fix">Configure the "/etc/fstab" to use the "nosuid" option on the /boot/efi directory.</fixtext><fix id="F-47762r743838_fix" /><check system="C-47805r743837_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>For systems that use BIOS, this is Not Applicable.
|
|||
|
+
|
|||
|
+Verify the /boot/efi directory is mounted with the "nosuid" option with the following command:
|
|||
|
+
|
|||
|
+$ sudo mount | grep '\s/boot/efi\s'
|
|||
|
+
|
|||
|
+/dev/sda1 on /boot/efi type xfs (rw,nosuid,relatime,seclabe,attr2,inode64,noquota)
|
|||
|
+
|
|||
|
+If the /boot/efi file system does not have the "nosuid" option set, this is a finding.</check-content></check></Rule></Group><Group id="V-244531"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244531r743842_rule" weight="10.0" severity="medium"><version>RHEL-08-010731</version><title>All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive.</title><description><VulnDiscussion>Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47763r743841_fix">Set the mode on files and directories in the local interactive user home directory with the following command:
|
|||
|
+
|
|||
|
+Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group.
|
|||
|
+
|
|||
|
+$ sudo chmod 0750 /home/smithj/<file or directory></fixtext><fix id="F-47763r743841_fix" /><check system="C-47806r743840_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify all files and directories contained in a local interactive user home directory, excluding local initialization files, have a mode of "0750".
|
|||
|
+Files that begin with a "." are excluded from this requirement.
|
|||
|
+
|
|||
|
+Note: The example will be for the user "smithj", who has a home directory of "/home/smithj".
|
|||
|
+
|
|||
|
+$ sudo ls -lLR /home/smithj
|
|||
|
+-rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1
|
|||
|
+-rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2
|
|||
|
+-rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3
|
|||
|
+
|
|||
|
+If any files or directories are found with a mode more permissive than "0750", this is a finding.</check-content></check></Rule></Group><Group id="V-244532"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244532r743845_rule" weight="10.0" severity="medium"><version>RHEL-08-010741</version><title>RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.</title><description><VulnDiscussion>If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47764r743844_fix">Change the group of a local interactive user's files and directories to a group that the interactive user is a member. To change the group owner of a local interactive user's files and directories, use the following command:
|
|||
|
+
|
|||
|
+Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group.
|
|||
|
+
|
|||
|
+$ sudo chgrp smithj /home/smithj/<file or directory></fixtext><fix id="F-47764r743844_fix" /><check system="C-47807r743843_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify all files and directories in a local interactive user home directory are group-owned by a group that the user is a member.
|
|||
|
+
|
|||
|
+Check the group owner of all files and directories in a local interactive user's home directory with the following command:
|
|||
|
+
|
|||
|
+Note: The example will be for the user "smithj", who has a home directory of "/home/smithj".
|
|||
|
+
|
|||
|
+$ sudo ls -lLR /<home directory>/<users home directory>/
|
|||
|
+-rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1
|
|||
|
+-rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2
|
|||
|
+-rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3
|
|||
|
+
|
|||
|
+If any files found with a group-owner different from the home directory user private group, check to see if the user is a member of that group with the following command:
|
|||
|
+
|
|||
|
+$ sudo grep smithj /etc/group
|
|||
|
+sa:x:100:juan,shelley,bob,smithj
|
|||
|
+smithj:x:521:smithj
|
|||
|
+
|
|||
|
+If any files or directories are group owned by a group that the directory owner is not a member of, this is a finding.</check-content></check></Rule></Group><Group id="V-244533"><title>SRG-OS-000021-GPOS-00005</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244533r743848_rule" weight="10.0" severity="medium"><version>RHEL-08-020025</version><title>RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.</title><description><VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
|
|||
|
+
|
|||
|
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
|
|||
|
+
|
|||
|
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
|
|||
|
+The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password.
|
|||
|
+
|
|||
|
+Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000044</ident><fixtext fixref="F-47765r743847_fix">Configure the operating system to include the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
|
|||
|
+
|
|||
|
+Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" file to match the following lines:
|
|||
|
+Note: The "preauth" line must be listed before pam_unix.so.
|
|||
|
+
|
|||
|
+auth required pam_faillock.so preauth
|
|||
|
+auth required pam_faillock.so authfail
|
|||
|
+account required pam_faillock.so</fixtext><fix id="F-47765r743847_fix" /><check system="C-47808r743846_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.
|
|||
|
+
|
|||
|
+Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" file:
|
|||
|
+
|
|||
|
+$ sudo grep pam_faillock.so /etc/pam.d/system-auth
|
|||
|
+
|
|||
|
+auth required pam_faillock.so preauth
|
|||
|
+auth required pam_faillock.so authfail
|
|||
|
+account required pam_faillock.so
|
|||
|
+If the pam_faillock.so module is not present in the "/etc/pam.d/system-auth" file with the "preauth" line listed before pam_unix.so, this is a finding.</check-content></check></Rule></Group><Group id="V-244534"><title>SRG-OS-000021-GPOS-00005</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244534r743851_rule" weight="10.0" severity="medium"><version>RHEL-08-020026</version><title>RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.</title><description><VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
|
|||
|
+
|
|||
|
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
|
|||
|
+
|
|||
|
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
|
|||
|
+The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password.
|
|||
|
+
|
|||
|
+Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000044</ident><fixtext fixref="F-47766r743850_fix">Configure the operating system to include the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
|
|||
|
+
|
|||
|
+Add/Modify the appropriate sections of the "/etc/pam.d/password-auth" file to match the following lines:
|
|||
|
+Note: The "preauth" line must be listed before pam_unix.so.
|
|||
|
+
|
|||
|
+auth required pam_faillock.so preauth
|
|||
|
+auth required pam_faillock.so authfail
|
|||
|
+account required pam_faillock.so</fixtext><fix id="F-47766r743850_fix" /><check system="C-47809r743849_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.
|
|||
|
+
|
|||
|
+Verify the pam_faillock.so module is present in the "/etc/pam.d/password-auth" file:
|
|||
|
+
|
|||
|
+$ sudo grep pam_faillock.so /etc/pam.d/password-auth
|
|||
|
+
|
|||
|
+auth required pam_faillock.so preauth
|
|||
|
+auth required pam_faillock.so authfail
|
|||
|
+account required pam_faillock.so
|
|||
|
+
|
|||
|
+If the pam_faillock.so module is not present in the "/etc/pam.d/password-auth" file with the "preauth" line listed before pam_unix.so, this is a finding.</check-content></check></Rule></Group><Group id="V-244535"><title>SRG-OS-000029-GPOS-00010</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244535r743854_rule" weight="10.0" severity="medium"><version>RHEL-08-020031</version><title>RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.</title><description><VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
|
|||
|
+
|
|||
|
+The session lock is implemented at the point where session activity can be determined and/or controlled.
|
|||
|
+
|
|||
|
+Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-47767r743853_fix">Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated.
|
|||
|
+
|
|||
|
+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
|
|||
|
+
|
|||
|
+Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.
|
|||
|
+
|
|||
|
+$ sudo touch /etc/dconf/db/local.d/00-screensaver
|
|||
|
+
|
|||
|
+[org/gnome/desktop/screensaver]
|
|||
|
+lock-delay=uint32 5
|
|||
|
+
|
|||
|
+The "uint32" must be included along with the integer key values as shown.
|
|||
|
+
|
|||
|
+Update the system databases:
|
|||
|
+
|
|||
|
+$ sudo dconf update</fixtext><fix id="F-47767r743853_fix" /><check system="C-47810r743852_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated with the following command:
|
|||
|
+
|
|||
|
+Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
|
|||
|
+
|
|||
|
+$ sudo gsettings get org.gnome.desktop.screensaver lock-delay
|
|||
|
+
|
|||
|
+uint32 5
|
|||
|
+
|
|||
|
+If the "uint32" setting is missing, or is not set to "5" or less, this is a finding.</check-content></check></Rule></Group><Group id="V-244536"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244536r743857_rule" weight="10.0" severity="medium"><version>RHEL-08-020032</version><title>RHEL 8 must disable the user list at logon for graphical user interfaces.</title><description><VulnDiscussion>Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47768r743856_fix">Configure the operating system to disable the user list at logon for graphical user interfaces.
|
|||
|
+
|
|||
|
+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
|
|||
|
+Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.
|
|||
|
+
|
|||
|
+$ sudo touch /etc/dconf/db/local.d/02-login-screen
|
|||
|
+
|
|||
|
+[org/gnome/login-screen]
|
|||
|
+disable-user-list=true
|
|||
|
+
|
|||
|
+Update the system databases:
|
|||
|
+$ sudo dconf update</fixtext><fix id="F-47768r743856_fix" /><check system="C-47811r743855_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system disables the user logon list for graphical user interfaces with the following command:
|
|||
|
+Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
|
|||
|
+
|
|||
|
+$ sudo gsettings get org.gnome.login-screen disable-user-list
|
|||
|
+true
|
|||
|
+
|
|||
|
+If the setting is "false", this is a finding.</check-content></check></Rule></Group><Group id="V-244537"><title>SRG-OS-000028-GPOS-00009</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244537r743860_rule" weight="10.0" severity="medium"><version>RHEL-08-020039</version><title>RHEL 8 must have the tmux package installed.</title><description><VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
|
|||
|
+The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
|
|||
|
+Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.
|
|||
|
+
|
|||
|
+Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000056</ident><fixtext fixref="F-47769r743859_fix">Configure the operating system to enable a user to initiate a session lock via tmux.
|
|||
|
+
|
|||
|
+Install the "tmux" package, if it is not already installed, by running the following command:
|
|||
|
+
|
|||
|
+$ sudo yum install tmux</fixtext><fix id="F-47769r743859_fix" /><check system="C-47812r743858_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 has the "tmux" package installed, by running the following command:
|
|||
|
+
|
|||
|
+$ sudo yum list installed tmux
|
|||
|
+
|
|||
|
+tmux.x86.64 2.7-1.el8 @repository
|
|||
|
+
|
|||
|
+If "tmux" is not installed, this is a finding.</check-content></check></Rule></Group><Group id="V-244538"><title>SRG-OS-000029-GPOS-00010</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244538r743863_rule" weight="10.0" severity="medium"><version>RHEL-08-020081</version><title>RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.</title><description><VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
|
|||
|
+
|
|||
|
+The session lock is implemented at the point where session activity can be determined and/or controlled.
|
|||
|
+
|
|||
|
+Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide.
|
|||
|
+
|
|||
|
+Locking these settings from non-privileged users is crucial to maintaining a protected baseline.
|
|||
|
+
|
|||
|
+Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-47770r743862_fix">Configure the operating system to prevent a user from overriding settings for graphical user interfaces.
|
|||
|
+
|
|||
|
+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
|
|||
|
+
|
|||
|
+Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.
|
|||
|
+
|
|||
|
+$ sudo touch /etc/dconf/db/local.d/locks/session
|
|||
|
+
|
|||
|
+Add the following setting to prevent non-privileged users from modifying it:
|
|||
|
+
|
|||
|
+/org/gnome/desktop/session/idle-delay</fixtext><fix id="F-47770r743862_fix" /><check system="C-47813r743861_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system prevents a user from overriding settings for graphical user interfaces.
|
|||
|
+
|
|||
|
+Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
|
|||
|
+
|
|||
|
+Determine which profile the system database is using with the following command:
|
|||
|
+
|
|||
|
+$ sudo grep system-db /etc/dconf/profile/user
|
|||
|
+
|
|||
|
+system-db:local
|
|||
|
+
|
|||
|
+Check that graphical settings are locked from non-privileged user modification with the following command:
|
|||
|
+
|
|||
|
+Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
|
|||
|
+
|
|||
|
+$ sudo grep -i idle /etc/dconf/db/local.d/locks/*
|
|||
|
+
|
|||
|
+/org/gnome/desktop/session/idle-delay
|
|||
|
+
|
|||
|
+If the command does not return at least the example result, this is a finding.</check-content></check></Rule></Group><Group id="V-244539"><title>SRG-OS-000029-GPOS-00010</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244539r743866_rule" weight="10.0" severity="medium"><version>RHEL-08-020082</version><title>RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.</title><description><VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
|
|||
|
+
|
|||
|
+The session lock is implemented at the point where session activity can be determined and/or controlled.
|
|||
|
+
|
|||
|
+Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide.
|
|||
|
+
|
|||
|
+Locking these settings from non-privileged users is crucial to maintaining a protected baseline.
|
|||
|
+
|
|||
|
+Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-47771r743865_fix">Configure the operating system to prevent a user from overriding settings for graphical user interfaces.
|
|||
|
+
|
|||
|
+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
|
|||
|
+
|
|||
|
+Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.
|
|||
|
+
|
|||
|
+$ sudo touch /etc/dconf/db/local.d/locks/session
|
|||
|
+
|
|||
|
+Add the following setting to prevent non-privileged users from modifying it:
|
|||
|
+
|
|||
|
+/org/gnome/desktop/screensaver/lock-enabled</fixtext><fix id="F-47771r743865_fix" /><check system="C-47814r743864_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system prevents a user from overriding settings for graphical user interfaces.
|
|||
|
+
|
|||
|
+Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
|
|||
|
+
|
|||
|
+Determine which profile the system database is using with the following command:
|
|||
|
+
|
|||
|
+$ sudo grep system-db /etc/dconf/profile/user
|
|||
|
+
|
|||
|
+system-db:local
|
|||
|
+
|
|||
|
+Check that graphical settings are locked from non-privileged user modification with the following command:
|
|||
|
+
|
|||
|
+Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
|
|||
|
+
|
|||
|
+$ sudo grep -i lock-enabled /etc/dconf/db/local.d/locks/*
|
|||
|
+
|
|||
|
+/org/gnome/desktop/screensaver/lock-enabled
|
|||
|
+
|
|||
|
+If the command does not return at least the example result, this is a finding.</check-content></check></Rule></Group><Group id="V-244540"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244540r743869_rule" weight="10.0" severity="high"><version>RHEL-08-020331</version><title>RHEL 8 must not allow blank or null passwords in the system-auth file.</title><description><VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47772r743868_fix">Remove any instances of the "nullok" option in the "/etc/pam.d/system-auth" file to prevent logons with empty passwords.
|
|||
|
+
|
|||
|
+Note: Manual changes to the listed file may be overwritten by the "authselect" program.</fixtext><fix id="F-47772r743868_fix" /><check system="C-47815r743867_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>To verify that null passwords cannot be used, run the following command:
|
|||
|
+
|
|||
|
+$ sudo grep -i nullok /etc/pam.d/system-auth
|
|||
|
+
|
|||
|
+If output is produced, this is a finding.</check-content></check></Rule></Group><Group id="V-244541"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244541r743872_rule" weight="10.0" severity="high"><version>RHEL-08-020332</version><title>RHEL 8 must not allow blank or null passwords in the password-auth file.</title><description><VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47773r743871_fix">Remove any instances of the "nullok" option in the "/etc/pam.d/password-auth" file to prevent logons with empty passwords.
|
|||
|
+
|
|||
|
+Note: Manual changes to the listed file may be overwritten by the "authselect" program.</fixtext><fix id="F-47773r743871_fix" /><check system="C-47816r743870_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>To verify that null passwords cannot be used, run the following command:
|
|||
|
+
|
|||
|
+$ sudo grep -i nullok /etc/pam.d/password-auth
|
|||
|
+
|
|||
|
+If output is produced, this is a finding.</check-content></check></Rule></Group><Group id="V-244542"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244542r743875_rule" weight="10.0" severity="medium"><version>RHEL-08-030181</version><title>RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.</title><description><VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
|
|||
|
+
|
|||
|
+Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
|
|||
|
+
|
|||
|
+Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system.
|
|||
|
+
|
|||
|
+Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-47774r743874_fix">Configure the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred with the following commands:
|
|||
|
+
|
|||
|
+$ sudo systemctl enable auditd.service
|
|||
|
+
|
|||
|
+$ sudo systemctl start auditd.service</fixtext><fix id="F-47774r743874_fix" /><check system="C-47817r743873_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the audit service is configured to produce audit records with the following command:
|
|||
|
+
|
|||
|
+$ sudo systemctl status auditd.service.
|
|||
|
+
|
|||
|
+auditd.service - Security Auditing Service
|
|||
|
+Loaded:loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
|
|||
|
+Active: active (running) since Tues 2020-12-11 12:56:56 EST; 4 weeks 0 days ago
|
|||
|
+
|
|||
|
+If the audit service is not "active" and "running", this is a finding.</check-content></check></Rule></Group><Group id="V-244543"><title>SRG-OS-000343-GPOS-00134</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244543r743878_rule" weight="10.0" severity="medium"><version>RHEL-08-030731</version><title>RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.</title><description><VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001855</ident><fixtext fixref="F-47775r743877_fix">Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file.
|
|||
|
+
|
|||
|
+space_left_action = email
|
|||
|
+
|
|||
|
+Note: Option names and values in the auditd.conf file are case insensitive.</fixtext><fix id="F-47775r743877_fix" /><check system="C-47818r743876_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command:
|
|||
|
+
|
|||
|
+$ sudo grep -w space_left_action /etc/audit/auditd.conf
|
|||
|
+
|
|||
|
+space_left_action = email
|
|||
|
+
|
|||
|
+If the value of the "space_left_action" is not set to "email", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO.
|
|||
|
+
|
|||
|
+If there is no evidence that real-time alerts are configured on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-244544"><title>SRG-OS-000297-GPOS-00115</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244544r743881_rule" weight="10.0" severity="medium"><version>RHEL-08-040101</version><title>A firewall must be active on RHEL 8.</title><description><VulnDiscussion>"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
|
|||
|
+
|
|||
|
+Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.
|
|||
|
+
|
|||
|
+Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
|
|||
|
+RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002314</ident><fixtext fixref="F-47776r743880_fix">Configure "firewalld" to protect the operating system with the following command:
|
|||
|
+
|
|||
|
+$ sudo systemctl enable firewalld</fixtext><fix id="F-47776r743880_fix" /><check system="C-47819r743879_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that "firewalld" is active with the following commands:
|
|||
|
+
|
|||
|
+$ sudo systemctl is-active firewalld
|
|||
|
+
|
|||
|
+active
|
|||
|
+
|
|||
|
+If the "firewalld" package is not "active", ask the System Administrator if another firewall is installed. If no firewall is installed and active this is a finding.</check-content></check></Rule></Group><Group id="V-244545"><title>SRG-OS-000368-GPOS-00154</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244545r743884_rule" weight="10.0" severity="medium"><version>RHEL-08-040136</version><title>The RHEL 8 fapolicy module must be enabled.</title><description><VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
|
|||
|
+
|
|||
|
+Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.
|
|||
|
+
|
|||
|
+User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.
|
|||
|
+
|
|||
|
+RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.
|
|||
|
+
|
|||
|
+Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers.
|
|||
|
+
|
|||
|
+Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001764</ident><fixtext fixref="F-47777r743883_fix">Enable "fapolicyd" using the following command:
|
|||
|
+
|
|||
|
+$ sudo systemctl enable --now fapolicyd</fixtext><fix id="F-47777r743883_fix" /><check system="C-47820r743882_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the RHEL 8 "fapolicyd" is enabled and running with the following command:
|
|||
|
+
|
|||
|
+$ sudo systemctl status fapolicyd.service
|
|||
|
+
|
|||
|
+fapolicyd.service - File Access Policy Daemon
|
|||
|
+Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled)
|
|||
|
+Active: active (running)
|
|||
|
+
|
|||
|
+If fapolicyd is not enabled and running, this is a finding.</check-content></check></Rule></Group><Group id="V-244546"><title>SRG-OS-000368-GPOS-00154</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244546r743887_rule" weight="10.0" severity="medium"><version>RHEL-08-040137</version><title>The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.</title><description><VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
|
|||
|
+
|
|||
|
+Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.
|
|||
|
+
|
|||
|
+User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.
|
|||
|
+
|
|||
|
+RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.
|
|||
|
+
|
|||
|
+Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers.
|
|||
|
+
|
|||
|
+Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001764</ident><fixtext fixref="F-47778r743886_fix">Configure RHEL 8 to employ a deny-all, permit-by-exception application whitelisting policy with "fapolicyd" using the following command:
|
|||
|
+
|
|||
|
+Note: Running this command requires a root shell
|
|||
|
+
|
|||
|
+# mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts
|
|||
|
+
|
|||
|
+With the "fapolicyd" installed and enabled, configure the daemon to function in permissive mode until the whitelist is built correctly to avoid system lockout. Do this by editing the "/etc/fapolicyd/fapolicyd.conf" file with the following line:
|
|||
|
+
|
|||
|
+permissive = 1
|
|||
|
+
|
|||
|
+Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all".
|
|||
|
+
|
|||
|
+Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file.
|
|||
|
+
|
|||
|
+permissive = 0</fixtext><fix id="F-47778r743886_fix" /><check system="C-47821r743885_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the RHEL 8 "fapolicyd" employs a deny-all, permit-by-exception policy.
|
|||
|
+
|
|||
|
+Check that "fapolicyd" is in enforcement mode with the following command:
|
|||
|
+
|
|||
|
+$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf
|
|||
|
+
|
|||
|
+permissive = 0
|
|||
|
+
|
|||
|
+Check that fapolicyd employs a deny-all policy on system mounts with the following commands:
|
|||
|
+
|
|||
|
+$ sudo tail /etc/fapolicyd/fapolicyd.rules
|
|||
|
+
|
|||
|
+allow exe=/usr/bin/python3.7 : ftype=text/x-python
|
|||
|
+deny_audit perm=any pattern=ld_so : all
|
|||
|
+deny perm=any all : all
|
|||
|
+
|
|||
|
+$ sudo cat /etc/fapolicyd/fapolicyd.mounts
|
|||
|
+
|
|||
|
+/dev/shm
|
|||
|
+/run
|
|||
|
+/sys/fs/cgroup
|
|||
|
+/
|
|||
|
+/home
|
|||
|
+/boot
|
|||
|
+/run/user/42
|
|||
|
+/run/user/1000
|
|||
|
+
|
|||
|
+If fapolicyd is not running in enforcement mode on all system mounts with a deny-all, permit-by-exception policy, this is a finding.</check-content></check></Rule></Group><Group id="V-244547"><title>SRG-OS-000378-GPOS-00163</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244547r743890_rule" weight="10.0" severity="medium"><version>RHEL-08-040139</version><title>RHEL 8 must have the USBGuard installed.</title><description><VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
|
|||
|
+Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.
|
|||
|
+A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool.
|
|||
|
+
|
|||
|
+The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001958</ident><fixtext fixref="F-47779r743889_fix">Install the USBGuard package with the following command:
|
|||
|
+
|
|||
|
+$ sudo yum install usbguard.x86_64</fixtext><fix id="F-47779r743889_fix" /><check system="C-47822r743888_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify USBGuard is installed on the operating system with the following command:
|
|||
|
+
|
|||
|
+$ sudo yum list installed usbguard
|
|||
|
+
|
|||
|
+Installed Packages
|
|||
|
+usbguard.x86_64 0.7.8-7.el8 @ol8_appstream
|
|||
|
+
|
|||
|
+If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked.
|
|||
|
+If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.</check-content></check></Rule></Group><Group id="V-244548"><title>SRG-OS-000378-GPOS-00163</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244548r743893_rule" weight="10.0" severity="medium"><version>RHEL-08-040141</version><title>RHEL 8 must enable the USBGuard.</title><description><VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
|
|||
|
+
|
|||
|
+Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.
|
|||
|
+
|
|||
|
+A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool.
|
|||
|
+
|
|||
|
+The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001958</ident><fixtext fixref="F-47780r743892_fix">Configure the operating system to enable the blocking of unauthorized peripherals with the following commands:
|
|||
|
+
|
|||
|
+$ sudo systemctl enable usbguard.service
|
|||
|
+
|
|||
|
+$ sudo systemctl start usbguard.service
|
|||
|
+
|
|||
|
+Note: Enabling and starting usbguard without properly configuring it for an individual system will immediately prevent any access over a usb device such as a keyboard or mouse</fixtext><fix id="F-47780r743892_fix" /><check system="C-47823r743891_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system has enabled the use of the USBGuard with the following command:
|
|||
|
+
|
|||
|
+$ sudo systemctl status usbguard.service
|
|||
|
+
|
|||
|
+usbguard.service - USBGuard daemon
|
|||
|
+Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor preset: disabled)
|
|||
|
+Active: active (running)
|
|||
|
+
|
|||
|
+If the usbguard.service is not enabled and active, ask the SA to indicate how unauthorized peripherals are being blocked.
|
|||
|
+If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.</check-content></check></Rule></Group><Group id="V-244549"><title>SRG-OS-000423-GPOS-00187</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244549r743896_rule" weight="10.0" severity="medium"><version>RHEL-08-040159</version><title>All RHEL 8 networked systems must have SSH installed.</title><description><VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
|
|||
|
+
|
|||
|
+This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
|
|||
|
+
|
|||
|
+Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.
|
|||
|
+
|
|||
|
+Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002418</ident><fixtext fixref="F-47781r743895_fix">Install SSH packages onto the host with the following command:
|
|||
|
+
|
|||
|
+$ sudo yum install openssh-server.x86_64</fixtext><fix id="F-47781r743895_fix" /><check system="C-47824r743894_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify SSH is installed with the following command:
|
|||
|
+
|
|||
|
+$ sudo yum list installed openssh-server
|
|||
|
+
|
|||
|
+openssh-server.x86_64 8.0p1-5.el8 @anaconda
|
|||
|
+
|
|||
|
+If the "SSH server" package is not installed, this is a finding.</check-content></check></Rule></Group><Group id="V-244550"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244550r743899_rule" weight="10.0" severity="medium"><version>RHEL-08-040209</version><title>RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47782r743898_fix">Configure RHEL 8 to prevent IPv4 ICMP redirect messages from being accepted with the following command:
|
|||
|
+
|
|||
|
+$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
|
|||
|
+
|
|||
|
+If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d":
|
|||
|
+
|
|||
|
+net.ipv4.conf.default.accept_redirects=0</fixtext><fix id="F-47782r743898_fix" /><check system="C-47825r743897_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 will not accept IPv4 ICMP redirect messages.
|
|||
|
+
|
|||
|
+Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
|
|||
|
+
|
|||
|
+Check the value of the default "accept_redirects" variables with the following command:
|
|||
|
+
|
|||
|
+$ sudo sysctl net.ipv4.conf.default.accept_redirects
|
|||
|
+
|
|||
|
+net.ipv4.conf.default.accept_redirects = 0
|
|||
|
+
|
|||
|
+If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-244551"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244551r743902_rule" weight="10.0" severity="medium"><version>RHEL-08-040239</version><title>RHEL 8 must not forward IPv4 source-routed packets.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47783r743901_fix">Configure RHEL 8 to not forward IPv4 source-routed packets with the following command:
|
|||
|
+
|
|||
|
+$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
|
|||
|
+
|
|||
|
+If "0" is not the system's all value then add or update the following line in the appropriate file under "/etc/sysctl.d":
|
|||
|
+
|
|||
|
+net.ipv4.conf.all.accept_source_route=0</fixtext><fix id="F-47783r743901_fix" /><check system="C-47826r743900_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept IPv4 source-routed packets.
|
|||
|
+
|
|||
|
+Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
|
|||
|
+
|
|||
|
+Check the value of the accept source route variable with the following command:
|
|||
|
+
|
|||
|
+$ sudo sysctl net.ipv4.conf.all.accept_source_route
|
|||
|
+
|
|||
|
+net.ipv4.conf.all.accept_source_route = 0
|
|||
|
+
|
|||
|
+If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-244552"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244552r743905_rule" weight="10.0" severity="medium"><version>RHEL-08-040249</version><title>RHEL 8 must not forward IPv4 source-routed packets by default.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47784r743904_fix">Configure RHEL 8 to not forward IPv4 source-routed packets by default with the following command:
|
|||
|
+
|
|||
|
+$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
|
|||
|
+
|
|||
|
+If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d":
|
|||
|
+
|
|||
|
+net.ipv4.conf.default.accept_source_route=0</fixtext><fix id="F-47784r743904_fix" /><check system="C-47827r743903_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept IPv4 source-routed packets by default.
|
|||
|
+
|
|||
|
+Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
|
|||
|
+
|
|||
|
+Check the value of the accept source route variable with the following command:
|
|||
|
+
|
|||
|
+$ sudo sysctl net.ipv4.conf.default.accept_source_route
|
|||
|
+
|
|||
|
+net.ipv4.conf.default.accept_source_route = 0
|
|||
|
+
|
|||
|
+If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-244553"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244553r743908_rule" weight="10.0" severity="medium"><version>RHEL-08-040279</version><title>RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47785r743907_fix">Configure RHEL 8 to ignore IPv4 ICMP redirect messages with the following command:
|
|||
|
+
|
|||
|
+$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
|
|||
|
+
|
|||
|
+If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d":
|
|||
|
+
|
|||
|
+net.ipv4.conf.all.accept_redirects = 0</fixtext><fix id="F-47785r743907_fix" /><check system="C-47828r743906_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 ignores IPv4 ICMP redirect messages.
|
|||
|
+
|
|||
|
+Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
|
|||
|
+
|
|||
|
+Check the value of the "accept_redirects" variables with the following command:
|
|||
|
+
|
|||
|
+$ sudo sysctl net.ipv4.conf.all.accept_redirects
|
|||
|
+
|
|||
|
+net.ipv4.conf.all.accept_redirects = 0
|
|||
|
+
|
|||
|
+If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-244554"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244554r743911_rule" weight="10.0" severity="medium"><version>RHEL-08-040286</version><title>RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
|||
|
+Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to "2" enables JIT hardening for all users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47786r743910_fix">Configure RHEL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file in the "/etc/sysctl.d" directory:
|
|||
|
+
|
|||
|
+net.core.bpf_jit_harden = 2
|
|||
|
+
|
|||
|
+The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
|
|||
|
+
|
|||
|
+$ sudo sysctl --system</fixtext><fix id="F-47786r743910_fix" /><check system="C-47829r743909_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 enables hardening for the BPF JIT with the following commands:
|
|||
|
+
|
|||
|
+$ sudo sysctl net.core.bpf_jit_harden
|
|||
|
+
|
|||
|
+net.core.bpf_jit_harden = 2
|
|||
|
+
|
|||
|
+If the returned line does not have a value of "2", or a line is not returned, this is a finding.</check-content></check></Rule></Group><Group id="V-245540"><title>SRG-OS-000191-GPOS-00080</title><description><GroupDescription></GroupDescription></description><Rule id="SV-245540r754730_rule" weight="10.0" severity="medium"><version>RHEL-08-010001</version><title>The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.</title><description><VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001233</ident><fixtext fixref="F-48770r754729_fix">Install and enable the latest McAfee ENSLTP package.</fixtext><fix id="F-48770r754729_fix" /><check system="C-48814r754728_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux.
|
|||
|
+
|
|||
|
+Procedure:
|
|||
|
+Check that the following package has been installed:
|
|||
|
+
|
|||
|
+$ sudo rpm -qa | grep -i mcafeetp
|
|||
|
+
|
|||
|
+If the "mcafeetp" package is not installed, this is a finding.
|
|||
|
+
|
|||
|
+Verify that the daemon is running:
|
|||
|
+
|
|||
|
+$ sudo ps -ef | grep -i mfetpd
|
|||
|
+
|
|||
|
+If the daemon is not running, this is a finding.</check-content></check></Rule></Group></Benchmark>
|
|||
|
\ No newline at end of file
|
|||
|
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|||
|
index bffa509b698..1f355c246a0 100644
|
|||
|
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|||
|
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|||
|
@@ -1,6 +1,6 @@
|
|||
|
description: 'This profile contains configuration checks that align to the
|
|||
|
|
|||
|
- DISA STIG for Red Hat Enterprise Linux 8 V1R2.
|
|||
|
+ DISA STIG for Red Hat Enterprise Linux 8 V1R3.
|
|||
|
|
|||
|
|
|||
|
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
|
|||
|
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|||
|
index c84ac75c7bf..8bfe8363d0a 100644
|
|||
|
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
|||
|
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|||
|
@@ -1,6 +1,6 @@
|
|||
|
description: 'This profile contains configuration checks that align to the
|
|||
|
|
|||
|
- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R2.
|
|||
|
+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R3.
|
|||
|
|
|||
|
|
|||
|
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
|