From 2db5a10b6be510a8c702cd726667f44b5e360267 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 2 May 2022 10:20:36 +0200
Subject: [PATCH 1/3] Update DISA RHEL8 STIG manual benchmark to V1R6
---
... => disa-stig-rhel8-v1r6-xccdf-manual.xml} | 401 ++++++++----------
1 file changed, 173 insertions(+), 228 deletions(-)
rename shared/references/{disa-stig-rhel8-v1r5-xccdf-manual.xml => disa-stig-rhel8-v1r6-xccdf-manual.xml} (94%)
diff --git a/shared/references/disa-stig-rhel8-v1r5-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml
|
||
|
similarity index 94%
|
||
|
rename from shared/references/disa-stig-rhel8-v1r5-xccdf-manual.xml
|
||
|
rename to shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml
|
||
|
index 216e91f92c6..849ab06f66d 100644
|
||
|
--- a/shared/references/disa-stig-rhel8-v1r5-xccdf-manual.xml
|
||
|
+++ b/shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml
|
||
|
@@ -1,4 +1,4 @@
|
||
|
-<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="RHEL_8_STIG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2021-12-03">accepted</status><title>Red Hat Enterprise Linux 8 Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 5 Benchmark Date: 27 Jan 2022</plain-text><plain-text id="generator">3.2.2.36079</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>1</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select 
idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select idref="
|
||
|
+<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="RHEL_8_STIG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2022-02-17">accepted</status><title>Red Hat Enterprise Linux 8 Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 6 Benchmark Date: 27 Apr 2022</plain-text><plain-text id="generator">3.3.0.27375</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>1</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select 
idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select idref="
|
||
|
|
||
|
Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32865r567410_fix">Upgrade to a supported version of RHEL 8.</fixtext><fix id="F-32865r567410_fix" /><check system="C-32890r743912_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the version of the operating system is vendor supported.
|
||
|
|
||
|
@@ -849,7 +849,7 @@ $ sudo grep -i localpkg_gpgcheck /etc/dnf/dnf.conf
|
||
|
|
||
|
localpkg_gpgcheck =True
|
||
|
|
||
|
-If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.</check-content></check></Rule></Group><Group id="V-230266"><title>SRG-OS-000366-GPOS-00153</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230266r792870_rule" weight="10.0" severity="medium"><version>RHEL-08-010372</version><title>RHEL 8 must prevent the loading of a new kernel for later execution.</title><description><VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
|
||
|
+If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.</check-content></check></Rule></Group><Group id="V-230266"><title>SRG-OS-000366-GPOS-00153</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230266r818816_rule" weight="10.0" severity="medium"><version>RHEL-08-010372</version><title>RHEL 8 must prevent the loading of a new kernel for later execution.</title><description><VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
|
||
|
|
||
|
Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images.
|
||
|
|
||
|
@@ -859,16 +859,15 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001749</ident><fixtext fixref="F-32910r792869_fix">Configure the operating system to disable kernel image loading.
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001749</ident><fixtext fixref="F-32910r818815_fix">Configure the operating system to disable kernel image loading.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
kernel.kexec_load_disabled = 1
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-32910r792869_fix" /><check system="C-32935r792868_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to disable kernel image loading with the following commands:
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-32910r818815_fix" /><check system="C-32935r818814_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to disable kernel image loading with the following commands:
|
||
|
|
||
|
Check the status of the kernel.kexec_load_disabled kernel parameter.
|
||
|
|
||
|
@@ -880,13 +879,13 @@ If "kernel.kexec_load_disabled" is not set to "1" or is missing, this is a findi
|
||
|
|
||
|
Check that the configuration files are present to enable this kernel parameter.
|
||
|
|
||
|
-$ sudo grep -r kernel.kexec_load_disabled /etc/sysctl.d/*.conf
|
||
|
+$ sudo grep -r kernel.kexec_load_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
|
||
|
|
||
|
/etc/sysctl.d/99-sysctl.conf:kernel.kexec_load_disabled = 1
|
||
|
|
||
|
If "kernel.kexec_load_disabled" is not set to "1", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230267"><title>SRG-OS-000312-GPOS-00122</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230267r792873_rule" weight="10.0" severity="medium"><version>RHEL-08-010373</version><title>RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.</title><description><VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
|
||
|
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230267"><title>SRG-OS-000312-GPOS-00122</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230267r818819_rule" weight="10.0" severity="medium"><version>RHEL-08-010373</version><title>RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.</title><description><VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
|
||
|
|
||
|
When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.
|
||
|
|
||
|
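Review bot: The new pass/fail criterion at the end of this hunk, `If results are returned from more than one file location, this is a finding.`, turns an agreeing duplicate — for example a vendor-shipped file under /usr/lib/sysctl.d and an administrator drop-in under /etc/sysctl.d both setting `kernel.kexec_load_disabled = 1` — into a finding even though the preceding `sysctl` command already confirms the effective value is 1; whether a stock RHEL 8 image ships such a default for this key is not visible here and should be confirmed before relying on the count. If the project's automated check or remediation for RHEL-08-010372 is aligned with this reference text, verify that it neither fails on agreeing duplicates nor deletes a vendor file to satisfy the single-location rule; the same V1R6 wording is applied to the fs.protected_symlinks and fs.protected_hardlinks rules in the hunks below. The `grep -r kernel.kexec_load_disabled …` line is also unanchored (and `.` is a regex wildcard), so commented-out or `= 0` lines count as hits and every result still needs manual inspection rather than a hit count. This file is a vendored DISA reference, so the wording itself should not be changed in this repository; the caveat belongs in the project's own rule description or STIG mapping notes.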
@@ -900,17 +899,15 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/lib/sysctl.d/*.conf
|
||
|
/etc/sysctl.conf
|
||
|
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.
|
||
|
-
|
||
|
-Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002165</ident><fixtext fixref="F-32911r792872_fix">Configure the operating system to enable DAC on symlinks.
|
||
|
+Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002165</ident><fixtext fixref="F-32911r818818_fix">Configure the operating system to enable DAC on symlinks.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
fs.protected_symlinks = 1
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-32911r792872_fix" /><check system="C-32936r792871_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to enable DAC on symlinks with the following commands:
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-32911r818818_fix" /><check system="C-32936r818817_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to enable DAC on symlinks with the following commands:
|
||
|
|
||
|
Check the status of the fs.protected_symlinks kernel parameter.
|
||
|
|
||
|
@@ -922,13 +919,13 @@ If "fs.protected_symlinks" is not set to "1" or is missing, this is a finding.
|
||
|
|
||
|
Check that the configuration files are present to enable this kernel parameter.
|
||
|
|
||
|
-$ sudo grep -r fs.protected_symlinks /etc/sysctl.d/*.conf
|
||
|
+$ sudo grep -r fs.protected_symlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
|
||
|
|
||
|
/etc/sysctl.d/99-sysctl.conf:fs.protected_symlinks = 1
|
||
|
|
||
|
If "fs.protected_symlinks" is not set to "1", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230268"><title>SRG-OS-000312-GPOS-00122</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230268r792876_rule" weight="10.0" severity="medium"><version>RHEL-08-010374</version><title>RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.</title><description><VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
|
||
|
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230268"><title>SRG-OS-000312-GPOS-00122</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230268r818822_rule" weight="10.0" severity="medium"><version>RHEL-08-010374</version><title>RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.</title><description><VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
|
||
|
|
||
|
When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.
|
||
|
|
||
|
@@ -942,17 +939,15 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/lib/sysctl.d/*.conf
|
||
|
/etc/sysctl.conf
|
||
|
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.
|
||
|
-
|
||
|
-Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002165</ident><fixtext fixref="F-32912r792875_fix">Configure the operating system to enable DAC on hardlinks.
|
||
|
+Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002165</ident><fixtext fixref="F-32912r818821_fix">Configure the operating system to enable DAC on hardlinks.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
fs.protected_hardlinks = 1
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-32912r792875_fix" /><check system="C-32937r792874_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to enable DAC on hardlinks with the following commands:
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-32912r818821_fix" /><check system="C-32937r818820_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to enable DAC on hardlinks with the following commands:
|
||
|
|
||
|
Check the status of the fs.protected_hardlinks kernel parameter.
|
||
|
|
||
|
@@ -964,13 +959,13 @@ If "fs.protected_hardlinks" is not set to "1" or is missing, this is a finding.
|
||
|
|
||
|
Check that the configuration files are present to enable this kernel parameter.
|
||
|
|
||
|
-$ sudo grep -r fs.protected_hardlinks /etc/sysctl.d/*.conf
|
||
|
+$ sudo grep -r fs.protected_hardlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
|
||
|
|
||
|
/etc/sysctl.d/99-sysctl.conf:fs.protected_hardlinks = 1
|
||
|
|
||
|
If "fs.protected_hardlinks" is not set to "1", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230269"><title>SRG-OS-000138-GPOS-00069</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230269r792879_rule" weight="10.0" severity="low"><version>RHEL-08-010375</version><title>RHEL 8 must restrict access to the kernel message buffer.</title><description><VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
|
||
|
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230269"><title>SRG-OS-000138-GPOS-00069</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230269r818825_rule" weight="10.0" severity="low"><version>RHEL-08-010375</version><title>RHEL 8 must restrict access to the kernel message buffer.</title><description><VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
|
||
|
|
||
|
This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.
|
||
|
|
||
|
@@ -984,17 +979,15 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001090</ident><fixtext fixref="F-32913r792878_fix">Configure the operating system to restrict access to the kernel message buffer.
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001090</ident><fixtext fixref="F-32913r818824_fix">Configure the operating system to restrict access to the kernel message buffer.
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
kernel.dmesg_restrict = 1
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-32913r792878_fix" /><check system="C-32938r792877_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to restrict access to the kernel message buffer with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-32913r818824_fix" /><check system="C-32938r818823_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to restrict access to the kernel message buffer with the following commands:
Check the status of the kernel.dmesg_restrict kernel parameter.
@@ -1006,13 +999,13 @@ If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding.
Check that the configuration files are present to enable this kernel parameter.
-$ sudo grep -r kernel.dmesg_restrict /etc/sysctl.d/*.conf
+$ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
/etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1
If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding.
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230270"><title>SRG-OS-000138-GPOS-00069</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230270r792882_rule" weight="10.0" severity="low"><version>RHEL-08-010376</version><title>RHEL 8 must prevent kernel profiling by unprivileged users.</title><description><VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230270"><title>SRG-OS-000138-GPOS-00069</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230270r818828_rule" weight="10.0" severity="low"><version>RHEL-08-010376</version><title>RHEL 8 must prevent kernel profiling by unprivileged users.</title><description><VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.
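Review bot: The new "If results are returned from more than one file location, this is a finding" rule on the added line near the end of this hunk is tied to a grep that does not distinguish live settings from comments, so a commented-out `#kernel.dmesg_restrict` left in /etc/sysctl.conf or in a package drop-in will count as a second location and produce a finding even though the check text itself treats commented-out lines as "not set". The `-r` flag is also redundant once explicit file globs are passed. Where this project derives automated content from this reference text, the match should be anchored to uncommented assignments, e.g. `grep -E '^\s*kernel\.dmesg_restrict\s*=' /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf`. The same wording is repeated for perf_event_paranoid, randomize_va_space and core_pattern in the later hunks, so whatever interpretation is chosen should be applied to all four.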
@@ -1026,17 +1019,15 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001090</ident><fixtext fixref="F-32914r792881_fix">Configure the operating system to prevent kernel profiling by unprivileged users.
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001090</ident><fixtext fixref="F-32914r818827_fix">Configure the operating system to prevent kernel profiling by unprivileged users.
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
kernel.perf_event_paranoid = 2
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-32914r792881_fix" /><check system="C-32939r792880_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-32914r818827_fix" /><check system="C-32939r818826_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands:
Check the status of the kernel.perf_event_paranoid kernel parameter.
@@ -1048,13 +1039,13 @@ If "kernel.perf_event_paranoid" is not set to "2" or is missing, this is a findi
Check that the configuration files are present to enable this kernel parameter.
-$ sudo grep -r kernel.perf_event_paranoid /etc/sysctl.d/*.conf
+$ sudo grep -r kernel.perf_event_paranoid /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
/etc/sysctl.d/99-sysctl.conf:kernel.perf_event_paranoid = 2
If "kernel.perf_event_paranoid" is not set to "2", is missing or commented out, this is a finding.
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230271"><title>SRG-OS-000373-GPOS-00156</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230271r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010380</version><title>RHEL 8 must require users to provide a password for privilege escalation.</title><description><VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230271"><title>SRG-OS-000373-GPOS-00156</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230271r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010380</version><title>RHEL 8 must require users to provide a password for privilege escalation.</title><description><VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.
@@ -1231,7 +1222,7 @@ $ sudo grep slub_debug /etc/default/grub
GRUB_CMDLINE_LINUX="slub_debug=P"
-If "slub_debug" is not set to "P", is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230280"><title>SRG-OS-000433-GPOS-00193</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230280r792891_rule" weight="10.0" severity="medium"><version>RHEL-08-010430</version><title>RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.</title><description><VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
+If "slub_debug" is not set to "P", is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230280"><title>SRG-OS-000433-GPOS-00193</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230280r818831_rule" weight="10.0" severity="medium"><version>RHEL-08-010430</version><title>RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.</title><description><VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
Examples of attacks are buffer overflow attacks.
@@ -1241,17 +1232,15 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002824</ident><fixtext fixref="F-32924r818830_fix">Configure the operating system to implement virtual address space randomization.
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002824</ident><fixtext fixref="F-32924r792890_fix">Configure the operating system to implement virtual address space randomization.
-
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
kernel.randomize_va_space=2
Issue the following command to make the changes take effect:
-$ sudo sysctl --system</fixtext><fix id="F-32924r792890_fix" /><check system="C-32949r792889_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 implements ASLR with the following command:
+$ sudo sysctl --system</fixtext><fix id="F-32924r818830_fix" /><check system="C-32949r818829_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 implements ASLR with the following command:
$ sudo sysctl kernel.randomize_va_space
@@ -1261,13 +1250,13 @@ If "kernel.randomize_va_space" is not set to "2", this is a finding.
Check that the configuration files are present to enable this kernel parameter.
-$ sudo grep -r kernel.randomize_va_space /etc/sysctl.d/*.conf
+$ sudo grep -r kernel.randomize_va_space /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
/etc/sysctl.d/99-sysctl.conf:kernel.randomize_va_space = 2
If "kernel.randomize_va_space" is not set to "2", is missing or commented out, this is a finding.
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230281"><title>SRG-OS-000437-GPOS-00194</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230281r627750_rule" weight="10.0" severity="low"><version>RHEL-08-010440</version><title>YUM must remove all software components after updated versions have been installed on RHEL 8.</title><description><VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002617</ident><fixtext fixref="F-32925r567590_fix">Configure the operating system to remove all software components after updated versions have been installed.
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230281"><title>SRG-OS-000437-GPOS-00194</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230281r627750_rule" weight="10.0" severity="low"><version>RHEL-08-010440</version><title>YUM must remove all software components after updated versions have been installed on RHEL 8.</title><description><VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002617</ident><fixtext fixref="F-32925r567590_fix">Configure the operating system to remove all software components after updated versions have been installed.
Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.conf" file:
@@ -1601,7 +1590,7 @@ Main PID: 1130 (code=exited, status=0/SUCCESS)
If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).
-If the service is active and is not documented, this is a finding.</check-content></check></Rule></Group><Group id="V-230311"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230311r792894_rule" weight="10.0" severity="medium"><version>RHEL-08-010671</version><title>RHEL 8 must disable the kernel.core_pattern.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If the service is active and is not documented, this is a finding.</check-content></check></Rule></Group><Group id="V-230311"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230311r818834_rule" weight="10.0" severity="medium"><version>RHEL-08-010671</version><title>RHEL 8 must disable the kernel.core_pattern.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
@@ -1609,17 +1598,15 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32955r818833_fix">Configure RHEL 8 to disable storing core dumps.
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32955r792893_fix">Configure RHEL 8 to disable storing core dumps.
-
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
kernel.core_pattern = |/bin/false
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
-$ sudo sysctl --system</fixtext><fix id="F-32955r792893_fix" /><check system="C-32980r792892_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 disables storing core dumps with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-32955r818833_fix" /><check system="C-32980r818832_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 disables storing core dumps with the following commands:
$ sudo sysctl kernel.core_pattern
@@ -1629,13 +1616,13 @@ If the returned line does not have a value of "|/bin/false", or a line is not re
Check that the configuration files are present to enable this kernel parameter.
-$ sudo grep -r kernel.core_pattern /etc/sysctl.d/*.conf
+$ sudo grep -r kernel.core_pattern /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
/etc/sysctl.d/99-sysctl.conf:kernel.core_pattern = |/bin/false
If "kernel.core_pattern" is not set to "|/bin/false", is missing or commented out, this is a finding.
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230312"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230312r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010672</version><title>RHEL 8 must disable acquiring, saving, and processing core dumps.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230312"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230312r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010672</version><title>RHEL 8 must disable acquiring, saving, and processing core dumps.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
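Review bot: The added "results are returned from more than one file location" rule for kernel.core_pattern conflicts with the precedence semantics this rule's own VulnDiscussion describes in the previous hunk, where a file in /etc/sysctl.d masks a same-named file in a later directory but the masked file still exists and still matches the new grep across /usr/lib/sysctl.d. If a package-provided drop-in under /usr/lib/sysctl.d sets kernel.core_pattern (systemd's coredump drop-in commonly does on RHEL 8; confirm on a stock install), a correctly configured system that has set `kernel.core_pattern = |/bin/false` in /etc/sysctl.d will be reported as a finding, and the fixtext offers no step to handle the vendor file. When this project's automated check is aligned to V1R6, it should either evaluate the effective value from `sysctl kernel.core_pattern` plus a single uncommented assignment in the highest-precedence file, or document that the vendor drop-in must be masked or removed; otherwise the grep-based multi-location test produces unavoidable false findings. The same caveat applies to the other three sysctl rules in this patch, though for them a default vendor setting is less likely.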
@@ -2506,18 +2493,18 @@ $ sudo grep -i lock-delay /etc/dconf/db/local.d/locks/*
|
||
|
|
||
|
/org/gnome/desktop/screensaver/lock-delay
|
||
|
|
||
|
-If the command does not return at least the example result, this is a finding.</check-content></check></Rule></Group><Group id="V-230355"><title>SRG-OS-000068-GPOS-00036</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230355r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020090</version><title>RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication.</title><description><VulnDiscussion>Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
|
||
|
+If the command does not return at least the example result, this is a finding.</check-content></check></Rule></Group><Group id="V-230355"><title>SRG-OS-000068-GPOS-00036</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230355r818836_rule" weight="10.0" severity="medium"><version>RHEL-08-020090</version><title>RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication.</title><description><VulnDiscussion>Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
|
||
|
|
||
|
-There are various methods of mapping certificates to user/group accounts for RHEL 8. For the purposes of this requirement, the check and fix will account for Active Directory mapping. Some of the other possible methods include joining the system to a domain and utilizing a Red Hat idM server, or a local system mapping, where the system is not part of a domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000187</ident><fixtext fixref="F-32999r567812_fix">Configure the operating system to map the authenticated identity to the user or group account by adding or modifying the certmap section of the "/etc/sssd/sssd.conf file based on the following example:
|
||
|
+There are various methods of mapping certificates to user/group accounts for RHEL 8. For the purposes of this requirement, the check and fix will account for Active Directory mapping. Some of the other possible methods include joining the system to a domain and utilizing a Red Hat idM server, or a local system mapping, where the system is not part of a domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000187</ident><fixtext fixref="F-32999r818835_fix">Configure the operating system to map the authenticated identity to the user or group account by adding or modifying the certmap section of the "/etc/sssd/sssd.conf file based on the following example:
|
||
|
|
||
|
[certmap/testing.test/rule_name]
|
||
|
matchrule =<SAN>.*EDIPI@mil
|
||
|
maprule = (userCertificate;binary={cert!bin})
|
||
|
-dmains = testing.test
|
||
|
+domains = testing.test
|
||
|
|
||
|
The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:
|
||
|
|
||
|
-$ sudo systemctl restart sssd.service</fixtext><fix id="F-32999r567812_fix" /><check system="C-33024r567811_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the certificate of the user or group is mapped to the corresponding user or group in the "sssd.conf" file with the following command:
|
||
|
+$ sudo systemctl restart sssd.service</fixtext><fix id="F-32999r818835_fix" /><check system="C-33024r567811_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the certificate of the user or group is mapped to the corresponding user or group in the "sssd.conf" file with the following command:
|
||
|
|
||
|
$ sudo cat /etc/sssd/sssd.conf
|
||
|
|
||
|
@@ -4429,31 +4416,31 @@ overflow_action = syslog
|
||
|
|
||
|
If the value of the "overflow_action" option is not set to "syslog", "single", "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media.
|
||
|
|
||
|
-If there is no evidence that the transfer of the audit logs being off-loaded to another system or media takes appropriate action if the internal event queue becomes full, this is a finding.</check-content></check></Rule></Group><Group id="V-230481"><title>SRG-OS-000342-GPOS-00133</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230481r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030710</version><title>RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.</title><description><VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
|
||
|
-
|
||
|
-Off-loading is a common process in information systems with limited audit storage capacity.
|
||
|
-
|
||
|
-RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
|
||
|
-
|
||
|
+If there is no evidence that the transfer of the audit logs being off-loaded to another system or media takes appropriate action if the internal event queue becomes full, this is a finding.</check-content></check></Rule></Group><Group id="V-230481"><title>SRG-OS-000342-GPOS-00133</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230481r818840_rule" weight="10.0" severity="medium"><version>RHEL-08-030710</version><title>RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.</title><description><VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
|
||
|
+
|
||
|
+Off-loading is a common process in information systems with limited audit storage capacity.
|
||
|
+
|
||
|
+RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
|
||
|
+
|
||
|
Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-33125r568190_fix">Configure the operating system to encrypt off-loaded audit records by setting the following options in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf":
|
||
|
|
||
|
$DefaultNetstreamDriver gtls
|
||
|
-$ActionSendStreamDriverMode 1</fixtext><fix id="F-33125r568190_fix" /><check system="C-33150r619873_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited with the following commands:
|
||
|
-
|
||
|
-$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
|
||
|
-
|
||
|
-/etc/rsyslog.conf:$DefaultNetstreamDriver gtls
|
||
|
-
|
||
|
-If the value of the "$DefaultNetstreamDriver" option is not set to "gtls" or the line is commented out, this is a finding.
|
||
|
-
|
||
|
-$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
|
||
|
-
|
||
|
-/etc/rsyslog.conf:$ActionSendStreamDriverMode 1
|
||
|
-
|
||
|
-If the value of the "$ActionSendStreamDriverMode" option is not set to "1" or the line is commented out, this is a finding.
|
||
|
-
|
||
|
-If either of the definitions above are set, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media.
|
||
|
-
|
||
|
+$ActionSendStreamDriverMode 1</fixtext><fix id="F-33125r568190_fix" /><check system="C-33150r818839_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited with the following commands:
|
||
|
+
|
||
|
+$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
|
||
|
+
|
||
|
+/etc/rsyslog.conf:$DefaultNetstreamDriver gtls
|
||
|
+
|
||
|
+If the value of the "$DefaultNetstreamDriver" option is not set to "gtls" or the line is commented out, this is a finding.
|
||
|
+
|
||
|
+$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
|
||
|
+
|
||
|
+/etc/rsyslog.conf:$ActionSendStreamDriverMode 1
|
||
|
+
|
||
|
+If the value of the "$ActionSendStreamDriverMode" option is not set to "1" or the line is commented out, this is a finding.
|
||
|
+
|
||
|
+If neither of the definitions above are set, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media.
|
||
|
+
|
||
|
If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.</check-content></check></Rule></Group><Group id="V-230482"><title>SRG-OS-000342-GPOS-00133</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230482r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030720</version><title>RHEL 8 must authenticate the remote logging server for off-loading audit logs.</title><description><VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
|
||
|
|
||
|
Off-loading is a common process in information systems with limited audit storage capacity.
|
||
|
@@ -4585,7 +4572,7 @@ $ sudo yum remove sendmail</fixtext><fix id="F-33133r568214_fix" /><check system
|
||
|
|
||
|
$ sudo yum list installed sendmail
|
||
|
|
||
|
-If the sendmail package is installed, this is a finding.</check-content></check></Rule></Group><Group id="V-230491"><title>SRG-OS-000095-GPOS-00049</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230491r792908_rule" weight="10.0" severity="low"><version>RHEL-08-040004</version><title>RHEL 8 must enable mitigations against processor-based vulnerabilities.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
+If the sendmail package is installed, this is a finding.</check-content></check></Rule></Group><Group id="V-230491"><title>SRG-OS-000095-GPOS-00049</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230491r818842_rule" weight="10.0" severity="low"><version>RHEL-08-040004</version><title>RHEL 8 must enable mitigations against processor-based vulnerabilities.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
|
||
|
Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
|
||
|
|
||
|
@@ -4599,7 +4586,7 @@ $ sudo grubby --update-kernel=ALL --args="pti=on"
|
||
|
|
||
|
Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates:
|
||
|
|
||
|
-GRUB_CMDLINE_LINUX="pti=on"</fixtext><fix id="F-33135r568220_fix" /><check system="C-33160r792907_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 enables kernel page-table isolation with the following commands:
|
||
|
+GRUB_CMDLINE_LINUX="pti=on"</fixtext><fix id="F-33135r568220_fix" /><check system="C-33160r818841_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 enables kernel page-table isolation with the following commands:
|
||
|
|
||
|
$ sudo grub2-editenv list | grep pti
|
||
|
|
||
|
@@ -4609,7 +4596,7 @@ If the "pti" entry does not equal "on", is missing, or the line is commented out
|
||
|
|
||
|
Check that kernel page-table isolation is enabled by default to persist in kernel updates:
|
||
|
|
||
|
-$ sudo grep audit /etc/default/grub
|
||
|
+$ sudo grep pti /etc/default/grub
|
||
|
|
||
|
GRUB_CMDLINE_LINUX="pti=on"
|
||
|
|
||
|
@@ -5451,7 +5438,7 @@ If the account is associated with system commands or applications, the UID shoul
|
||
|
|
||
|
$ sudo awk -F: '$3 == 0 {print $1}' /etc/passwd
|
||
|
|
||
|
-If any accounts other than root have a UID of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-230535"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230535r792936_rule" weight="10.0" severity="medium"><version>RHEL-08-040210</version><title>RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
|
||
|
+If any accounts other than root have a UID of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-230535"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230535r818848_rule" weight="10.0" severity="medium"><version>RHEL-08-040210</version><title>RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
|
||
|
|
||
|
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
/etc/sysctl.d/*.conf
|
||
|
@@ -5459,17 +5446,15 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33179r818847_fix">Configure RHEL 8 to prevent IPv6 ICMP redirect messages from being accepted.
|
||
|
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33179r792935_fix">Configure RHEL 8 to prevent IPv6 ICMP redirect messages from being accepted.
|
||
|
-
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
net.ipv6.conf.default.accept_redirects = 0
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-33179r792935_fix" /><check system="C-33204r792934_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 will not accept IPv6 ICMP redirect messages.
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-33179r818847_fix" /><check system="C-33204r818846_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 will not accept IPv6 ICMP redirect messages.
|
||
|
|
||
|
Note: If IPv6 is disabled on the system, this requirement is Not Applicable.
|
||
|
|
||
|
@@ -5483,13 +5468,13 @@ If the returned line does not have a value of "0", a line is not returned, or th
|
||
|
|
||
|
Check that the configuration files are present to enable this network parameter.
|
||
|
|
||
|
-$ sudo grep -r net.ipv6.conf.default.accept_redirects /etc/sysctl.d/*.conf
|
||
|
+$ sudo grep -r net.ipv6.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
|
||
|
|
||
|
/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_redirects = 0
|
||
|
|
||
|
If "net.ipv6.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230536"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230536r792939_rule" weight="10.0" severity="medium"><version>RHEL-08-040220</version><title>RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
|
||
|
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230536"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230536r818851_rule" weight="10.0" severity="medium"><version>RHEL-08-040220</version><title>RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
|
||
|
|
||
|
There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6.
|
||
|
|
||
|
@@ -5499,17 +5484,15 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33180r818850_fix">Configure RHEL 8 to not allow interfaces to perform IPv4 ICMP redirects.
|
||
|
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33180r792938_fix">Configure RHEL 8 to not allow interfaces to perform IPv4 ICMP redirects.
|
||
|
-
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
net.ipv4.conf.all.send_redirects=0
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-33180r792938_fix" /><check system="C-33205r792937_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not IPv4 ICMP redirect messages.
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-33180r818850_fix" /><check system="C-33205r818849_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not IPv4 ICMP redirect messages.
|
||
|
|
||
|
Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
|
||
|
|
||
|
@@ -5523,13 +5506,13 @@ If the returned line does not have a value of "0", or a line is not returned, th
|
||
|
|
||
|
Check that the configuration files are present to enable this network parameter.
|
||
|
|
||
|
-$ sudo grep -r net.ipv4.conf.all.send_redirects /etc/sysctl.d/*.conf
|
||
|
+$ sudo grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
|
||
|
|
||
|
/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.send_redirects = 0
|
||
|
|
||
|
If "net.ipv4.conf.all.send_redirects" is not set to "0", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230537"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230537r792942_rule" weight="10.0" severity="medium"><version>RHEL-08-040230</version><title>RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.</title><description><VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.
|
||
|
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230537"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230537r818854_rule" weight="10.0" severity="medium"><version>RHEL-08-040230</version><title>RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.</title><description><VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.
|
||
|
|
||
|
There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6.
|
||
|
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
@@ -5538,17 +5521,15 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33181r792941_fix">Configure RHEL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address.
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33181r818853_fix">Configure RHEL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
net.ipv4.icmp_echo_ignore_broadcasts=1
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-33181r792941_fix" /><check system="C-33206r792940_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not respond to ICMP echoes sent to a broadcast address.
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-33181r818853_fix" /><check system="C-33206r818852_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not respond to ICMP echoes sent to a broadcast address.
|
||
|
|
||
|
Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
|
||
|
|
||
|
@@ -5562,13 +5543,13 @@ If the returned line does not have a value of "1", a line is not returned, or th
|
||
|
|
||
|
Check that the configuration files are present to enable this network parameter.
|
||
|
|
||
|
-$ sudo grep -r net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.d/*.conf
|
||
|
+$ sudo grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
|
||
|
|
||
|
/etc/sysctl.d/99-sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts = 1
|
||
|
|
||
|
If "net.ipv4.icmp_echo_ignore_broadcasts" is not set to "1", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230538"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230538r792945_rule" weight="10.0" severity="medium"><version>RHEL-08-040240</version><title>RHEL 8 must not forward IPv6 source-routed packets.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
|
||
|
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230538"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230538r818860_rule" weight="10.0" severity="medium"><version>RHEL-08-040240</version><title>RHEL 8 must not forward IPv6 source-routed packets.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
|
||
|
|
||
|
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
/etc/sysctl.d/*.conf
|
||
|
@@ -5576,17 +5557,15 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33182r792944_fix">Configure RHEL 8 to not forward IPv6 source-routed packets.
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33182r818859_fix">Configure RHEL 8 to not forward IPv6 source-routed packets.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
net.ipv6.conf.all.accept_source_route=0
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-33182r792944_fix" /><check system="C-33207r792943_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept IPv6 source-routed packets.
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-33182r818859_fix" /><check system="C-33207r818858_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept IPv6 source-routed packets.
|
||
|
|
||
|
Note: If IPv6 is disabled on the system, this requirement is Not Applicable.
|
||
|
|
||
|
@@ -5600,13 +5579,13 @@ If the returned line does not have a value of "0", a line is not returned, or th
|
||
|
|
||
|
Check that the configuration files are present to enable this network parameter.
|
||
|
|
||
|
-$ sudo grep -r net.ipv6.conf.all.accept_source_route /etc/sysctl.d/*.conf
|
||
|
+$ sudo grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
|
||
|
|
||
|
/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_source_route = 0
|
||
|
|
||
|
If "net.ipv6.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230539"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230539r792948_rule" weight="10.0" severity="medium"><version>RHEL-08-040250</version><title>RHEL 8 must not forward IPv6 source-routed packets by default.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
|
||
|
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230539"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230539r818866_rule" weight="10.0" severity="medium"><version>RHEL-08-040250</version><title>RHEL 8 must not forward IPv6 source-routed packets by default.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
|
||
|
|
||
|
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
/etc/sysctl.d/*.conf
|
||
|
@@ -5614,17 +5593,15 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33183r792947_fix">Configure RHEL 8 to not forward IPv6 source-routed packets by default.
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33183r818865_fix">Configure RHEL 8 to not forward IPv6 source-routed packets by default.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
net.ipv6.conf.default.accept_source_route=0
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-33183r792947_fix" /><check system="C-33208r792946_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept IPv6 source-routed packets by default.
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-33183r818865_fix" /><check system="C-33208r818864_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept IPv6 source-routed packets by default.
|
||
|
|
||
|
Note: If IPv6 is disabled on the system, this requirement is Not Applicable.
|
||
|
|
||
|
@@ -5638,13 +5615,13 @@ If the returned line does not have a value of "0", a line is not returned, or th
|
||
|
|
||
|
Check that the configuration files are present to enable this network parameter.
|
||
|
|
||
|
-$ sudo grep -r net.ipv6.conf.default.accept_source_route /etc/sysctl.d/*.conf
|
||
|
+$ sudo grep -r net.ipv6.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
|
||
|
|
||
|
/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_source_route = 0
|
||
|
|
||
|
If "net.ipv6.conf.default.accept_source_route" is not set to "0", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230540"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230540r792951_rule" weight="10.0" severity="medium"><version>RHEL-08-040260</version><title>RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
|
||
|
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230540"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230540r818872_rule" weight="10.0" severity="medium"><version>RHEL-08-040260</version><title>RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
|
||
|
|
||
|
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
/etc/sysctl.d/*.conf
|
||
|
@@ -5652,17 +5629,15 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33184r818871_fix">Configure RHEL 8 to not allow IPv6 packet forwarding, unless the system is a router.
|
||
|
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33184r792950_fix">Configure RHEL 8 to not allow IPv6 packet forwarding, unless the system is a router.
|
||
|
-
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
net.ipv6.conf.all.forwarding=0
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-33184r792950_fix" /><check system="C-33209r792949_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router.
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-33184r818871_fix" /><check system="C-33209r818870_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router.
|
||
|
|
||
|
Note: If IPv6 is disabled on the system, this requirement is Not Applicable.
|
||
|
|
||
|
@@ -5676,13 +5651,13 @@ If the IPv6 forwarding value is not "0" and is not documented with the Informati
|
||
|
|
||
|
Check that the configuration files are present to enable this network parameter.
|
||
|
|
||
|
-$ sudo grep -r net.ipv6.conf.all.forwarding /etc/sysctl.d/*.conf
|
||
|
+$ sudo grep -r net.ipv6.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
|
||
|
|
||
|
/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.forwarding = 0
|
||
|
|
||
|
If "net.ipv6.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230541"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230541r792954_rule" weight="10.0" severity="medium"><version>RHEL-08-040261</version><title>RHEL 8 must not accept router advertisements on all IPv6 interfaces.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
|
||
|
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230541"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230541r818875_rule" weight="10.0" severity="medium"><version>RHEL-08-040261</version><title>RHEL 8 must not accept router advertisements on all IPv6 interfaces.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
|
||
|
|
||
|
An illicit router advertisement message could result in a man-in-the-middle attack.
|
||
|
|
||
|
@@ -5692,17 +5667,15 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33185r818874_fix">Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces unless the system is a router.
|
||
|
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33185r792953_fix">Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces unless the system is a router.
|
||
|
-
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
net.ipv6.conf.all.accept_ra=0
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-33185r792953_fix" /><check system="C-33210r792952_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router.
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-33185r818874_fix" /><check system="C-33210r818873_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router.
|
||
|
|
||
|
Note: If IPv6 is disabled on the system, this requirement is not applicable.
|
||
|
|
||
|
@@ -5716,13 +5689,13 @@ If the "accept_ra" value is not "0" and is not documented with the Information S
|
||
|
|
||
|
Check that the configuration files are present to enable this network parameter.
|
||
|
|
||
|
-$ sudo grep -r net.ipv6.conf.all.accept_ra /etc/sysctl.d/*.conf
|
||
|
+$ sudo grep -r net.ipv6.conf.all.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
|
||
|
|
||
|
/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_ra = 0
|
||
|
|
||
|
If "net.ipv6.conf.all.accept_ra" is not set to "0", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230542"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230542r792957_rule" weight="10.0" severity="medium"><version>RHEL-08-040262</version><title>RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
|
||
|
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230542"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230542r818878_rule" weight="10.0" severity="medium"><version>RHEL-08-040262</version><title>RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
|
||
|
|
||
|
An illicit router advertisement message could result in a man-in-the-middle attack.
|
||
|
|
||
|
@@ -5732,17 +5705,15 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33186r792956_fix">Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router.
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33186r818877_fix">Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
net.ipv6.conf.default.accept_ra=0
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-33186r792956_fix" /><check system="C-33211r792955_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router.
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-33186r818877_fix" /><check system="C-33211r818876_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router.
|
||
|
|
||
|
Note: If IPv6 is disabled on the system, this requirement is not applicable.
|
||
|
|
||
|
@@ -5756,13 +5727,13 @@ If the "accept_ra" value is not "0" and is not documented with the Information S
|
||
|
|
||
|
Check that the configuration files are present to enable this network parameter.
|
||
|
|
||
|
-$ sudo grep -r net.ipv6.conf.default.accept_ra /etc/sysctl.d/*.conf
|
||
|
+$ sudo grep -r net.ipv6.conf.default.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
|
||
|
|
||
|
/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_ra = 0
|
||
|
|
||
|
If "net.ipv6.conf.default.accept_ra" is not set to "0", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230543"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230543r792960_rule" weight="10.0" severity="medium"><version>RHEL-08-040270</version><title>RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
|
||
|
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230543"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230543r818881_rule" weight="10.0" severity="medium"><version>RHEL-08-040270</version><title>RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
|
||
|
|
||
|
There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6.
|
||
|
|
||
|
@@ -5772,17 +5743,15 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33187r792959_fix">Configure RHEL 8 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33187r818880_fix">Configure RHEL 8 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
net.ipv4.conf.default.send_redirects = 0
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33187r792959_fix" /><check system="C-33212r792958_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.
+$ sudo sysctl --system</fixtext><fix id="F-33187r818880_fix" /><check system="C-33212r818879_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.
Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
@@ -5796,13 +5765,13 @@ If the returned line does not have a value of "0", or a line is not returned, th
Check that the configuration files are present to enable this network parameter.
-$ sudo grep -r net.ipv4.conf.default.send_redirects /etc/sysctl.d/*.conf
+$ sudo grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.send_redirects = 0
If "net.ipv4.conf.default.send_redirects" is not set to "0", is missing or commented out, this is a finding.
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230544"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230544r792963_rule" weight="10.0" severity="medium"><version>RHEL-08-040280</version><title>RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230544"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230544r818887_rule" weight="10.0" severity="medium"><version>RHEL-08-040280</version><title>RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
@@ -5810,17 +5779,15 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33188r792962_fix">Configure RHEL 8 to ignore IPv6 ICMP redirect messages.
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33188r818886_fix">Configure RHEL 8 to ignore IPv6 ICMP redirect messages.
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
net.ipv6.conf.all.accept_redirects = 0
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33188r792962_fix" /><check system="C-33213r792961_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 ignores IPv6 ICMP redirect messages.
+$ sudo sysctl --system</fixtext><fix id="F-33188r818886_fix" /><check system="C-33213r818885_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 ignores IPv6 ICMP redirect messages.
Note: If IPv6 is disabled on the system, this requirement is Not Applicable.
@@ -5834,13 +5801,13 @@ If the returned line does not have a value of "0", a line is not returned, or th
Check that the configuration files are present to enable this network parameter.
-$ sudo grep -r net.ipv6.conf.all.accept_redirects /etc/sysctl.d/*.conf
+$ sudo grep -r net.ipv6.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_redirects = 0
If "net.ipv6.conf.all.accept_redirects" is not set to "0", is missing or commented out, this is a finding.
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230545"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230545r792966_rule" weight="10.0" severity="medium"><version>RHEL-08-040281</version><title>RHEL 8 must disable access to network bpf syscall from unprivileged processes.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230545"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230545r818890_rule" weight="10.0" severity="medium"><version>RHEL-08-040281</version><title>RHEL 8 must disable access to network bpf syscall from unprivileged processes.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
@@ -5848,15 +5815,13 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33189r792965_fix">Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory:
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33189r818889_fix">Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, in the "/etc/sysctl.d" directory:
kernel.unprivileged_bpf_disabled = 1
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33189r792965_fix" /><check system="C-33214r792964_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-33189r818889_fix" /><check system="C-33214r818888_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands:
$ sudo sysctl kernel.unprivileged_bpf_disabled
@@ -5866,13 +5831,13 @@ If the returned line does not have a value of "1", or a line is not returned, th
Check that the configuration files are present to enable this network parameter.
-$ sudo grep -r kernel.unprivileged_bpf_disabled /etc/sysctl.d/*.conf
+$ sudo grep -r kernel.unprivileged_bpf_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
/etc/sysctl.d/99-sysctl.conf: kernel.unprivileged_bpf_disabled = 1
If "kernel.unprivileged_bpf_disabled" is not set to "1", is missing or commented out, this is a finding.
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230546"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230546r792969_rule" weight="10.0" severity="medium"><version>RHEL-08-040282</version><title>RHEL 8 must restrict usage of ptrace to descendant processes.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230546"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230546r818893_rule" weight="10.0" severity="medium"><version>RHEL-08-040282</version><title>RHEL 8 must restrict usage of ptrace to descendant processes.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
@@ -5880,15 +5845,13 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33190r792968_fix">Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory:
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33190r818892_fix">Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a file, in the "/etc/sysctl.d" directory:
kernel.yama.ptrace_scope = 1
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33190r792968_fix" /><check system="C-33215r792967_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 restricts usage of ptrace to descendant processes with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-33190r818892_fix" /><check system="C-33215r818891_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 restricts usage of ptrace to descendant processes with the following commands:
$ sudo sysctl kernel.yama.ptrace_scope
@@ -5898,13 +5861,13 @@ If the returned line does not have a value of "1", or a line is not returned, th
Check that the configuration files are present to enable this network parameter.
-$ sudo grep -r kernel.yama.ptrace_scope /etc/sysctl.d/*.conf
+$ sudo grep -r kernel.yama.ptrace_scope /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
/etc/sysctl.d/99-sysctl.conf: kernel.yama.ptrace_scope = 1
If "kernel.yama.ptrace_scope" is not set to "1", is missing or commented out, this is a finding.
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230547"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230547r792972_rule" weight="10.0" severity="medium"><version>RHEL-08-040283</version><title>RHEL 8 must restrict exposed kernel pointer addresses access.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230547"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230547r818896_rule" weight="10.0" severity="medium"><version>RHEL-08-040283</version><title>RHEL 8 must restrict exposed kernel pointer addresses access.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
@@ -5912,15 +5875,13 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33191r792971_fix">Configure RHEL 8 to restrict exposed kernel pointer addresses access by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory:
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33191r818895_fix">Configure RHEL 8 to restrict exposed kernel pointer addresses access by adding the following line to a file, in the "/etc/sysctl.d" directory:
kernel.kptr_restrict = 1
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33191r792971_fix" /><check system="C-33216r792970_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 restricts exposed kernel pointer addresses access with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-33191r818895_fix" /><check system="C-33216r818894_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 restricts exposed kernel pointer addresses access with the following commands:
$ sudo sysctl kernel.kptr_restrict
@@ -5930,13 +5891,13 @@ If the returned line does not have a value of "1", or a line is not returned, th
Check that the configuration files are present to enable this network parameter.
-$ sudo grep -r kernel.kptr_restrict /etc/sysctl.d/*.conf
+$ sudo grep -r kernel.kptr_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
/etc/sysctl.d/99-sysctl.conf: kernel.kptr_restrict = 1
If "kernel.kptr_restrict" is not set to "1", is missing or commented out, this is a finding.
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230548"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230548r792975_rule" weight="10.0" severity="medium"><version>RHEL-08-040284</version><title>RHEL 8 must disable the use of user namespaces.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230548"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230548r818899_rule" weight="10.0" severity="medium"><version>RHEL-08-040284</version><title>RHEL 8 must disable the use of user namespaces.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
@@ -5944,9 +5905,7 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33192r792974_fix">Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory:
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33192r818898_fix">Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory:
Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.
@@ -5954,7 +5913,7 @@ user.max_user_namespaces = 0
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33192r792974_fix" /><check system="C-33217r792973_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 disables the use of user namespaces with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-33192r818898_fix" /><check system="C-33217r818897_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 disables the use of user namespaces with the following commands:
Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.
@@ -5966,13 +5925,13 @@ If the returned line does not have a value of "0", or a line is not returned, th
Check that the configuration files are present to enable this network parameter.
-$ sudo grep -r user.max_user_namespaces /etc/sysctl.d/*.conf
+$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0
If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding.
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230549"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230549r792978_rule" weight="10.0" severity="medium"><version>RHEL-08-040285</version><title>RHEL 8 must use reverse path filtering on all IPv4 interfaces.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230549"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230549r818902_rule" weight="10.0" severity="medium"><version>RHEL-08-040285</version><title>RHEL 8 must use reverse path filtering on all IPv4 interfaces.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
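Review bot: The rewritten check at the `+$ sudo grep -r user.max_user_namespaces ...` line scans /etc/sysctl.conf and /etc/sysctl.d/*.conf in one invocation, and the new closing line `+If results are returned from more than one file location, this is a finding.` turns any match from two paths into a finding; on RHEL 8 /etc/sysctl.d/99-sysctl.conf is commonly a symlink to /etc/sysctl.conf, so a single correct setting kept there would presumably be printed under both paths and read as a finding. This is DISA's wording in a vendored benchmark and should stay as-is, but the OVAL and remediation content that implements this user-namespace rule should compare resolved paths (or treat that symlinked pair as one location) rather than counting raw grep hits, and the remediation should write the value to exactly one file. The removed "99-" rule was a precedence guarantee, whereas the replacement forbids duplicates outright, so a stale definition in a lower-priority directory such as /usr/lib/sysctl.d now also counts as a conflict and needs to be removed rather than merely overridden. The Rule element this check belongs to starts before this hunk.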
@@ -5980,15 +5939,13 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33193r792977_fix">Configure RHEL 8 to use reverse path filtering on all IPv4 interfaces by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory:
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33193r818901_fix">Configure RHEL 8 to use reverse path filtering on all IPv4 interfaces by adding the following line to a file, in the "/etc/sysctl.d" directory:
net.ipv4.conf.all.rp_filter = 1
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33193r792977_fix" /><check system="C-33218r792976_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-33193r818901_fix" /><check system="C-33218r818900_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands:
$ sudo sysctl net.ipv4.conf.all.rp_filter
@@ -5998,13 +5955,13 @@ If the returned line does not have a value of "1", or a line is not returned, th
Check that the configuration files are present to enable this network parameter.
-$ sudo grep -r net.ipv4.conf.all.rp_filter /etc/sysctl.d/*.conf
+$ sudo grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.rp_filter = 1
If "net.ipv4.conf.all.rp_filter" is not set to "1", is missing or commented out, this is a finding.
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-230550"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230550r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040290</version><title>RHEL 8 must be configured to prevent unrestricted mail relaying.</title><description><VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33194r568397_fix">If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command:
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230550"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230550r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040290</version><title>RHEL 8 must be configured to prevent unrestricted mail relaying.</title><description><VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33194r568397_fix">If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command:
$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'</fixtext><fix id="F-33194r568397_fix" /><check system="C-33219r568396_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the system is configured to prevent unrestricted mail relaying.
@@ -6630,7 +6587,7 @@ Note: Manual changes to the listed file may be overwritten by the "authselect" p
$ sudo grep -i nullok /etc/pam.d/password-auth
-If output is produced, this is a finding.</check-content></check></Rule></Group><Group id="V-244542"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244542r743875_rule" weight="10.0" severity="medium"><version>RHEL-08-030181</version><title>RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.</title><description><VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
+If output is produced, this is a finding.</check-content></check></Rule></Group><Group id="V-244542"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244542r818838_rule" weight="10.0" severity="medium"><version>RHEL-08-030181</version><title>RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.</title><description><VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
@@ -6640,9 +6597,9 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPO
$ sudo systemctl enable auditd.service
-$ sudo systemctl start auditd.service</fixtext><fix id="F-47774r743874_fix" /><check system="C-47817r743873_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the audit service is configured to produce audit records with the following command:
+$ sudo systemctl start auditd.service</fixtext><fix id="F-47774r743874_fix" /><check system="C-47817r818837_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the audit service is configured to produce audit records with the following command:
-$ sudo systemctl status auditd.service.
+$ sudo systemctl status auditd.service
auditd.service - Security Auditing Service
Loaded:loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
@@ -6778,7 +6735,7 @@ $ sudo yum list installed openssh-server
openssh-server.x86_64 8.0p1-5.el8 @anaconda
-If the "SSH server" package is not installed, this is a finding.</check-content></check></Rule></Group><Group id="V-244550"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244550r792987_rule" weight="10.0" severity="medium"><version>RHEL-08-040209</version><title>RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
+If the "SSH server" package is not installed, this is a finding.</check-content></check></Rule></Group><Group id="V-244550"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244550r818845_rule" weight="10.0" severity="medium"><version>RHEL-08-040209</version><title>RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
@@ -6786,17 +6743,15 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47782r818844_fix">Configure RHEL 8 to prevent IPv4 ICMP redirect messages from being accepted.
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47782r792986_fix">Configure RHEL 8 to prevent IPv4 ICMP redirect messages from being accepted.
-
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
net.ipv4.conf.default.accept_redirects = 0
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-47782r792986_fix" /><check system="C-47825r792985_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 will not accept IPv4 ICMP redirect messages.
+$ sudo sysctl --system</fixtext><fix id="F-47782r818844_fix" /><check system="C-47825r818843_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 will not accept IPv4 ICMP redirect messages.
Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
@@ -6810,13 +6765,13 @@ If the returned line does not have a value of "0", a line is not returned, or th
Check that the configuration files are present to enable this network parameter.
-$ sudo grep -r net.ipv4.conf.default.accept_redirects /etc/sysctl.d/*.conf
+$ sudo grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_redirects = 0
If "net.ipv4.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding.
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-244551"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244551r792990_rule" weight="10.0" severity="medium"><version>RHEL-08-040239</version><title>RHEL 8 must not forward IPv4 source-routed packets.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-244551"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244551r818857_rule" weight="10.0" severity="medium"><version>RHEL-08-040239</version><title>RHEL 8 must not forward IPv4 source-routed packets.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
@@ -6824,17 +6779,15 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47783r818856_fix">Configure RHEL 8 to not forward IPv4 source-routed packets.
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47783r792989_fix">Configure RHEL 8 to not forward IPv4 source-routed packets.
-
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
net.ipv4.conf.all.accept_source_route=0
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-47783r792989_fix" /><check system="C-47826r792988_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept IPv4 source-routed packets.
+$ sudo sysctl --system</fixtext><fix id="F-47783r818856_fix" /><check system="C-47826r818855_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept IPv4 source-routed packets.
Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
@@ -6848,13 +6801,13 @@ If the returned line does not have a value of "0", a line is not returned, or th
Check that the configuration files are present to enable this network parameter.
-$ sudo grep -r net.ipv4.conf.all.accept_source_route /etc/sysctl.d/*.conf
+$ sudo grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_source_route = 0
If "net.ipv4.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding.
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-244552"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244552r792993_rule" weight="10.0" severity="medium"><version>RHEL-08-040249</version><title>RHEL 8 must not forward IPv4 source-routed packets by default.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-244552"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244552r818863_rule" weight="10.0" severity="medium"><version>RHEL-08-040249</version><title>RHEL 8 must not forward IPv4 source-routed packets by default.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
@@ -6862,17 +6815,15 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47784r792992_fix">Configure RHEL 8 to not forward IPv4 source-routed packets by default.
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47784r818862_fix">Configure RHEL 8 to not forward IPv4 source-routed packets by default.
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
net.ipv4.conf.default.accept_source_route=0
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-47784r792992_fix" /><check system="C-47827r792991_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept IPv4 source-routed packets by default.
+$ sudo sysctl --system</fixtext><fix id="F-47784r818862_fix" /><check system="C-47827r818861_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept IPv4 source-routed packets by default.
Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
@@ -6886,13 +6837,13 @@ If the returned line does not have a value of "0", a line is not returned, or th
Check that the configuration files are present to enable this network parameter.
-$ sudo grep -r net.ipv4.conf.default.accept_source_route /etc/sysctl.d/*.conf
+$ sudo grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_source_route = 0
If "net.ipv4.conf.default.accept_source_route" is not set to "0", is missing or commented out, this is a finding.
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-244553"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244553r792996_rule" weight="10.0" severity="medium"><version>RHEL-08-040279</version><title>RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-244553"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244553r818884_rule" weight="10.0" severity="medium"><version>RHEL-08-040279</version><title>RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
@@ -6900,17 +6851,15 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47785r792995_fix">Configure RHEL 8 to ignore IPv4 ICMP redirect messages.
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47785r818883_fix">Configure RHEL 8 to ignore IPv4 ICMP redirect messages.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
net.ipv4.conf.all.accept_redirects = 0
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-47785r792995_fix" /><check system="C-47828r792994_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 ignores IPv4 ICMP redirect messages.
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-47785r818883_fix" /><check system="C-47828r818882_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 ignores IPv4 ICMP redirect messages.
|
||
|
|
||
|
Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
|
||
|
|
||
|
@@ -6924,13 +6873,13 @@ If the returned line does not have a value of "0", a line is not returned, or th
|
||
|
|
||
|
Check that the configuration files are present to enable this network parameter.
|
||
|
|
||
|
-$ sudo grep -r net.ipv4.conf.all.accept_redirects /etc/sysctl.d/*.conf
|
||
|
+$ sudo grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
|
||
|
|
||
|
/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_redirects = 0
|
||
|
|
||
|
If "net.ipv4.conf.all.accept_redirects" is not set to "0", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-244554"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244554r792999_rule" weight="10.0" severity="medium"><version>RHEL-08-040286</version><title>RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-244554"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244554r818905_rule" weight="10.0" severity="medium"><version>RHEL-08-040286</version><title>RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
|
||
|
Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to "2" enables JIT hardening for all users.
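Review bot: The added grep line now searches both /etc/sysctl.conf and /etc/sysctl.d/*.conf, and the new closing sentence "If results are returned from more than one file location, this is a finding." treats any second hit as a failure, yet the example output kept in the hunk is /etc/sysctl.d/99-sysctl.conf, which on RHEL 8 is normally a symlink to /etc/sysctl.conf, so a single compliant setting in /etc/sysctl.conf can be listed twice and read as a finding under a literal application of this wording. The text also leaves open whether two files inside the same /etc/sysctl.d/ directory count as "more than one file location". As this is DISA's vendored benchmark text it should not be edited here; the point is for the project's own automated check for RHEL-08-040279 (and its remediation), which, if aligned to this wording, should resolve symlinks or dedupe by real path before counting locations so compliant systems are not flagged. The same wording is introduced for net.core.bpf_jit_harden (RHEL-08-040286) and net.ipv4.conf.all.forwarding (RHEL-08-040259) in the later hunks of this file section, so one shared fix in the project's check logic would cover all three.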
|
||
|
|
||
|
@@ -6940,15 +6889,13 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47786r792998_fix">Configure RHEL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory:
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47786r818904_fix">Configure RHEL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the "/etc/sysctl.d" directory:
|
||
|
|
||
|
net.core.bpf_jit_harden = 2
|
||
|
|
||
|
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-47786r792998_fix" /><check system="C-47829r792997_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 enables hardening for the BPF JIT with the following commands:
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-47786r818904_fix" /><check system="C-47829r818903_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 enables hardening for the BPF JIT with the following commands:
|
||
|
|
||
|
$ sudo sysctl net.core.bpf_jit_harden
|
||
|
|
||
|
@@ -6958,13 +6905,13 @@ If the returned line does not have a value of "2", or a line is not returned, th
|
||
|
|
||
|
Check that the configuration files are present to enable this network parameter.
|
||
|
|
||
|
-$ sudo grep -r net.core.bpf_jit_harden /etc/sysctl.d/*.conf
|
||
|
+$ sudo grep -r net.core.bpf_jit_harden /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
|
||
|
|
||
|
/etc/sysctl.d/99-sysctl.conf: net.core.bpf_jit_harden = 2
|
||
|
|
||
|
If "net.core.bpf_jit_harden" is not set to "2", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-245540"><title>SRG-OS-000191-GPOS-00080</title><description><GroupDescription></GroupDescription></description><Rule id="SV-245540r754730_rule" weight="10.0" severity="medium"><version>RHEL-08-010001</version><title>The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.</title><description><VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001233</ident><fixtext fixref="F-48770r754729_fix">Install and enable the latest McAfee ENSLTP package.</fixtext><fix id="F-48770r754729_fix" /><check system="C-48814r754728_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux.
|
||
|
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-245540"><title>SRG-OS-000191-GPOS-00080</title><description><GroupDescription></GroupDescription></description><Rule id="SV-245540r754730_rule" weight="10.0" severity="medium"><version>RHEL-08-010001</version><title>The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.</title><description><VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001233</ident><fixtext fixref="F-48770r754729_fix">Install and enable the latest McAfee ENSLTP package.</fixtext><fix id="F-48770r754729_fix" /><check system="C-48814r754728_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux.
|
||
|
|
||
|
Procedure:
|
||
|
Check that the following package has been installed:
|
||
|
@@ -7038,7 +6985,7 @@ $ sudo ls -Zd /var/log/faillock
|
||
|
|
||
|
unconfined_u:object_r:faillog_t:s0 /var/log/faillock
|
||
|
|
||
|
-If the security context type of the non-default tally directory is not "faillog_t", this is a finding.</check-content></check></Rule></Group><Group id="V-250317"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-250317r793008_rule" weight="10.0" severity="medium"><version>RHEL-08-040259</version><title>RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
|
||
|
+If the security context type of the non-default tally directory is not "faillog_t", this is a finding.</check-content></check></Rule></Group><Group id="V-250317"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-250317r818869_rule" weight="10.0" severity="medium"><version>RHEL-08-040259</version><title>RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
|
||
|
|
||
|
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
/etc/sysctl.d/*.conf
|
||
|
@@ -7046,17 +6993,15 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-53705r793007_fix">Configure RHEL 8 to not allow IPv4 packet forwarding, unless the system is a router.
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-53705r818868_fix">Configure RHEL 8 to not allow IPv4 packet forwarding, unless the system is a router.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
net.ipv4.conf.all.forwarding=0
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-53705r793007_fix" /><check system="C-53751r793006_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router.
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-53705r818868_fix" /><check system="C-53751r818867_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router.
|
||
|
|
||
|
Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
|
||
|
|
||
|
@@ -7069,13 +7014,13 @@ If the IPv4 forwarding value is not "0" and is not documented with the Informati
|
||
|
|
||
|
Check that the configuration files are present to enable this network parameter.
|
||
|
|
||
|
-$ sudo grep -r net.ipv4.conf.all.forwarding /etc/sysctl.d/*.conf
|
||
|
+$ sudo grep -r net.ipv4.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
|
||
|
|
||
|
/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.forwarding = 0
|
||
|
|
||
|
If "net.ipv4.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-251706"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251706r809342_rule" weight="10.0" severity="high"><version>RHEL-08-010121</version><title>The RHEL 8 operating system must not have accounts configured with blank or null passwords.</title><description><VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-55097r809341_fix">Configure all accounts on the system to have a password or lock the account with the following commands:
|
||
|
+If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-251706"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251706r809342_rule" weight="10.0" severity="high"><version>RHEL-08-010121</version><title>The RHEL 8 operating system must not have accounts configured with blank or null passwords.</title><description><VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-55097r809341_fix">Configure all accounts on the system to have a password or lock the account with the following commands:
|
||
|
|
||
|
Perform a password reset:
|
||
|
$ sudo passwd [username]
|
||
|
|
||
|
From b1e14f5035a539b0539d417606232a42ad194a9d Mon Sep 17 00:00:00 2001
|
||
|
From: Watson Sato <wsato@redhat.com>
|
||
|
Date: Mon, 2 May 2022 10:24:54 +0200
|
||
|
Subject: [PATCH 2/3] Update DISA STIG RHEL8 SCAP content to V1R5
|
||
|
|
||
|
The V1R5 SCAP content is aligned with the V1R6 manual benchmark.
|
||
|
---
|
||
|
...ml => disa-stig-rhel8-v1r5-xccdf-scap.xml} | 2050 +++++++++++------
|
||
|
1 file changed, 1294 insertions(+), 756 deletions(-)
|
||
|
rename shared/references/{disa-stig-rhel8-v1r4-xccdf-scap.xml => disa-stig-rhel8-v1r5-xccdf-scap.xml} (92%)
|
||
|
|
||
|
diff --git a/shared/references/disa-stig-rhel8-v1r4-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml
|
||
|
similarity index 92%
|
||
|
rename from shared/references/disa-stig-rhel8-v1r4-xccdf-scap.xml
|
||
|
rename to shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml
|
||
|
index 24c8f3e51a8..1bd2fb7b659 100644
|
||
|
--- a/shared/references/disa-stig-rhel8-v1r4-xccdf-scap.xml
|
||
|
+++ b/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml
|
||
|
@@ -1,36 +1,36 @@
|
||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
-<data-stream-collection xmlns="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="scap_mil.disa.stig_collection_U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark" schematron-version="1.2" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 http://scap.nist.gov/schema/xccdf/1.2/xccdf_1.2.xsd http://cpe.mitre.org/dictionary/2.0 http://scap.nist.gov/schema/cpe/2.3/cpe-dictionary_2.3.xsd http://oval.mitre.org/XMLSchema/oval-common-5 http://oval.mitre.org/language/download/schema/version5.10.1/ovaldefinition/complete/oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 http://oval.mitre.org/language/download/schema/version5.10.1/ovaldefinition/complete/oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent http://oval.mitre.org/language/download/schema/version5.10.1/ovaldefinition/complete/independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux http://oval.mitre.org/language/download/schema/version5.10.1/ovaldefinition/complete/linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix http://oval.mitre.org/language/download/schema/version5.10.1/ovaldefinition/complete/unix-definitions-schema.xsd http://scap.nist.gov/schema/scap/source/1.2 http://scap.nist.gov/schema/scap/1.2/scap-source-data-stream_1.2.xsd">
|
||
|
- <data-stream id="scap_mil.disa.stig_datastream_U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark" use-case="CONFIGURATION" scap-version="1.2" timestamp="2022-01-03T11:44:34">
|
||
|
+<data-stream-collection xmlns="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="scap_mil.disa.stig_collection_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark" schematron-version="1.2" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 http://scap.nist.gov/schema/xccdf/1.2/xccdf_1.2.xsd http://cpe.mitre.org/dictionary/2.0 http://scap.nist.gov/schema/cpe/2.3/cpe-dictionary_2.3.xsd http://oval.mitre.org/XMLSchema/oval-common-5 http://oval.mitre.org/language/download/schema/version5.10.1/ovaldefinition/complete/oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 http://oval.mitre.org/language/download/schema/version5.10.1/ovaldefinition/complete/oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent http://oval.mitre.org/language/download/schema/version5.10.1/ovaldefinition/complete/independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux http://oval.mitre.org/language/download/schema/version5.10.1/ovaldefinition/complete/linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix http://oval.mitre.org/language/download/schema/version5.10.1/ovaldefinition/complete/unix-definitions-schema.xsd http://scap.nist.gov/schema/scap/source/1.2 http://scap.nist.gov/schema/scap/1.2/scap-source-data-stream_1.2.xsd">
|
||
|
+ <data-stream id="scap_mil.disa.stig_datastream_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark" use-case="CONFIGURATION" scap-version="1.2" timestamp="2022-03-28T12:45:13">
|
||
|
<dictionaries>
|
||
|
- <component-ref xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_mil.disa.stig_cref_U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-cpe-dictionary.xml" xlink:href="#scap_mil.disa.stig_comp_U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-cpe-dictionary.xml">
|
||
|
+ <component-ref xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_mil.disa.stig_cref_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-cpe-dictionary.xml" xlink:href="#scap_mil.disa.stig_comp_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-cpe-dictionary.xml">
|
||
|
<cat:catalog xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog">
|
||
|
- <cat:uri name="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-cpe-oval.xml" uri="#scap_mil.disa.stig_cref_U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-cpe-oval.xml" />
|
||
|
+ <cat:uri name="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-cpe-oval.xml" uri="#scap_mil.disa.stig_cref_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-cpe-oval.xml" />
|
||
|
</cat:catalog>
|
||
|
</component-ref>
|
||
|
</dictionaries>
|
||
|
<checklists>
|
||
|
- <component-ref xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_mil.disa.stig_cref_U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-xccdf.xml" xlink:href="#scap_mil.disa.stig_comp_U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-xccdf.xml">
|
||
|
+ <component-ref xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_mil.disa.stig_cref_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-xccdf.xml" xlink:href="#scap_mil.disa.stig_comp_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-xccdf.xml">
|
||
|
<cat:catalog xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog">
|
||
|
- <cat:uri name="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" uri="#scap_mil.disa.stig_cref_U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <cat:uri name="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" uri="#scap_mil.disa.stig_cref_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</cat:catalog>
|
||
|
</component-ref>
|
||
|
</checklists>
|
||
|
<checks>
|
||
|
- <component-ref xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_mil.disa.stig_cref_U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" xlink:href="#scap_mil.disa.stig_comp_U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
- <component-ref xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_mil.disa.stig_cref_U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-cpe-oval.xml" xlink:href="#scap_mil.disa.stig_comp_U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-cpe-oval.xml" />
|
||
|
+ <component-ref xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_mil.disa.stig_cref_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" xlink:href="#scap_mil.disa.stig_comp_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <component-ref xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_mil.disa.stig_cref_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-cpe-oval.xml" xlink:href="#scap_mil.disa.stig_comp_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-cpe-oval.xml" />
|
||
|
</checks>
|
||
|
</data-stream>
|
||
|
- <component id="scap_mil.disa.stig_comp_U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-cpe-dictionary.xml" timestamp="2022-01-03T11:44:34">
|
||
|
+ <component id="scap_mil.disa.stig_comp_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-cpe-dictionary.xml" timestamp="2022-03-28T12:45:13">
|
||
|
<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
|
||
|
<cpe-item name="cpe:/o:redhat:enterprise_linux:8">
|
||
|
<title xml:lang="en-us">Red Hat Enterprise Linux 8</title>
|
||
|
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-cpe-oval.xml">oval:mil.disa.stig.rhel8:def:1</check>
|
||
|
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-cpe-oval.xml">oval:mil.disa.stig.rhel8:def:1</check>
|
||
|
</cpe-item>
|
||
|
</cpe-list>
|
||
|
</component>
|
||
|
- <component id="scap_mil.disa.stig_comp_U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-xccdf.xml" timestamp="2022-01-03T11:44:34">
|
||
|
+ <component id="scap_mil.disa.stig_comp_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-xccdf.xml" timestamp="2022-03-28T12:45:13">
|
||
|
<xccdf:Benchmark xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xhtml="http://www.w3.org/1999/xhtml" id="xccdf_mil.disa.stig_benchmark_RHEL_8_STIG" xml:lang="en" style="SCAP_1.2">
|
||
|
- <xccdf:status date="2021-12-03">accepted</xccdf:status>
|
||
|
+ <xccdf:status date="2022-02-17">accepted</xccdf:status>
|
||
|
<xccdf:title>Red Hat Enterprise Linux 8 Security Technical Implementation Guide</xccdf:title>
|
||
|
<xccdf:description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</xccdf:description>
|
||
|
<xccdf:notice id="terms-of-use" xml:lang="en" />
|
||
|
@@ -40,11 +40,11 @@
|
||
|
<dc:publisher>DISA</dc:publisher>
|
||
|
<dc:source>STIG.DOD.MIL</dc:source>
|
||
|
</xccdf:reference>
|
||
|
- <xccdf:plain-text id="release-info">Release: 1.4 Benchmark Date: 27 Jan 2022</xccdf:plain-text>
|
||
|
- <xccdf:plain-text id="generator">3.2.2.36079</xccdf:plain-text>
|
||
|
+ <xccdf:plain-text id="release-info">Release: 1.5 Benchmark Date: 27 Apr 2022</xccdf:plain-text>
|
||
|
+ <xccdf:plain-text id="generator">3.3.0.27375</xccdf:plain-text>
|
||
|
<xccdf:plain-text id="conventionsVersion">1.10.0</xccdf:plain-text>
|
||
|
<xccdf:platform idref="cpe:/o:redhat:enterprise_linux:8" />
|
||
|
- <xccdf:version update="http://iase.disa.mil/stigs">001.004</xccdf:version>
|
||
|
+ <xccdf:version update="http://iase.disa.mil/stigs">001.005</xccdf:version>
|
||
|
<xccdf:metadata>
|
||
|
<dc:creator>DISA</dc:creator>
|
||
|
<dc:publisher>DISA</dc:publisher>
|
||
|
@@ -88,6 +88,7 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230271" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230272" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230273" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-230280" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230281" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230282" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230283" selected="true" />
|
||
|
@@ -280,6 +281,10 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237641" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237642" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237643" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244540" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244541" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244554" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-251706" selected="true" />
|
||
|
</xccdf:Profile>
|
||
|
<xccdf:Profile id="xccdf_mil.disa.stig_profile_MAC-1_Public">
|
||
|
<xccdf:title>I - Mission Critical Public</xccdf:title>
|
||
|
@@ -318,6 +323,7 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230271" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230272" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230273" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-230280" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230281" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230282" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230283" selected="true" />
|
||
|
@@ -510,6 +516,10 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237641" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237642" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237643" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244540" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244541" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244554" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-251706" selected="true" />
|
||
|
</xccdf:Profile>
|
||
|
<xccdf:Profile id="xccdf_mil.disa.stig_profile_MAC-1_Sensitive">
|
||
|
<xccdf:title>I - Mission Critical Sensitive</xccdf:title>
|
||
|
@@ -548,6 +558,7 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230271" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230272" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230273" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-230280" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230281" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230282" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230283" selected="true" />
|
||
|
@@ -740,6 +751,10 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237641" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237642" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237643" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244540" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244541" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244554" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-251706" selected="true" />
|
||
|
</xccdf:Profile>
|
||
|
<xccdf:Profile id="xccdf_mil.disa.stig_profile_MAC-2_Classified">
|
||
|
<xccdf:title>II - Mission Support Classified</xccdf:title>
|
||
|
@@ -778,6 +793,7 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230271" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230272" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230273" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-230280" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230281" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230282" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230283" selected="true" />
|
||
|
@@ -970,6 +986,10 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237641" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237642" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237643" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244540" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244541" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244554" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-251706" selected="true" />
|
||
|
</xccdf:Profile>
|
||
|
<xccdf:Profile id="xccdf_mil.disa.stig_profile_MAC-2_Public">
|
||
|
<xccdf:title>II - Mission Support Public</xccdf:title>
|
||
|
@@ -1008,6 +1028,7 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230271" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230272" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230273" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-230280" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230281" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230282" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230283" selected="true" />
|
||
|
@@ -1200,6 +1221,10 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237641" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237642" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237643" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244540" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244541" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244554" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-251706" selected="true" />
|
||
|
</xccdf:Profile>
|
||
|
<xccdf:Profile id="xccdf_mil.disa.stig_profile_MAC-2_Sensitive">
|
||
|
<xccdf:title>II - Mission Support Sensitive</xccdf:title>
|
||
|
@@ -1238,6 +1263,7 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230271" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230272" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230273" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-230280" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230281" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230282" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230283" selected="true" />
|
||
|
@@ -1430,6 +1456,10 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237641" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237642" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237643" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244540" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244541" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244554" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-251706" selected="true" />
|
||
|
</xccdf:Profile>
|
||
|
<xccdf:Profile id="xccdf_mil.disa.stig_profile_MAC-3_Classified">
|
||
|
<xccdf:title>III - Administrative Classified</xccdf:title>
|
||
|
@@ -1468,6 +1498,7 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230271" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230272" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230273" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-230280" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230281" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230282" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230283" selected="true" />
|
||
|
@@ -1660,6 +1691,10 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237641" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237642" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237643" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244540" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244541" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244554" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-251706" selected="true" />
|
||
|
</xccdf:Profile>
|
||
|
<xccdf:Profile id="xccdf_mil.disa.stig_profile_MAC-3_Public">
|
||
|
<xccdf:title>III - Administrative Public</xccdf:title>
|
||
|
@@ -1698,6 +1733,7 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230271" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230272" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230273" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-230280" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230281" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230282" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230283" selected="true" />
|
||
|
@@ -1890,6 +1926,10 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237641" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237642" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237643" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244540" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244541" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244554" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-251706" selected="true" />
|
||
|
</xccdf:Profile>
|
||
|
<xccdf:Profile id="xccdf_mil.disa.stig_profile_MAC-3_Sensitive">
|
||
|
<xccdf:title>III - Administrative Sensitive</xccdf:title>
|
||
|
@@ -1928,6 +1968,7 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230271" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230272" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230273" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-230280" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230281" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230282" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-230283" selected="true" />
|
||
|
@@ -2120,6 +2161,10 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237641" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237642" selected="true" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_group_V-237643" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244540" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244541" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-244554" selected="true" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_group_V-251706" selected="true" />
|
||
|
</xccdf:Profile>
|
||
|
<xccdf:Profile id="xccdf_mil.disa.stig_profile_CAT_I_Only">
|
||
|
<xccdf:title>CAT I Only</xccdf:title>
|
||
|
@@ -2144,14 +2189,15 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230257r792862_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230258r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230259r792864_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230266r792870_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230267r792873_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230268r792876_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230269r792879_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230270r792882_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230266r818816_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230267r818819_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230268r818822_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230269r818825_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230270r818828_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230271r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230272r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230273r743943_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230280r818831_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230281r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230282r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230286r627750_rule" selected="false" />
|
||
|
@@ -2171,7 +2217,7 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230306r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230307r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230308r627750_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230311r792894_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230311r818834_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230313r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230314r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230315r627750_rule" selected="false" />
|
||
|
@@ -2309,21 +2355,21 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230522r792933_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230526r744032_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230527r627750_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230535r792936_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230536r792939_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230537r792942_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230538r792945_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230539r792948_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230540r792951_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230541r792954_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230542r792957_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230543r792960_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230544r792963_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230545r792966_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230546r792969_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230547r792972_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230548r792975_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230549r792978_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230535r818848_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230536r818851_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230537r818854_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230538r818860_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230539r818866_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230540r818872_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230541r818875_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230542r818878_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230543r818881_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230544r818887_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230545r818890_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230546r818893_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230547r818896_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230548r818899_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230549r818902_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230550r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230555r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230556r627750_rule" selected="false" />
|
||
|
@@ -2335,6 +2381,7 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-237641r646893_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-237642r809326_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-237643r809328_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-244554r818905_rule" selected="false" />
|
||
|
</xccdf:Profile>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230221">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
@@ -2356,7 +2403,7 @@ Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise L
|
||
|
<xccdf:fixtext fixref="F-32865r567410_fix">Upgrade to a supported version of RHEL 8.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32865r567410_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:100" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:100" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2392,7 +2439,7 @@ $ sudo fips-mode-setup --enable
|
||
|
Reboot the system for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32867r567416_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:101" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:101" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2422,7 +2469,7 @@ Edit/Modify the following line in the "/etc/login.defs" file and set "[ENCRYPT_M
|
||
|
ENCRYPT_METHOD SHA512</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32875r567440_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:103" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:103" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2446,7 +2493,7 @@ Passwords need to be protected at all times, and encryption is the standard meth
|
||
|
<xccdf:fixtext fixref="F-32876r567443_fix">Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32876r567443_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:104" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:104" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2474,7 +2521,7 @@ Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_
|
||
|
SHA_CRYPT_MIN_ROUNDS 5000</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32877r809272_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:105" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:105" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2502,7 +2549,7 @@ Enter password:
|
||
|
Confirm password:</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32878r743921_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:106" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:106" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2530,7 +2577,7 @@ Enter password:
|
||
|
Confirm password:</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32879r743924_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:107" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:107" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2554,7 +2601,7 @@ Confirm password:</xccdf:fixtext>
|
||
|
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32880r743927_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:108" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:108" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2584,7 +2631,7 @@ Edit/modify the following line in the "/etc/pam.d/password-auth" file to include
|
||
|
password sufficient pam_unix.so sha512</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32881r809275_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:109" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:109" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2614,7 +2661,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access
|
||
|
Remove any files with the .keytab extension from the operating system.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32882r567461_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:110" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:110" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2644,7 +2691,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access
|
||
|
$ sudo yum remove krb5-workstation</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32883r567464_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:111" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:111" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2670,7 +2717,7 @@ Policycoreutils contains the policy core utilities that are required for basic o
|
||
|
$ sudo yum install policycoreutils</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32885r567470_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:112" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:112" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2706,7 +2753,7 @@ In order for the changes to take effect, the SSH daemon must be restarted.
|
||
|
$ sudo systemctl restart sshd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32888r743933_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:115" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:115" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2732,7 +2779,7 @@ The structure and content of error messages must be carefully considered by the
|
||
|
$ sudo chmod 0640 /var/log/messages</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32889r567482_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:116" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:116" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2758,7 +2805,7 @@ The structure and content of error messages must be carefully considered by the
|
||
|
$ sudo chown root /var/log/messages</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32890r567485_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:117" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:117" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2784,7 +2831,7 @@ The structure and content of error messages must be carefully considered by the
|
||
|
$ sudo chgrp root /var/log/messages</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32891r567488_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:118" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:118" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2810,7 +2857,7 @@ The structure and content of error messages must be carefully considered by the
|
||
|
$ sudo chmod 0755 /var/log</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32892r567491_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:119" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:119" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2836,7 +2883,7 @@ The structure and content of error messages must be carefully considered by the
|
||
|
$ sudo chown root /var/log</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32893r567494_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:120" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:120" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2862,7 +2909,7 @@ The structure and content of error messages must be carefully considered by the
|
||
|
$ sudo chgrp root /var/log</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32894r567497_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:121" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:121" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2892,7 +2939,7 @@ SSH_USE_STRONG_RNG=32
|
||
|
The SSH service must be restarted for changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32897r567506_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:122" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:122" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2930,7 +2977,7 @@ DTLS.MinProtocol = DTLSv1.2
|
||
|
A reboot is required for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32899r809381_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:123" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:123" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2958,7 +3005,7 @@ Run the following command, replacing "[FILE]" with any system command with a mod
|
||
|
$ sudo chmod 755 [FILE]</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32901r792861_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:124" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:124" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2986,7 +3033,7 @@ Run the following command, replacing "[FILE]" with any system command file not o
|
||
|
$ sudo chown root [FILE]</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32902r567521_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:125" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:125" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3014,7 +3061,7 @@ Run the following command, replacing "[FILE]" with any system command file not g
|
||
|
$ sudo chgrp root [FILE]</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32903r567524_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:126" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:126" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3042,7 +3089,7 @@ Verifying the authenticity of the software prior to installation validates the i
|
||
|
gpgcheck=1</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32908r567539_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:130" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:130" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3072,14 +3119,14 @@ Set the "localpkg_gpgcheck" option to "True" in the "/etc/dnf/dnf.conf" file:
|
||
|
localpkg_gpgcheck=True</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32909r567542_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:131" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:131" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230266">
|
||
|
<xccdf:title>SRG-OS-000366-GPOS-00153</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230266r792870_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230266r818816_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-010372</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must prevent the loading of a new kernel for later execution.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
|
||
|
@@ -3092,8 +3139,7 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
<xccdf:reference>
|
||
|
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
|
||
|
<dc:publisher>DISA</dc:publisher>
|
||
|
@@ -3102,25 +3148,25 @@ Based on the information above, if a configuration file that begins with "99-" i
|
||
|
<dc:identifier>2921</dc:identifier>
|
||
|
</xccdf:reference>
|
||
|
<xccdf:ident system="http://cyber.mil/cci">CCI-001749</xccdf:ident>
|
||
|
- <xccdf:fixtext fixref="F-32910r792869_fix">Configure the operating system to disable kernel image loading.
|
||
|
+ <xccdf:fixtext fixref="F-32910r818815_fix">Configure the operating system to disable kernel image loading.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
kernel.kexec_load_disabled = 1
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
- <xccdf:fix id="F-32910r792869_fix" />
|
||
|
+ <xccdf:fix id="F-32910r818815_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:132" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:132" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
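Review bot: The updated fixtext on the new side drops the "which begins with 99-" guidance, but the description still states that the lexicographically latest filename wins, so a drop-in that sorts after the administrator's file (or an entry in /etc/sysctl.conf, depending on which loader applies the files) can silently reset kernel.kexec_load_disabled to 0 and leave the control looking satisfied. Any content derived from this rule should therefore verify the effective value rather than only the presence of a line, e.g. `sysctl kernel.kexec_load_disabled` together with `grep -r kexec_load_disabled /etc/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d /usr/lib/sysctl.d /lib/sysctl.d /etc/sysctl.conf` to surface a conflicting later entry. Note also that the check-content-ref href now points at the V1R5 OVAL benchmark although the file is being renamed to v1r6; presumably DISA's SCAP content lags the manual STIG, but this is worth confirming against the upstream release so the reference is not a partial merge.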
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230267">
|
||
|
<xccdf:title>SRG-OS-000312-GPOS-00122</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230267r792873_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230267r818819_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-010373</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
|
||
|
@@ -3137,8 +3183,6 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/lib/sysctl.d/*.conf
|
||
|
/etc/sysctl.conf
|
||
|
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.
|
||
|
-
|
||
|
Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
<xccdf:reference>
|
||
|
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
|
||
|
@@ -3148,25 +3192,25 @@ Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPO
|
||
|
<dc:identifier>2921</dc:identifier>
|
||
|
</xccdf:reference>
|
||
|
<xccdf:ident system="http://cyber.mil/cci">CCI-002165</xccdf:ident>
|
||
|
- <xccdf:fixtext fixref="F-32911r792872_fix">Configure the operating system to enable DAC on symlinks.
|
||
|
+ <xccdf:fixtext fixref="F-32911r818818_fix">Configure the operating system to enable DAC on symlinks.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
fs.protected_symlinks = 1
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
- <xccdf:fix id="F-32911r792872_fix" />
|
||
|
+ <xccdf:fix id="F-32911r818818_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:133" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:133" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230268">
|
||
|
<xccdf:title>SRG-OS-000312-GPOS-00122</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230268r792876_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230268r818822_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-010374</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
|
||
|
@@ -3183,8 +3227,6 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/lib/sysctl.d/*.conf
|
||
|
/etc/sysctl.conf
|
||
|
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.
|
||
|
-
|
||
|
Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
<xccdf:reference>
|
||
|
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
|
||
|
@@ -3194,25 +3236,25 @@ Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPO
|
||
|
<dc:identifier>2921</dc:identifier>
|
||
|
</xccdf:reference>
|
||
|
<xccdf:ident system="http://cyber.mil/cci">CCI-002165</xccdf:ident>
|
||
|
- <xccdf:fixtext fixref="F-32912r792875_fix">Configure the operating system to enable DAC on hardlinks.
|
||
|
+ <xccdf:fixtext fixref="F-32912r818821_fix">Configure the operating system to enable DAC on hardlinks.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
fs.protected_hardlinks = 1
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
- <xccdf:fix id="F-32912r792875_fix" />
|
||
|
+ <xccdf:fix id="F-32912r818821_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:134" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:134" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230269">
|
||
|
<xccdf:title>SRG-OS-000138-GPOS-00069</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230269r792879_rule" weight="10.0" severity="low">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230269r818825_rule" weight="10.0" severity="low">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-010375</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must restrict access to the kernel message buffer.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
|
||
|
@@ -3229,9 +3271,7 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
<xccdf:reference>
|
||
|
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
|
||
|
<dc:publisher>DISA</dc:publisher>
|
||
|
@@ -3240,25 +3280,25 @@ Based on the information above, if a configuration file that begins with "99-" i
|
||
|
<dc:identifier>2921</dc:identifier>
|
||
|
</xccdf:reference>
|
||
|
<xccdf:ident system="http://cyber.mil/cci">CCI-001090</xccdf:ident>
|
||
|
- <xccdf:fixtext fixref="F-32913r792878_fix">Configure the operating system to restrict access to the kernel message buffer.
|
||
|
+ <xccdf:fixtext fixref="F-32913r818824_fix">Configure the operating system to restrict access to the kernel message buffer.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
kernel.dmesg_restrict = 1
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
- <xccdf:fix id="F-32913r792878_fix" />
|
||
|
+ <xccdf:fix id="F-32913r818824_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:135" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:135" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230270">
|
||
|
<xccdf:title>SRG-OS-000138-GPOS-00069</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230270r792882_rule" weight="10.0" severity="low">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230270r818828_rule" weight="10.0" severity="low">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-010376</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must prevent kernel profiling by unprivileged users.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
|
||
|
@@ -3275,9 +3315,7 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
<xccdf:reference>
|
||
|
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
|
||
|
<dc:publisher>DISA</dc:publisher>
|
||
|
@@ -3286,18 +3324,18 @@ Based on the information above, if a configuration file that begins with "99-" i
|
||
|
<dc:identifier>2921</dc:identifier>
|
||
|
</xccdf:reference>
|
||
|
<xccdf:ident system="http://cyber.mil/cci">CCI-001090</xccdf:ident>
|
||
|
- <xccdf:fixtext fixref="F-32914r792881_fix">Configure the operating system to prevent kernel profiling by unprivileged users.
|
||
|
+ <xccdf:fixtext fixref="F-32914r818827_fix">Configure the operating system to prevent kernel profiling by unprivileged users.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
kernel.perf_event_paranoid = 2
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
- <xccdf:fix id="F-32914r792881_fix" />
|
||
|
+ <xccdf:fix id="F-32914r818827_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:136" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:136" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3323,7 +3361,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO
|
||
|
<xccdf:fixtext fixref="F-32915r567560_fix">Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32915r567560_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:137" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:137" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3349,7 +3387,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO
|
||
|
<xccdf:fixtext fixref="F-32916r567563_fix">Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32916r567563_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:138" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:138" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3381,7 +3419,47 @@ This requirement only applies to components where this is specific to the functi
|
||
|
$ sudo yum install openssl-pkcs11</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32917r743942_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:139" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:139" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ </xccdf:check>
|
||
|
+ </xccdf:Rule>
|
||
|
+ </xccdf:Group>
|
||
|
+ <xccdf:Group id="xccdf_mil.disa.stig_group_V-230280">
|
||
|
+ <xccdf:title>SRG-OS-000433-GPOS-00193</xccdf:title>
|
||
|
+ <xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230280r818831_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-010430</xccdf:version>
|
||
|
+ <xccdf:title>RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.</xccdf:title>
|
||
|
+ <xccdf:description><VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
|
||
|
+
|
||
|
+Examples of attacks are buffer overflow attacks.
|
||
|
+
|
||
|
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
+/etc/sysctl.d/*.conf
|
||
|
+/run/sysctl.d/*.conf
|
||
|
+/usr/local/lib/sysctl.d/*.conf
|
||
|
+/usr/lib/sysctl.d/*.conf
|
||
|
+/lib/sysctl.d/*.conf
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
+ <xccdf:reference>
|
||
|
+ <dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
|
||
|
+ <dc:publisher>DISA</dc:publisher>
|
||
|
+ <dc:type>DPMS Target</dc:type>
|
||
|
+ <dc:subject>Red Hat Enterprise Linux 8</dc:subject>
|
||
|
+ <dc:identifier>2921</dc:identifier>
|
||
|
+ </xccdf:reference>
|
||
|
+ <xccdf:ident system="http://cyber.mil/cci">CCI-002824</xccdf:ident>
|
||
|
+ <xccdf:fixtext fixref="F-32924r818830_fix">Configure the operating system to implement virtual address space randomization.
|
||
|
+
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
+
|
||
|
+kernel.randomize_va_space=2
|
||
|
+
|
||
|
+Issue the following command to make the changes take effect:
|
||
|
+
|
||
|
+$ sudo sysctl --system</xccdf:fixtext>
|
||
|
+ <xccdf:fix id="F-32924r818830_fix" />
|
||
|
+ <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:144" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
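Review bot: The new V-230280 fixtext writes `kernel.randomize_va_space=2` without spaces around `=`, while the sibling sysctl rules in this file write `kernel.kexec_load_disabled = 1`; sysctl accepts both, but if the derived check or remediation matches the configured line with a regex, confirm it tolerates both spellings so a correctly hardened host is not reported as failing. The fixtext only says to add the line and run `sysctl --system`, yet the description itself notes that a later-sorted file overrides earlier ones, so a practitioner should confirm the live value with `sysctl kernel.randomize_va_space` and check that none of the listed files sets a lower value; the rule requires 2 rather than 1, since 1 is the weaker setting that, as far as I recall from the kernel sysctl documentation, leaves the brk area unrandomized. The check-content-ref for this rule also references the V1R5 OVAL file, consistent with the rest of the diff, so the same upstream-consistency confirmation applies here.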
|
||
|
@@ -3407,7 +3485,7 @@ Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.con
|
||
|
clean_requirements_on_remove=True</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32925r567590_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:145" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:145" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3437,7 +3515,7 @@ SELINUXTYPE=targeted
|
||
|
A reboot is required for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32926r567593_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:146" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:146" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3461,7 +3539,7 @@ A reboot is required for the changes to take effect.</xccdf:fixtext>
|
||
|
$ sudo rm /etc/ssh/shosts.equiv</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32927r567596_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:147" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:147" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3485,7 +3563,7 @@ $ sudo rm /etc/ssh/shosts.equiv</xccdf:fixtext>
|
||
|
$ sudo rm /[path]/[to]/[file]/.shosts</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32928r567599_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:148" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:148" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3513,7 +3591,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
|
||
|
$ sudo systemctl restart sshd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32930r567605_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:149" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:149" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3541,7 +3619,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
|
||
|
$ sudo systemctl restart sshd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32931r743950_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:150" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:150" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3569,7 +3647,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
|
||
|
$ sudo systemctl restart sshd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32932r567611_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:151" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:151" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3595,7 +3673,7 @@ Compression no
|
||
|
The SSH service must be restarted for changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32933r743953_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:152" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:152" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3625,7 +3703,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
|
||
|
$ sudo systemctl restart sshd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32934r567617_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:153" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:153" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3655,7 +3733,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
|
||
|
$ sudo systemctl restart sshd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32935r743956_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:154" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:154" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3677,7 +3755,7 @@ $ sudo systemctl restart sshd.service</xccdf:fixtext>
|
||
|
<xccdf:fixtext fixref="F-32936r567623_fix">Migrate the "/var" path onto a separate file system.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32936r567623_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:155" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:155" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3699,7 +3777,7 @@ $ sudo systemctl restart sshd.service</xccdf:fixtext>
|
||
|
<xccdf:fixtext fixref="F-32937r567626_fix">Migrate the "/var/log" path onto a separate file system.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32937r567626_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:156" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:156" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3721,7 +3799,7 @@ $ sudo systemctl restart sshd.service</xccdf:fixtext>
|
||
|
<xccdf:fixtext fixref="F-32938r567629_fix">Migrate the system audit data path onto a separate file system.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32938r567629_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:157" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:157" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3743,7 +3821,7 @@ $ sudo systemctl restart sshd.service</xccdf:fixtext>
|
||
|
<xccdf:fixtext fixref="F-32939r567632_fix">Migrate the "/tmp" directory onto a separate file system/partition.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32939r567632_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:158" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:158" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3773,7 +3851,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
|
||
|
$ sudo systemctl restart sshd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32940r567635_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:159" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:159" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3801,7 +3879,7 @@ $ sudo systemctl start rsyslog.service
|
||
|
$ sudo systemctl enable rsyslog.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32942r567641_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:161" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:161" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3823,7 +3901,7 @@ $ sudo systemctl enable rsyslog.service</xccdf:fixtext>
|
||
|
<xccdf:fixtext fixref="F-32944r567647_fix">Configure the "/etc/fstab" to use the "nosuid" option on the /boot directory.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32944r567647_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:162" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:162" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3845,7 +3923,7 @@ $ sudo systemctl enable rsyslog.service</xccdf:fixtext>
|
||
|
<xccdf:fixtext fixref="F-32945r567650_fix">Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32945r567650_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:163" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:163" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3867,7 +3945,7 @@ $ sudo systemctl enable rsyslog.service</xccdf:fixtext>
|
||
|
<xccdf:fixtext fixref="F-32950r567665_fix">Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32950r567665_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:165" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:165" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3889,7 +3967,7 @@ $ sudo systemctl enable rsyslog.service</xccdf:fixtext>
|
||
|
<xccdf:fixtext fixref="F-32951r567668_fix">Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32951r567668_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:166" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:166" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3911,14 +3989,14 @@ $ sudo systemctl enable rsyslog.service</xccdf:fixtext>
|
||
|
<xccdf:fixtext fixref="F-32952r567671_fix">Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32952r567671_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:167" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:167" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230311">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230311r792894_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230311r818834_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-010671</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must disable the kernel.core_pattern.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
@@ -3929,9 +4007,7 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
<xccdf:reference>
|
||
|
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
|
||
|
<dc:publisher>DISA</dc:publisher>
|
||
|
@@ -3940,18 +4016,18 @@ Based on the information above, if a configuration file that begins with "99-" i
|
||
|
<dc:identifier>2921</dc:identifier>
|
||
|
</xccdf:reference>
|
||
|
<xccdf:ident system="http://cyber.mil/cci">CCI-000366</xccdf:ident>
|
||
|
- <xccdf:fixtext fixref="F-32955r792893_fix">Configure RHEL 8 to disable storing core dumps.
|
||
|
+ <xccdf:fixtext fixref="F-32955r818833_fix">Configure RHEL 8 to disable storing core dumps.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
kernel.core_pattern = |/bin/false
|
||
|
|
||
|
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
|
||
|
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
- <xccdf:fix id="F-32955r792893_fix" />
|
||
|
+ <xccdf:fix id="F-32955r818833_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:168" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:168" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
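Review bot: The revised fixtext line `+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:` drops the "99-" precedence advice without replacing it with any warning that `sysctl --system` applies drop-ins in lexical order and reads /etc/sysctl.conf last, so a conflicting `kernel.core_pattern` in a later-sorted drop-in or in /etc/sysctl.conf would silently win over the line the fix adds; the read-order list kept in the rule's VulnDiscussion in the hunk above is now left without the conclusion it was supporting. Since this file is a verbatim copy of DISA's V1R6 manual benchmark it should not be edited here; the caveat belongs in this project's own kernel.core_pattern rule text, and that rule's check should compare the effective value (`sysctl kernel.core_pattern`) rather than only grep for the line under /etc/sysctl.d — that rule is not visible in this diff, so treat this as something to confirm. Separately, the rule id moved to `SV-230311r818834_rule` while the `check-content-ref` for `oval:mil.disa.stig.rhel8:def:168` is still bound to `U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml`; if that V1R5 OVAL definition still encodes the 99- file requirement, automated and manual results for this rule could diverge until the SCAP content catches up, which is worth verifying. The enclosing xccdf:Rule element begins in the earlier hunk.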
|
||
|
@@ -3979,7 +4055,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con
|
||
|
* hard core 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32957r619861_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:169" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:169" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4007,7 +4083,7 @@ Add or modify the following line in /etc/systemd/coredump.conf:
|
||
|
Storage=none</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32958r567689_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:170" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:170" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4035,7 +4111,7 @@ Add or modify the following line in /etc/systemd/coredump.conf:
|
||
|
ProcessSizeMax=0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32959r567692_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:171" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:171" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4059,7 +4135,7 @@ ProcessSizeMax=0</xccdf:fixtext>
|
||
|
CREATE_HOME yes</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32968r567719_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:177" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:177" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4089,7 +4165,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
|
||
|
$ sudo systemctl restart sshd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32974r567737_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:179" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:179" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4127,7 +4203,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart
|
||
|
$ sudo systemctl restart sssd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32976r567743_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:180" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:180" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4159,7 +4235,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line:
|
||
|
deny = 3</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32977r743965_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:181" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:181" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4197,7 +4273,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart
|
||
|
$ sudo systemctl restart sssd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32978r567749_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:182" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:182" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4229,7 +4305,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line:
|
||
|
fail_interval = 900</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32979r743968_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:183" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:183" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4267,7 +4343,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart
|
||
|
$ sudo systemctl restart sssd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32980r567755_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:184" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:184" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4299,7 +4375,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line:
|
||
|
unlock_time = 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32981r743971_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:185" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:185" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4337,7 +4413,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart
|
||
|
$ sudo systemctl restart sssd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32984r567767_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:186" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:186" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4369,7 +4445,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line:
|
||
|
silent</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32985r743977_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:187" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:187" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4409,7 +4485,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart
|
||
|
$ sudo systemctl restart sssd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32986r567773_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:188" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:188" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4441,7 +4517,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line:
|
||
|
audit</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32987r743980_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:189" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:189" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4481,7 +4557,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart
|
||
|
$ sudo systemctl restart sssd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32988r567779_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:190" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:190" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4513,7 +4589,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line:
|
||
|
even_deny_root</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32989r743983_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:191" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:191" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4541,7 +4617,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con
|
||
|
* hard maxlogins 10</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32990r619863_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:192" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:192" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4573,7 +4649,7 @@ Create a global configuration file "/etc/tmux.conf" and add the following line:
|
||
|
set -g lock-command vlock</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32992r743986_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:193" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:193" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4609,7 +4685,7 @@ fi
|
||
|
This setting will take effect at next logon.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32993r809283_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:194" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:194" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4637,7 +4713,7 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion
|
||
|
<xccdf:fixtext fixref="F-32994r567797_fix">Configure the operating system to prevent users from disabling the tmux terminal multiplexer by editing the "/etc/shells" configuration file to remove any instances of tmux.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32994r567797_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:195" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:195" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4667,7 +4743,7 @@ Add the following line to the "/etc/pam.d/password-auth" file (or modify the lin
|
||
|
password required pam_pwquality.so</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33000r809286_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:196" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:196" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4697,7 +4773,7 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha
|
||
|
ucredit = -1</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33001r567818_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:197" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:197" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4727,7 +4803,7 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha
|
||
|
lcredit = -1</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33002r567821_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:198" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:198" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4757,7 +4833,7 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha
|
||
|
dcredit = -1</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33003r567824_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:199" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:199" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4787,7 +4863,7 @@ Add the following line to "/etc/security/pwquality.conf" conf (or modify the lin
|
||
|
maxclassrepeat = 4</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33004r567827_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:200" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:200" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4817,7 +4893,7 @@ Add the following line to "/etc/security/pwquality.conf conf" (or modify the lin
|
||
|
maxrepeat = 3</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33005r567830_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:201" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:201" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4847,7 +4923,7 @@ Add the following line to "/etc/security/pwquality.conf conf" (or modify the lin
|
||
|
minclass = 4</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33006r567833_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:202" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:202" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4877,7 +4953,7 @@ Add the following line to "/etc/security/pwquality.conf" (or modify the line to
|
||
|
difok = 8</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33007r567836_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:203" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:203" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4901,7 +4977,7 @@ difok = 8</xccdf:fixtext>
|
||
|
$ sudo chage -m 1 [user]</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33008r567839_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:204" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:204" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4927,7 +5003,7 @@ Add the following line in "/etc/login.defs" (or modify the line to have the requ
PASS_MIN_DAYS 1</xccdf:fixtext>
<xccdf:fix id="F-33009r567842_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:205" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:205" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -4953,7 +5029,7 @@ Add, or modify the following line in the "/etc/login.defs" file:
PASS_MAX_DAYS 60</xccdf:fixtext>
<xccdf:fix id="F-33010r567845_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:206" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:206" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -4977,7 +5053,7 @@ PASS_MAX_DAYS 60</xccdf:fixtext>
$ sudo chage -M 60 [user]</xccdf:fixtext>
<xccdf:fix id="F-33011r567848_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:207" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:207" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5009,7 +5085,7 @@ Add the following line in "/etc/pam.d/password-auth" (or modify the line to have
password required pam_pwhistory.so use_authtok remember=5 retry=3</xccdf:fixtext>
<xccdf:fix id="F-33012r809291_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:208" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:208" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5043,7 +5119,7 @@ Add the following line to "/etc/security/pwquality.conf" (or modify the line to
minlen = 15</xccdf:fixtext>
<xccdf:fix id="F-33013r567854_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:209" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:209" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5073,7 +5149,7 @@ Add, or modify the following line in the "/etc/login.defs" file:
PASS_MIN_LEN 15</xccdf:fixtext>
<xccdf:fix id="F-33014r567857_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:210" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:210" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5103,7 +5179,7 @@ $ sudo useradd -D -f 35
DoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires.</xccdf:fixtext>
<xccdf:fix id="F-33017r567866_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:211" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:211" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5133,7 +5209,7 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha
ocredit = -1</xccdf:fixtext>
<xccdf:fix id="F-33019r567872_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:212" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:212" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5159,7 +5235,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a
dictcheck=1</xccdf:fixtext>
<xccdf:fix id="F-33021r567878_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:214" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:214" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5187,7 +5263,7 @@ Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or gr
FAIL_DELAY 4</xccdf:fixtext>
<xccdf:fix id="F-33022r567881_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:215" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:215" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5215,7 +5291,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
$ sudo systemctl restart sshd.service</xccdf:fixtext>
<xccdf:fix id="F-33024r743992_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:216" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:216" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5243,7 +5319,7 @@ PrintLastLog yes
The SSH service must be restarted for changes to "sshd_config" to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33026r567893_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:218" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:218" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5269,7 +5345,7 @@ Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077
UMASK 077</xccdf:fixtext>
<xccdf:fix id="F-33027r567896_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:219" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:219" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5303,7 +5379,7 @@ Add or update the following file system rules to "/etc/audit/rules.d/audit.rules
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33030r567905_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:220" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:220" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5333,7 +5409,7 @@ Edit the following line in "/etc/audit/auditd.conf" to ensure that administrator
action_mail_acct = root</xccdf:fixtext>
<xccdf:fix id="F-33032r567911_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:222" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:222" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5365,7 +5441,7 @@ disk_error_action = HALT
If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG".</xccdf:fixtext>
<xccdf:fix id="F-33034r567917_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:223" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:223" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5399,7 +5475,7 @@ disk_full_action = HALT
If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG".</xccdf:fixtext>
<xccdf:fix id="F-33036r567923_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:225" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:225" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5427,7 +5503,7 @@ Add or update the following line in "/etc/audit/auditd.conf" file:
local_events = yes</xccdf:fixtext>
<xccdf:fix id="F-33037r567926_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:226" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:226" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5459,7 +5535,7 @@ name_format = hostname
The audit daemon must be restarted for changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33038r567929_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:227" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:227" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5489,7 +5565,7 @@ log_format = ENRICHED
The audit daemon must be restarted for changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33039r567932_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:228" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:228" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5517,7 +5593,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO
log_group = root</xccdf:fixtext>
<xccdf:fix id="F-33040r567935_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:229" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:229" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5547,7 +5623,7 @@ $ sudo chown root [audit_log_file]
Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log".</xccdf:fixtext>
<xccdf:fix id="F-33041r567938_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:230" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:230" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5575,7 +5651,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO
log_group = root</xccdf:fixtext>
<xccdf:fix id="F-33042r567941_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:231" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:231" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5605,7 +5681,7 @@ $ sudo chown root [audit_log_directory]
Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit".</xccdf:fixtext>
<xccdf:fix id="F-33043r567944_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:232" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:232" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5635,7 +5711,7 @@ $ sudo chgrp root [audit_log_directory]
Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit".</xccdf:fixtext>
<xccdf:fix id="F-33044r567947_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:233" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:233" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5665,7 +5741,7 @@ $ sudo chmod 0700 [audit_log_directory]
Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit".</xccdf:fixtext>
<xccdf:fix id="F-33045r567950_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:234" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:234" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5697,7 +5773,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO
Note: Once set, the system must be rebooted for auditing to be changed. It is recommended to add this option as the last step in securing the system.</xccdf:fixtext>
<xccdf:fix id="F-33046r567953_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:235" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:235" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5727,7 +5803,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO
--loginuid-immutable</xccdf:fixtext>
<xccdf:fix id="F-33047r567956_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:236" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:236" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5759,7 +5835,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules"
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33048r567959_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:237" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:237" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5791,7 +5867,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules"
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33049r567962_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:238" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:238" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5823,7 +5899,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules"
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33050r567965_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:239" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:239" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5855,7 +5931,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules"
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33051r567968_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:240" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:240" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5887,7 +5963,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules"
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33052r567971_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:241" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:241" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5919,7 +5995,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules"
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33053r567974_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:242" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:242" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5951,7 +6027,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules"
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33054r567977_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:243" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:243" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -5983,7 +6059,7 @@ Install the audit service (if the audit service is not already installed) with t
$ sudo yum install audit</xccdf:fixtext>
<xccdf:fix id="F-33055r646880_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:244" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:244" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6015,7 +6091,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33056r567983_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:245" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:245" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6060,7 +6136,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33057r809294_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:246" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:246" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6092,7 +6168,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33062r568001_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:251" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:251" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6124,7 +6200,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33063r568004_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:252" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:252" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6156,7 +6232,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33065r568010_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:254" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:254" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6188,7 +6264,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33066r568013_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:255" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:255" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6220,7 +6296,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33067r568016_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:256" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:256" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6252,7 +6328,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33068r568019_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:257" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:257" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6285,7 +6361,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33069r568022_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:258" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:258" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6317,7 +6393,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33070r568025_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:259" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:259" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6349,7 +6425,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33071r568028_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:260" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:260" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6381,7 +6457,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33072r568031_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:261" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:261" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6413,7 +6489,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33073r568034_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:262" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:262" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6445,7 +6521,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33074r568037_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:263" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:263" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6477,7 +6553,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33075r568040_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:264" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:264" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6509,7 +6585,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33076r568043_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:265" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:265" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6541,7 +6617,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33077r568046_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:266" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:266" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6573,7 +6649,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33078r744001_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:267" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:267" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6605,7 +6681,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33079r568052_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:268" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:268" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6637,7 +6713,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33080r568055_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:269" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:269" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6669,7 +6745,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33081r568058_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:270" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:270" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6704,7 +6780,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33082r810448_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:271" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:271" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6744,7 +6820,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33083r809301_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:272" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:272" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6776,7 +6852,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33088r568079_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:277" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:277" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6809,7 +6885,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33090r568085_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:279" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:279" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6841,7 +6917,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33091r568088_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:280" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:280" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6873,7 +6949,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33092r568091_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:281" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:281" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6916,7 +6992,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33093r809304_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:282" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:282" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6955,7 +7031,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33099r809307_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:288" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:288" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -6993,7 +7069,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33100r809310_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:289" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:289" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7025,7 +7101,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33106r568133_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:295" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:295" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7057,7 +7133,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33107r568136_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:296" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:296" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7089,7 +7165,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33108r568139_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:297" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:297" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7131,7 +7207,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33109r568142_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:298" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:298" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7173,7 +7249,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33111r568148_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:299" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:299" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7199,7 +7275,7 @@ $ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules
$ sudo chmod 0640 /etc/audit/auditd.conf</xccdf:fixtext>
<xccdf:fix id="F-33115r568160_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:303" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:303" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7229,7 +7305,7 @@ $ sudo chmod 0755 [audit_tool]
Replace "[audit_tool]" with the audit tool that does not have the correct permissive mode.</xccdf:fixtext>
<xccdf:fix id="F-33116r568163_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:304" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:304" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7261,7 +7337,7 @@ $ sudo chown root [audit_tool]
Replace "[audit_tool]" with each audit tool not owned by "root".</xccdf:fixtext>
<xccdf:fix id="F-33117r568166_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:305" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:305" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7293,7 +7369,7 @@ $ sudo chgrp root [audit_tool]
Replace "[audit_tool]" with each audit tool not group-owned by "root".</xccdf:fixtext>
<xccdf:fix id="F-33118r568169_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:306" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:306" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7328,7 +7404,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul
$ sudo yum install rsyslog</xccdf:fixtext>
<xccdf:fix id="F-33121r568178_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:412" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:412" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7363,7 +7439,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul
$ sudo yum install rsyslog-gnutls</xccdf:fixtext>
<xccdf:fix id="F-33122r744010_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:307" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:307" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7395,7 +7471,7 @@ overflow_action = syslog
The audit daemon must be restarted for changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33124r568187_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:308" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:308" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7421,7 +7497,7 @@ space_left = 25%
Note: Option names and values in the auditd.conf file are case insensitive.</xccdf:fixtext>
<xccdf:fix id="F-33127r744013_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:309" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:309" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7451,7 +7527,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc
port 0</xccdf:fixtext>
<xccdf:fix id="F-33129r568202_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:310" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:310" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7481,7 +7557,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc
cmdport 0</xccdf:fixtext>
<xccdf:fix id="F-33130r568205_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:311" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:311" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7515,7 +7591,7 @@ If a privileged user were to log on using this service, the privileged user pass
$ sudo yum remove telnet-server</xccdf:fixtext>
<xccdf:fix id="F-33131r568208_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:312" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:312" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7545,7 +7621,7 @@ Verify the operating system is configured to disable non-essential capabilities.
$ sudo yum remove abrt*</xccdf:fixtext>
<xccdf:fix id="F-33132r568211_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:313" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:313" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7575,7 +7651,7 @@ Verify the operating system is configured to disable non-essential capabilities.
$ sudo yum remove sendmail</xccdf:fixtext>
<xccdf:fix id="F-33133r568214_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:314" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:314" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7607,7 +7683,7 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000074-GPOS-00042</VulnDiscussion
$ sudo yum remove rsh-server</xccdf:fixtext>
<xccdf:fix id="F-33136r568223_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:317" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:317" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7640,7 +7716,7 @@ blacklist atm
Reboot the system for the settings to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33138r792910_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:318" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:318" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7673,7 +7749,7 @@ blacklist can
Reboot the system for the settings to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33139r792913_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:319" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:319" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7706,7 +7782,7 @@ blacklist sctp
Reboot the system for the settings to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33140r792916_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:320" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:320" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7739,7 +7815,7 @@ blacklist tipc
Reboot the system for the settings to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33141r792919_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:321" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:321" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7772,7 +7848,7 @@ blacklist cramfs
Reboot the system for the settings to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33142r568241_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:322" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:322" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7803,7 +7879,7 @@ blacklist firewire-core
Reboot the system for the settings to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33143r568244_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:323" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:323" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7834,7 +7910,7 @@ blacklist usb-storage
Reboot the system for the settings to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33147r809318_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:325" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:325" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7866,7 +7942,7 @@ install bluetooth /bin/true
Reboot the system for the settings to take effect.</xccdf:fixtext>
<xccdf:fix id="F-33151r568268_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:326" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:326" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7896,7 +7972,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
<xccdf:fix id="F-33152r568271_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:327" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:327" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7924,7 +8000,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
<xccdf:fix id="F-33153r568274_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:328" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:328" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7954,7 +8030,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
<xccdf:fix id="F-33154r568277_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:329" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:329" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -7984,7 +8060,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
/dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
<xccdf:fix id="F-33155r568280_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:330" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:330" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -8012,7 +8088,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
/dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
<xccdf:fix id="F-33156r568283_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:331" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:331" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -8042,7 +8118,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
/dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
<xccdf:fix id="F-33157r568286_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:332" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:332" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -8072,7 +8148,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
/dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
<xccdf:fix id="F-33158r568289_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:333" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:333" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -8102,7 +8178,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
/dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
<xccdf:fix id="F-33159r568292_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:334" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:334" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -8132,7 +8208,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
/dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33160r568295_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:335" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:335" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8162,7 +8238,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
/dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33161r568298_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:336" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:336" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8192,7 +8268,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
/dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33162r568301_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:337" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:337" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8222,7 +8298,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
/dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33163r568304_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:338" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:338" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8252,7 +8328,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33164r792926_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:339" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:339" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8282,7 +8358,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33165r792929_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:340" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:340" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8312,7 +8388,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33166r792932_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:341" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:341" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8342,7 +8418,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO
|
||
|
$ sudo systemctl enable sshd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33170r744031_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:342" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:342" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8378,7 +8454,7 @@ Restart the SSH daemon for the settings to take effect.
|
||
|
$ sudo systemctl restart sshd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33171r568328_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:343" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:343" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8406,7 +8482,7 @@ Reload the daemon for this change to take effect.
|
||
|
$ sudo systemctl daemon-reload</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33175r619890_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:345" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:345" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8430,7 +8506,7 @@ $ sudo systemctl daemon-reload</xccdf:fixtext>
|
||
|
$ sudo yum remove tftp-server</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33177r568346_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:346" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:346" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8454,14 +8530,14 @@ $ sudo yum remove tftp-server</xccdf:fixtext>
|
||
|
If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33178r568349_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:347" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:347" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230535">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230535r792936_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230535r818848_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040210</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
|
||
|
@@ -8472,9 +8548,7 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
<xccdf:reference>
|
||
|
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
|
||
|
<dc:publisher>DISA</dc:publisher>
|
||
|
@@ -8483,25 +8557,25 @@ Based on the information above, if a configuration file that begins with "99-" i
|
||
|
<dc:identifier>2921</dc:identifier>
|
||
|
</xccdf:reference>
|
||
|
<xccdf:ident system="http://cyber.mil/cci">CCI-000366</xccdf:ident>
|
||
|
- <xccdf:fixtext fixref="F-33179r792935_fix">Configure RHEL 8 to prevent IPv6 ICMP redirect messages from being accepted.
|
||
|
+ <xccdf:fixtext fixref="F-33179r818847_fix">Configure RHEL 8 to prevent IPv6 ICMP redirect messages from being accepted.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
net.ipv6.conf.default.accept_redirects = 0
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
- <xccdf:fix id="F-33179r792935_fix" />
|
||
|
+ <xccdf:fix id="F-33179r818847_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:348" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:348" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230536">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230536r792939_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230536r818851_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040220</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
|
||
|
@@ -8514,9 +8588,7 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
<xccdf:reference>
|
||
|
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
|
||
|
<dc:publisher>DISA</dc:publisher>
|
||
|
@@ -8525,25 +8597,25 @@ Based on the information above, if a configuration file that begins with "99-" i
|
||
|
<dc:identifier>2921</dc:identifier>
|
||
|
</xccdf:reference>
|
||
|
<xccdf:ident system="http://cyber.mil/cci">CCI-000366</xccdf:ident>
|
||
|
- <xccdf:fixtext fixref="F-33180r792938_fix">Configure RHEL 8 to not allow interfaces to perform IPv4 ICMP redirects.
|
||
|
+ <xccdf:fixtext fixref="F-33180r818850_fix">Configure RHEL 8 to not allow interfaces to perform IPv4 ICMP redirects.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
net.ipv4.conf.all.send_redirects=0
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
- <xccdf:fix id="F-33180r792938_fix" />
|
||
|
+ <xccdf:fix id="F-33180r818850_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:349" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:349" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230537">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230537r792942_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230537r818854_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040230</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.
|
||
|
@@ -8555,9 +8627,7 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
<xccdf:reference>
|
||
|
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
|
||
|
<dc:publisher>DISA</dc:publisher>
|
||
|
@@ -8566,25 +8636,25 @@ Based on the information above, if a configuration file that begins with "99-" i
|
||
|
<dc:identifier>2921</dc:identifier>
|
||
|
</xccdf:reference>
|
||
|
<xccdf:ident system="http://cyber.mil/cci">CCI-000366</xccdf:ident>
|
||
|
- <xccdf:fixtext fixref="F-33181r792941_fix">Configure RHEL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address.
|
||
|
+ <xccdf:fixtext fixref="F-33181r818853_fix">Configure RHEL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
net.ipv4.icmp_echo_ignore_broadcasts=1
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
- <xccdf:fix id="F-33181r792941_fix" />
|
||
|
+ <xccdf:fix id="F-33181r818853_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:350" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:350" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230538">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230538r792945_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230538r818860_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040240</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must not forward IPv6 source-routed packets.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
|
||
|
@@ -8595,9 +8665,7 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
<xccdf:reference>
|
||
|
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
|
||
|
<dc:publisher>DISA</dc:publisher>
|
||
|
@@ -8606,25 +8674,25 @@ Based on the information above, if a configuration file that begins with "99-" i
|
||
|
<dc:identifier>2921</dc:identifier>
|
||
|
</xccdf:reference>
|
||
|
<xccdf:ident system="http://cyber.mil/cci">CCI-000366</xccdf:ident>
|
||
|
- <xccdf:fixtext fixref="F-33182r792944_fix">Configure RHEL 8 to not forward IPv6 source-routed packets.
|
||
|
+ <xccdf:fixtext fixref="F-33182r818859_fix">Configure RHEL 8 to not forward IPv6 source-routed packets.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
net.ipv6.conf.all.accept_source_route=0
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
- <xccdf:fix id="F-33182r792944_fix" />
|
||
|
+ <xccdf:fix id="F-33182r818859_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:351" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:351" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230539">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230539r792948_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230539r818866_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040250</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must not forward IPv6 source-routed packets by default.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
|
||
|
@@ -8635,9 +8703,7 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
<xccdf:reference>
|
||
|
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
|
||
|
<dc:publisher>DISA</dc:publisher>
|
||
|
@@ -8646,25 +8712,25 @@ Based on the information above, if a configuration file that begins with "99-" i
|
||
|
<dc:identifier>2921</dc:identifier>
|
||
|
</xccdf:reference>
|
||
|
<xccdf:ident system="http://cyber.mil/cci">CCI-000366</xccdf:ident>
|
||
|
- <xccdf:fixtext fixref="F-33183r792947_fix">Configure RHEL 8 to not forward IPv6 source-routed packets by default.
|
||
|
+ <xccdf:fixtext fixref="F-33183r818865_fix">Configure RHEL 8 to not forward IPv6 source-routed packets by default.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
net.ipv6.conf.default.accept_source_route=0
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
- <xccdf:fix id="F-33183r792947_fix" />
|
||
|
+ <xccdf:fix id="F-33183r818865_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:352" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:352" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230540">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230540r792951_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230540r818872_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040260</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
|
||
|
@@ -8675,9 +8741,7 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
<xccdf:reference>
|
||
|
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
|
||
|
<dc:publisher>DISA</dc:publisher>
|
||
|
@@ -8686,25 +8750,25 @@ Based on the information above, if a configuration file that begins with "99-" i
|
||
|
<dc:identifier>2921</dc:identifier>
|
||
|
</xccdf:reference>
|
||
|
<xccdf:ident system="http://cyber.mil/cci">CCI-000366</xccdf:ident>
|
||
|
- <xccdf:fixtext fixref="F-33184r792950_fix">Configure RHEL 8 to not allow IPv6 packet forwarding, unless the system is a router.
|
||
|
+ <xccdf:fixtext fixref="F-33184r818871_fix">Configure RHEL 8 to not allow IPv6 packet forwarding, unless the system is a router.
|
||
|
|
||
|
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
|
||
|
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
|
||
|
|
||
|
net.ipv6.conf.all.forwarding=0
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
- <xccdf:fix id="F-33184r792950_fix" />
|
||
|
+ <xccdf:fix id="F-33184r818871_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:353" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:353" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230541">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230541r792954_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230541r818875_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040261</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must not accept router advertisements on all IPv6 interfaces.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
|
||
|
@@ -8717,9 +8781,7 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
<xccdf:reference>
|
||
|
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
|
||
|
<dc:publisher>DISA</dc:publisher>
|
||
|
@@ -8728,25 +8790,25 @@ Based on the information above, if a configuration file that begins with "99-" i
<dc:identifier>2921</dc:identifier>
</xccdf:reference>
<xccdf:ident system="http://cyber.mil/cci">CCI-000366</xccdf:ident>
- <xccdf:fixtext fixref="F-33185r792953_fix">Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces unless the system is a router.
+ <xccdf:fixtext fixref="F-33185r818874_fix">Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces unless the system is a router.
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
net.ipv6.conf.all.accept_ra=0
Load settings from all system configuration files with the following command:
$ sudo sysctl --system</xccdf:fixtext>
- <xccdf:fix id="F-33185r792953_fix" />
+ <xccdf:fix id="F-33185r818874_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:354" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:354" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230542">
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230542r792957_rule" weight="10.0" severity="medium">
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230542r818878_rule" weight="10.0" severity="medium">
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040262</xccdf:version>
<xccdf:title>RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.</xccdf:title>
<xccdf:description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
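Review bot: The check-content-ref href is only bumped to U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml while the file itself becomes the V1R6 manual benchmark, so the OVAL definitions referenced lag the rule revisions introduced here by one release; the same applies to every check-content-ref hunk below. If that is what DISA published with the V1R6 manual XCCDF it should be kept as is, but it deserves a check against the upstream archive rather than a local edit, since an accidentally stale href would point automated checks at definitions that predate the rule changes in this commit.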
@@ -8759,9 +8821,7 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
<xccdf:reference>
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
<dc:publisher>DISA</dc:publisher>
@@ -8770,25 +8830,25 @@ Based on the information above, if a configuration file that begins with "99-" i
<dc:identifier>2921</dc:identifier>
</xccdf:reference>
<xccdf:ident system="http://cyber.mil/cci">CCI-000366</xccdf:ident>
- <xccdf:fixtext fixref="F-33186r792956_fix">Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router.
+ <xccdf:fixtext fixref="F-33186r818877_fix">Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router.
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
net.ipv6.conf.default.accept_ra=0
Load settings from all system configuration files with the following command:
$ sudo sysctl --system</xccdf:fixtext>
- <xccdf:fix id="F-33186r792956_fix" />
+ <xccdf:fix id="F-33186r818877_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:355" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:355" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230543">
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230543r792960_rule" weight="10.0" severity="medium">
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230543r818881_rule" weight="10.0" severity="medium">
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040270</xccdf:version>
<xccdf:title>RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.</xccdf:title>
<xccdf:description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
@@ -8801,9 +8861,7 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
<xccdf:reference>
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
<dc:publisher>DISA</dc:publisher>
@@ -8812,25 +8870,25 @@ Based on the information above, if a configuration file that begins with "99-" i
<dc:identifier>2921</dc:identifier>
</xccdf:reference>
<xccdf:ident system="http://cyber.mil/cci">CCI-000366</xccdf:ident>
- <xccdf:fixtext fixref="F-33187r792959_fix">Configure RHEL 8 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.
+ <xccdf:fixtext fixref="F-33187r818880_fix">Configure RHEL 8 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
net.ipv4.conf.default.send_redirects = 0
Load settings from all system configuration files with the following command:
$ sudo sysctl --system</xccdf:fixtext>
- <xccdf:fix id="F-33187r792959_fix" />
+ <xccdf:fix id="F-33187r818880_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:356" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:356" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230544">
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230544r792963_rule" weight="10.0" severity="medium">
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230544r818887_rule" weight="10.0" severity="medium">
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040280</xccdf:version>
<xccdf:title>RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.</xccdf:title>
<xccdf:description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
@@ -8841,9 +8899,7 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
<xccdf:reference>
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
<dc:publisher>DISA</dc:publisher>
@@ -8852,25 +8908,25 @@ Based on the information above, if a configuration file that begins with "99-" i
<dc:identifier>2921</dc:identifier>
</xccdf:reference>
<xccdf:ident system="http://cyber.mil/cci">CCI-000366</xccdf:ident>
- <xccdf:fixtext fixref="F-33188r792962_fix">Configure RHEL 8 to ignore IPv6 ICMP redirect messages.
+ <xccdf:fixtext fixref="F-33188r818886_fix">Configure RHEL 8 to ignore IPv6 ICMP redirect messages.
-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
+Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
net.ipv6.conf.all.accept_redirects = 0
Load settings from all system configuration files with the following command:
$ sudo sysctl --system</xccdf:fixtext>
- <xccdf:fix id="F-33188r792962_fix" />
+ <xccdf:fix id="F-33188r818886_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:357" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:357" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230545">
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230545r792966_rule" weight="10.0" severity="medium">
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230545r818890_rule" weight="10.0" severity="medium">
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040281</xccdf:version>
<xccdf:title>RHEL 8 must disable access to network bpf syscall from unprivileged processes.</xccdf:title>
<xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
@@ -8881,9 +8937,7 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
<xccdf:reference>
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
<dc:publisher>DISA</dc:publisher>
@@ -8892,23 +8946,23 @@ Based on the information above, if a configuration file that begins with "99-" i
<dc:identifier>2921</dc:identifier>
</xccdf:reference>
<xccdf:ident system="http://cyber.mil/cci">CCI-000366</xccdf:ident>
- <xccdf:fixtext fixref="F-33189r792965_fix">Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory:
+ <xccdf:fixtext fixref="F-33189r818889_fix">Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, in the "/etc/sysctl.d" directory:
kernel.unprivileged_bpf_disabled = 1
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
$ sudo sysctl --system</xccdf:fixtext>
- <xccdf:fix id="F-33189r792965_fix" />
+ <xccdf:fix id="F-33189r818889_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:358" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:358" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230546">
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230546r792969_rule" weight="10.0" severity="medium">
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230546r818893_rule" weight="10.0" severity="medium">
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040282</xccdf:version>
<xccdf:title>RHEL 8 must restrict usage of ptrace to descendant processes.</xccdf:title>
<xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
@@ -8919,9 +8973,7 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
<xccdf:reference>
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
<dc:publisher>DISA</dc:publisher>
@@ -8930,23 +8982,23 @@ Based on the information above, if a configuration file that begins with "99-" i
<dc:identifier>2921</dc:identifier>
</xccdf:reference>
<xccdf:ident system="http://cyber.mil/cci">CCI-000366</xccdf:ident>
- <xccdf:fixtext fixref="F-33190r792968_fix">Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory:
+ <xccdf:fixtext fixref="F-33190r818892_fix">Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a file, in the "/etc/sysctl.d" directory:
kernel.yama.ptrace_scope = 1
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
$ sudo sysctl --system</xccdf:fixtext>
- <xccdf:fix id="F-33190r792968_fix" />
+ <xccdf:fix id="F-33190r818892_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:359" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:359" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230547">
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230547r792972_rule" weight="10.0" severity="medium">
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230547r818896_rule" weight="10.0" severity="medium">
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040283</xccdf:version>
<xccdf:title>RHEL 8 must restrict exposed kernel pointer addresses access.</xccdf:title>
<xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
@@ -8957,9 +9009,7 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
<xccdf:reference>
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
<dc:publisher>DISA</dc:publisher>
@@ -8968,23 +9018,23 @@ Based on the information above, if a configuration file that begins with "99-" i
<dc:identifier>2921</dc:identifier>
</xccdf:reference>
<xccdf:ident system="http://cyber.mil/cci">CCI-000366</xccdf:ident>
- <xccdf:fixtext fixref="F-33191r792971_fix">Configure RHEL 8 to restrict exposed kernel pointer addresses access by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory:
+ <xccdf:fixtext fixref="F-33191r818895_fix">Configure RHEL 8 to restrict exposed kernel pointer addresses access by adding the following line to a file, in the "/etc/sysctl.d" directory:
kernel.kptr_restrict = 1
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
$ sudo sysctl --system</xccdf:fixtext>
- <xccdf:fix id="F-33191r792971_fix" />
+ <xccdf:fix id="F-33191r818895_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:360" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:360" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230548">
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230548r792975_rule" weight="10.0" severity="medium">
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230548r818899_rule" weight="10.0" severity="medium">
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040284</xccdf:version>
<xccdf:title>RHEL 8 must disable the use of user namespaces.</xccdf:title>
<xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
@@ -8995,9 +9045,7 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
<xccdf:reference>
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
<dc:publisher>DISA</dc:publisher>
@@ -9006,7 +9054,7 @@ Based on the information above, if a configuration file that begins with "99-" i
<dc:identifier>2921</dc:identifier>
</xccdf:reference>
<xccdf:ident system="http://cyber.mil/cci">CCI-000366</xccdf:ident>
- <xccdf:fixtext fixref="F-33192r792974_fix">Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory:
+ <xccdf:fixtext fixref="F-33192r818898_fix">Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory:
Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.
@@ -9015,16 +9063,16 @@ user.max_user_namespaces = 0
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
$ sudo sysctl --system</xccdf:fixtext>
- <xccdf:fix id="F-33192r792974_fix" />
+ <xccdf:fix id="F-33192r818898_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:361" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:361" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230549">
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230549r792978_rule" weight="10.0" severity="medium">
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230549r818902_rule" weight="10.0" severity="medium">
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040285</xccdf:version>
<xccdf:title>RHEL 8 must use reverse path filtering on all IPv4 interfaces.</xccdf:title>
<xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
@@ -9035,9 +9083,7 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
<xccdf:reference>
<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
<dc:publisher>DISA</dc:publisher>
@@ -9046,16 +9092,16 @@ Based on the information above, if a configuration file that begins with "99-" i
<dc:identifier>2921</dc:identifier>
</xccdf:reference>
<xccdf:ident system="http://cyber.mil/cci">CCI-000366</xccdf:ident>
- <xccdf:fixtext fixref="F-33193r792977_fix">Configure RHEL 8 to use reverse path filtering on all IPv4 interfaces by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory:
+ <xccdf:fixtext fixref="F-33193r818901_fix">Configure RHEL 8 to use reverse path filtering on all IPv4 interfaces by adding the following line to a file, in the "/etc/sysctl.d" directory:
net.ipv4.conf.all.rp_filter = 1
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
$ sudo sysctl --system</xccdf:fixtext>
- <xccdf:fix id="F-33193r792977_fix" />
+ <xccdf:fix id="F-33193r818901_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:362" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:362" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -9079,7 +9125,7 @@ $ sudo sysctl --system</xccdf:fixtext>
|
||
|
$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33194r568397_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:363" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:363" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9111,7 +9157,7 @@ The SSH service must be restarted for changes to take effect:
|
||
|
$ sudo systemctl restart sshd</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33199r568412_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:364" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:364" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9137,7 +9183,7 @@ Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Us
|
||
|
X11UseLocalhost yes</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33200r568415_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:365" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:365" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9161,7 +9207,7 @@ X11UseLocalhost yes</xccdf:fixtext>
|
||
|
server_args = -s /var/lib/tftpboot</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33201r568418_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:366" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:366" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9185,7 +9231,7 @@ server_args = -s /var/lib/tftpboot</xccdf:fixtext>
|
||
|
$ sudo yum remove vsftpd</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33202r568421_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:367" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:367" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9213,7 +9259,7 @@ The gssproxy package is a proxy for GSS API credential handling and could expose
|
||
|
$ sudo yum remove gssproxy</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33203r568424_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:368" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:368" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9241,7 +9287,7 @@ The iprutils package provides a suite of utilities to manage and configure SCSI
|
||
|
$ sudo yum remove iprutils</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33204r568427_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:369" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:369" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9269,7 +9315,7 @@ The tuned package contains a daemon that tunes the system settings dynamically.
|
||
|
$ sudo yum remove tuned</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33205r568430_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:370" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:370" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9299,7 +9345,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access
|
||
|
$ sudo yum remove krb5-server</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-40822r646889_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:413" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:413" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9323,7 +9369,7 @@ ALL ALL=(ALL) ALL
|
||
|
ALL ALL=(ALL:ALL) ALL</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-40823r646892_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:414" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:414" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9349,7 +9395,7 @@ Defaults !rootpw
|
||
|
Defaults !runaspw</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-40824r646895_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:415" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:415" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9381,20 +9427,146 @@ Defaults timestamp_timeout=[value]
|
||
|
Note: The "[value]" must be a number that is greater than or equal to "0".</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-40825r646898_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:416" href="U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:416" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ </xccdf:check>
|
||
|
+ </xccdf:Rule>
|
||
|
+ </xccdf:Group>
|
||
|
+ <xccdf:Group id="xccdf_mil.disa.stig_group_V-244540">
|
||
|
+ <xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
+ <xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-244540r743869_rule" weight="10.0" severity="high">
|
||
|
+ <xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-020331</xccdf:version>
|
||
|
+ <xccdf:title>RHEL 8 must not allow blank or null passwords in the system-auth file.</xccdf:title>
|
||
|
+ <xccdf:description><VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
+ <xccdf:reference>
|
||
|
+ <dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
|
||
|
+ <dc:publisher>DISA</dc:publisher>
|
||
|
+ <dc:type>DPMS Target</dc:type>
|
||
|
+ <dc:subject>Red Hat Enterprise Linux 8</dc:subject>
|
||
|
+ <dc:identifier>2921</dc:identifier>
|
||
|
+ </xccdf:reference>
|
||
|
+ <xccdf:ident system="http://cyber.mil/cci">CCI-000366</xccdf:ident>
|
||
|
+ <xccdf:fixtext fixref="F-47772r743868_fix">Remove any instances of the "nullok" option in the "/etc/pam.d/system-auth" file to prevent logons with empty passwords.
|
||
|
+
|
||
|
+Note: Manual changes to the listed file may be overwritten by the "authselect" program.</xccdf:fixtext>
|
||
|
+ <xccdf:fix id="F-47772r743868_fix" />
|
||
|
+ <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:463" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ </xccdf:check>
|
||
|
+ </xccdf:Rule>
|
||
|
+ </xccdf:Group>
|
||
|
+ <xccdf:Group id="xccdf_mil.disa.stig_group_V-244541">
|
||
|
+ <xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
+ <xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-244541r743872_rule" weight="10.0" severity="high">
|
||
|
+ <xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-020332</xccdf:version>
|
||
|
+ <xccdf:title>RHEL 8 must not allow blank or null passwords in the password-auth file.</xccdf:title>
|
||
|
+ <xccdf:description><VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
+ <xccdf:reference>
|
||
|
+ <dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
|
||
|
+ <dc:publisher>DISA</dc:publisher>
|
||
|
+ <dc:type>DPMS Target</dc:type>
|
||
|
+ <dc:subject>Red Hat Enterprise Linux 8</dc:subject>
|
||
|
+ <dc:identifier>2921</dc:identifier>
|
||
|
+ </xccdf:reference>
|
||
|
+ <xccdf:ident system="http://cyber.mil/cci">CCI-000366</xccdf:ident>
|
||
|
+ <xccdf:fixtext fixref="F-47773r743871_fix">Remove any instances of the "nullok" option in the "/etc/pam.d/password-auth" file to prevent logons with empty passwords.
|
||
|
+
|
||
|
+Note: Manual changes to the listed file may be overwritten by the "authselect" program.</xccdf:fixtext>
|
||
|
+ <xccdf:fix id="F-47773r743871_fix" />
|
||
|
+ <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:464" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ </xccdf:check>
|
||
|
+ </xccdf:Rule>
|
||
|
+ </xccdf:Group>
|
||
|
+ <xccdf:Group id="xccdf_mil.disa.stig_group_V-244554">
|
||
|
+ <xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
+ <xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-244554r818905_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040286</xccdf:version>
|
||
|
+ <xccdf:title>RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.</xccdf:title>
|
||
|
+ <xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
+
|
||
|
+Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to "2" enables JIT hardening for all users.
|
||
|
+
|
||
|
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
+/etc/sysctl.d/*.conf
|
||
|
+/run/sysctl.d/*.conf
|
||
|
+/usr/local/lib/sysctl.d/*.conf
|
||
|
+/usr/lib/sysctl.d/*.conf
|
||
|
+/lib/sysctl.d/*.conf
|
||
|
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
+ <xccdf:reference>
|
||
|
+ <dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
|
||
|
+ <dc:publisher>DISA</dc:publisher>
|
||
|
+ <dc:type>DPMS Target</dc:type>
|
||
|
+ <dc:subject>Red Hat Enterprise Linux 8</dc:subject>
|
||
|
+ <dc:identifier>2921</dc:identifier>
|
||
|
+ </xccdf:reference>
|
||
|
+ <xccdf:ident system="http://cyber.mil/cci">CCI-000366</xccdf:ident>
|
||
|
+ <xccdf:fixtext fixref="F-47786r818904_fix">Configure RHEL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the "/etc/sysctl.d" directory:
|
||
|
+
|
||
|
+net.core.bpf_jit_harden = 2
|
||
|
+
|
||
|
+The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
|
||
|
+
|
||
|
+$ sudo sysctl --system</xccdf:fixtext>
|
||
|
+ <xccdf:fix id="F-47786r818904_fix" />
|
||
|
+ <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:477" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ </xccdf:check>
|
||
|
+ </xccdf:Rule>
|
||
|
+ </xccdf:Group>
|
||
|
+ <xccdf:Group id="xccdf_mil.disa.stig_group_V-251706">
|
||
|
+ <xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
+ <xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-251706r809342_rule" weight="10.0" severity="high">
|
||
|
+ <xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-010121</xccdf:version>
|
||
|
+ <xccdf:title>The RHEL 8 operating system must not have accounts configured with blank or null passwords.</xccdf:title>
|
||
|
+ <xccdf:description><VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
+ <xccdf:reference>
|
||
|
+ <dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
|
||
|
+ <dc:publisher>DISA</dc:publisher>
|
||
|
+ <dc:type>DPMS Target</dc:type>
|
||
|
+ <dc:subject>Red Hat Enterprise Linux 8</dc:subject>
|
||
|
+ <dc:identifier>2921</dc:identifier>
|
||
|
+ </xccdf:reference>
|
||
|
+ <xccdf:ident system="http://cyber.mil/cci">CCI-000366</xccdf:ident>
|
||
|
+ <xccdf:fixtext fixref="F-55097r809341_fix">Configure all accounts on the system to have a password or lock the account with the following commands:
|
||
|
+
|
||
|
+Perform a password reset:
|
||
|
+$ sudo passwd [username]
|
||
|
+Lock an account:
|
||
|
+$ sudo passwd -l [username]</xccdf:fixtext>
|
||
|
+ <xccdf:fix id="F-55097r809341_fix" />
|
||
|
+ <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:482" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
</xccdf:Benchmark>
|
||
|
</component>
|
||
|
- <component id="scap_mil.disa.stig_comp_U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-oval.xml" timestamp="2022-01-03T11:44:34">
|
||
|
+ <component id="scap_mil.disa.stig_comp_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" timestamp="2022-03-28T12:45:13">
|
||
|
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5">
|
||
|
<generator>
|
||
|
<oval:product_name>repotool</oval:product_name>
|
||
|
<oval:schema_version>5.10</oval:schema_version>
|
||
|
- <oval:timestamp>2022-01-03T11:44:33</oval:timestamp>
|
||
|
+ <oval:timestamp>2022-03-28T12:45:12</oval:timestamp>
|
||
|
</generator>
|
||
|
<definitions>
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:10" version="1">
|
||
|
+ <metadata>
|
||
|
+ <title>The RHEL 8 version is RHEL 8.2 or newer.</title>
|
||
|
+ <affected family="unix">
|
||
|
+ <platform>Red Hat Enterprise Linux 8</platform>
|
||
|
+ </affected>
|
||
|
+ <description>External definition used to determine if the RHEL 8 version is RHEL 8.2 or newer for version applicability based requirements.</description>
|
||
|
+ </metadata>
|
||
|
+ <criteria operator="OR" comment="The RHEL 8 version is RHEL 8.2 or newer.">
|
||
|
+ <criterion comment="The RHEL 8 version is RHEL 8.2 or newer" test_ref="oval:mil.disa.stig.rhel8:tst:1000" />
|
||
|
+ <criterion comment="The RHEL 8 version is RHEL 8.2 or newer" test_ref="oval:mil.disa.stig.rhel8:tst:1001" />
|
||
|
+ </criteria>
|
||
|
+ </definition>
|
||
|
<definition class="compliance" id="oval:mil.disa.stig.rhel8:def:98" version="1">
|
||
|
<metadata>
|
||
|
<title>IPv6 is disabled in the kernel.</title>
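Review bot: Four rules new to this benchmark enter the XCCDF here — RHEL-08-020331 and RHEL-08-020332 (nullok in system-auth and password-auth), RHEL-08-040286 (net.core.bpf_jit_harden = 2) and RHEL-08-010121 (accounts with blank passwords) — each pointing at the V1R5 OVAL component via def:463, def:464, def:477 and def:482; if this repository maps STIG IDs to its own rules, those four IDs need a mapping or an explicit note that they are not yet covered. The new external definition def:10 at line 17218 ORs tst:1000 and tst:1001, which are defined outside this hunk, so the version gate it is meant to replace can only be verified against the test and object sections further down. The enclosing `<component>` element for the OVAL document continues past the hunk.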
|
||
|
@@ -9835,29 +10007,30 @@ Verifying the authenticity of the software prior to installation validates the i
|
||
|
<criterion comment="/etc/dnf/dnf.conf:[main]localpkg_gpgcheck is set to true." test_ref="oval:mil.disa.stig.rhel8:tst:13100" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:132" version="3">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:132" version="4">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-010372 - RHEL 8 must prevent the loading of a new kernel for later execution.</title>
|
||
|
<affected family="unix">
|
||
|
<platform>Red Hat Enterprise Linux 8</platform>
|
||
|
</affected>
|
||
|
<description>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
|
||
|
+
|
||
|
Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images.
|
||
|
+
|
||
|
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
/etc/sysctl.d/*.conf
|
||
|
/run/sysctl.d/*.conf
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</description>
|
||
|
+/etc/sysctl.conf</description>
|
||
|
</metadata>
|
||
|
<criteria operator="AND">
|
||
|
<criterion comment="kernel.kexec_load_disabled setting in kernel is 1" test_ref="oval:mil.disa.stig.rhel8:tst:13200" />
|
||
|
<criterion comment="kernel.kexec_load_disabled setting in sysctl configuration files is set to 1, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:13201" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:133" version="2">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:133" version="3">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-010373 - RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.</title>
|
||
|
<affected family="unix">
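Review bot: def:132 is bumped to version 4 at line 17302 with only its description changed, while its criterion at line 17390 still reads `kernel.kexec_load_disabled setting in sysctl configuration files is set to 1, and nothing else` — unlike def:133 through def:136 in the following hunks, whose criterion comments gain "and there are no conflicting settings in other files". Since the test reference tst:13201 is unchanged, whether kexec_load_disabled is now also checked for conflicting drop-ins can only be confirmed from the test definition, which is outside this hunk; worth a look before relying on this definition to detect an overriding file. The definition for def:133 continues past the end of the hunk.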
|
||
|
@@ -9874,16 +10047,14 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/run/sysctl.d/*.conf
|
||
|
/usr/local/lib/sysctl.d/*.conf/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configurationfile on the system.</description>
|
||
|
+/etc/sysctl.conf</description>
|
||
|
</metadata>
|
||
|
<criteria operator="AND">
|
||
|
<criterion comment="fs.protected_symlinks setting in kernel is 1" test_ref="oval:mil.disa.stig.rhel8:tst:13300" />
|
||
|
- <criterion comment="fs.protected_symlinks setting in sysctl configuration files is set to 1, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:13301" />
|
||
|
+ <criterion comment="fs.protected_symlinks setting in sysctl configuration files is set to 1, and nothing else, and there are no conflicting settings in other files" test_ref="oval:mil.disa.stig.rhel8:tst:13301" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:134" version="2">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:134" version="3">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-010374 - RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.</title>
|
||
|
<affected family="unix">
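Review bot: The criterion comment at line 17470 now promises `and there are no conflicting settings in other files`, but the test reference stays tst:13301, so the stronger semantics must come from a changed test, object or state elsewhere in the OVAL document rather than from this definition; the same applies to tst:13401, tst:13501 and tst:13601 in the next three hunks. A comment attribute is documentation only and does not affect evaluation, so a mismatch between the wording and the referenced test would go unnoticed by the scanner. The context line at 17430 still runs two paths together as `/usr/local/lib/sysctl.d/*.conf/usr/lib/sysctl.d/*.conf`, an upstream typo this update leaves in place; the enclosing definition starts before the hunk.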
|
||
|
@@ -9901,16 +10072,14 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</description>
|
||
|
+/etc/sysctl.conf</description>
|
||
|
</metadata>
|
||
|
<criteria operator="AND">
|
||
|
<criterion comment="fs.protected_hardlinks setting in kernel is 1" test_ref="oval:mil.disa.stig.rhel8:tst:13400" />
|
||
|
- <criterion comment="fs.protected_hardlinks setting in sysctl configuration files is set to 1, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:13401" />
|
||
|
+ <criterion comment="fs.protected_hardlinks setting in sysctl configuration files is set to 1, and nothing else, and there are no conflicting settings in other files" test_ref="oval:mil.disa.stig.rhel8:tst:13401" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:135" version="2">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:135" version="3">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-010375 - RHEL 8 must restrict access to the kernel message buffer.</title>
|
||
|
<affected family="unix">
|
||
|
@@ -9929,16 +10098,14 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/run/sysctl.d/*.conf
|
||
|
/usr/local/lib/sysctl.d/*.conf/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configurationfile on the system.</description>
|
||
|
+/etc/sysctl.conf</description>
|
||
|
</metadata>
|
||
|
<criteria operator="AND">
|
||
|
<criterion comment="kernel.dmesg_restrict setting in kernel is 1" test_ref="oval:mil.disa.stig.rhel8:tst:13500" />
|
||
|
- <criterion comment="kernel.dmesg_restrict setting in sysctl configuration files is set to 1, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:13501" />
|
||
|
+ <criterion comment="kernel.dmesg_restrict setting in sysctl configuration files is set to 1, and nothing else, and there are no conflicting settings in other files" test_ref="oval:mil.disa.stig.rhel8:tst:13501" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:136" version="2">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:136" version="3">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-010376 - RHEL 8 must prevent kernel profiling by unprivileged users.</title>
|
||
|
<affected family="unix">
|
||
|
@@ -9958,13 +10125,11 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</description>
|
||
|
+/etc/sysctl.conf</description>
|
||
|
</metadata>
|
||
|
<criteria operator="AND">
|
||
|
<criterion comment="kernel.perf_event_paranoid setting in kernel is 2" test_ref="oval:mil.disa.stig.rhel8:tst:13600" />
|
||
|
- <criterion comment="kernel.perf_event_paranoid setting in sysctl configuration files is set to 2, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:13601" />
|
||
|
+ <criterion comment="kernel.perf_event_paranoid setting in sysctl configuration files is set to 2, and nothing else, and there are no conflicting settings in other files" test_ref="oval:mil.disa.stig.rhel8:tst:13601" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
<definition class="compliance" id="oval:mil.disa.stig.rhel8:def:137" version="1">
|
||
|
@@ -10017,6 +10182,29 @@ This requirement only applies to components where this is specific to the functi
|
||
|
<criterion comment="package openssl-pkcs11 is installed" test_ref="oval:mil.disa.stig.rhel8:tst:13901" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:144" version="3">
|
||
|
+ <metadata>
|
||
|
+ <title>RHEL-08-010430 - RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.</title>
|
||
|
+ <affected family="unix">
|
||
|
+ <platform>Red Hat Enterprise Linux 8</platform>
|
||
|
+ </affected>
|
||
|
+ <description>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
|
||
|
+
|
||
|
+Examples of attacks are buffer overflow attacks.
|
||
|
+
|
||
|
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
+/etc/sysctl.d/*.conf
|
||
|
+/run/sysctl.d/*.conf
|
||
|
+/usr/local/lib/sysctl.d/*.conf
|
||
|
+/usr/lib/sysctl.d/*.conf
|
||
|
+/lib/sysctl.d/*.conf
|
||
|
+/etc/sysctl.conf</description>
|
||
|
+ </metadata>
|
||
|
+ <criteria>
|
||
|
+ <criterion test_ref="oval:mil.disa.stig.rhel8:tst:14400" />
|
||
|
+ <criterion test_ref="oval:mil.disa.stig.rhel8:tst:14401" />
|
||
|
+ </criteria>
|
||
|
+ </definition>
|
||
|
<definition id="oval:mil.disa.stig.rhel8:def:145" class="compliance" version="1">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-010440 - YUM must remove all software components after updated versions have been installed on RHEL 8.</title>
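Review bot: The added def:144 (ASLR, RHEL-08-010430) at lines 17814–17826 uses a bare `<criteria>` with no operator attribute and criterion elements with no comment, whereas the rest of this document writes `<criteria operator="AND">` and comments each criterion; OVAL defaults the operator to AND, so evaluation requires both tst:14400 and tst:14401 to pass, but the intent is not self-documenting. It is added as new content at version 3 rather than bumped from a prior version on the old side, so whether it was absent from V1R4 or merely moved is something to confirm against the rest of the diff. This is upstream content; the observation is for anyone mapping RHEL-08-010430 to the project's own kernel.randomize_va_space rule.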
|
||
|
@@ -10308,7 +10496,7 @@ Configuration settings are the set of parameters that can be changed in hardware
|
||
|
<criterion comment="actual nfs mounts have nosuid" test_ref="oval:mil.disa.stig.rhel8:tst:16701" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:168" version="2">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:168" version="3">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-010671 - RHEL 8 must disable the kernel.core_pattern.</title>
|
||
|
<affected family="unix">
|
||
|
@@ -10322,16 +10510,14 @@ The sysctl --system command will load settings from all system configuration fil
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</description>
+/etc/sysctl.conf</description>
</metadata>
<criteria operator="AND">
<criterion comment="kernel.core_pattern setting in kernel is '|/bin/false'." test_ref="oval:mil.disa.stig.rhel8:tst:16800" />
- <criterion comment="kernel.core_pattern setting in /etc/sysctld./99-sysctl.conf is set to '|/bin/false', and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:16801" />
+ <criterion comment="kernel.core_pattern setting in is set to '|/bin/false', and nothing else, and there are no conflicting settings in other files" test_ref="oval:mil.disa.stig.rhel8:tst:16801" />
</criteria>
</definition>
- <definition id="oval:mil.disa.stig.rhel8:def:169" class="compliance" version="1">
+ <definition id="oval:mil.disa.stig.rhel8:def:169" class="compliance" version="2">
<metadata>
<title>RHEL-08-010673 - RHEL 8 must disable core dumps for all users.</title>
<affected family="unix">
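Review bot: The updated criterion comment at line 17930 reads `kernel.core_pattern setting in is set to '|/bin/false', and nothing else, …` — the file name that followed "setting in" on the old side was removed without the preposition, leaving a broken phrase; the sibling definitions in this diff use `setting in sysctl configuration files is set to …`. Comments do not affect evaluation, so this only matters for readability of scan reports and for anyone diffing the OVAL against the project's own checks, but it is a defect in the upstream text that a later revision may or may not fix. The enclosing definition starts before the hunk; def:169 continues past it.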
|
||
|
@@ -10341,7 +10527,7 @@ Based on the information above, if a configuration file that begins with "99-" i
|
||
|
|
||
|
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</description>
|
||
|
</metadata>
|
||
|
- <criteria operator="OR">
|
||
|
+ <criteria>
|
||
|
<criterion test_ref="oval:mil.disa.stig.rhel8:tst:16900" />
|
||
|
<criterion test_ref="oval:mil.disa.stig.rhel8:tst:16901" />
|
||
|
</criteria>
|
||
|
@@ -10399,7 +10585,7 @@ A core dump includes a memory image taken at the time the operating system termi
|
||
|
<criterion comment="/etc/ssh/sshd_config:PermitUserEnvironment == no" test_ref="oval:mil.disa.stig.rhel8:tst:17900" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:180" version="3">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:180" version="4">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-020010 - RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.</title>
|
||
|
<affected family="unix">
|
||
|
@@ -10412,7 +10598,7 @@ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual chan
|
||
|
From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.</description>
|
||
|
</metadata>
|
||
|
<criteria operator="OR" comment="Either system-auth and password-auth are properly configured to use pam_faillock.so to lock an account after 3 failed login attempts or RHEL version is 8.2 or greater.">
|
||
|
- <criterion comment="The RHEL 8 version is RHEL 8.2 or newer" test_ref="oval:mil.disa.stig.rhel8:tst:18006" />
|
||
|
+ <extend_definition comment="The RHEL 8 version is RHEL 8.2 or newer" definition_ref="oval:mil.disa.stig.rhel8:def:10" />
|
||
|
<criteria operator="AND" comment="Check that system-auth and password-auth are configured to lock an account after 3 failed login attempts.">
|
||
|
<criterion comment="pam_faillock.so authfail line exists in system-auth" test_ref="oval:mil.disa.stig.rhel8:tst:18000" />
|
||
|
<criterion comment="pam_faillock.so preauth deny value set in system-auth" test_ref="oval:mil.disa.stig.rhel8:tst:18002" />
|
||
|
@@ -10438,7 +10624,7 @@ From "faillock.conf" man pages: Note that the default directory that "pam_faillo
|
||
|
<criterion comment="deny is set to 3 or less but not 0 in /etc/security/faillock.conf" test_ref="oval:mil.disa.stig.rhel8:tst:18107" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:182" version="1">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:182" version="2">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-020012 - RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.</title>
|
||
|
<affected family="unix">
|
||
|
@@ -10451,7 +10637,7 @@ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual chan
|
||
|
From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.</description>
|
||
|
</metadata>
|
||
|
<criteria operator="OR" comment="Either system-auth and password-auth are properly configured to use pam_faillock.so to us the fail_interval between 1 and 900 or RHEL version is 8.2 or newer.">
|
||
|
- <criterion comment="The RHEL 8 version is RHEL 8.1 or RHEL 8.0" test_ref="oval:mil.disa.stig.rhel8:tst:18203" />
|
||
|
+ <extend_definition comment="The RHEL 8 version is RHEL 8.2 or newer" definition_ref="oval:mil.disa.stig.rhel8:def:10" />
|
||
|
<criteria operator="AND" comment="Check that system-auth and password-auth are configured to use a fail_interval between 1 and 900.">
|
||
|
<criterion comment="pam_faillock.so peauth fail_interval value set to 900 or less but not 0 in system-auth" test_ref="oval:mil.disa.stig.rhel8:tst:18200" />
|
||
|
<criterion comment="pam_faillock.so peauth fail_interval value set to 900 or less but not 0 in password-auth" test_ref="oval:mil.disa.stig.rhel8:tst:18201" />
|
||
|
@@ -10475,7 +10661,7 @@ From "faillock.conf" man pages: Note that the default directory that "pam_faillo
|
||
|
<criterion comment="fail_interval is set to 900 or greater in /etc/security/faillock.conf" test_ref="oval:mil.disa.stig.rhel8:tst:18307" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:184" version="1">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:184" version="2">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-020014 - RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.</title>
|
||
|
<affected family="unix">
|
||
|
@@ -10488,7 +10674,7 @@ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual chan
|
||
|
From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.</description>
|
||
|
</metadata>
|
||
|
<criteria operator="OR" comment="Either system-auth and password-auth are properly configured to use pam_faillock.so the unlock_time equals 0 or RHEL version is 8.2 or newer.">
|
||
|
- <criterion comment="The RHEL 8 version is RHEL 8.1 or RHEL 8.0" test_ref="oval:mil.disa.stig.rhel8:tst:18404" />
|
||
|
+ <extend_definition comment="The RHEL 8 version is RHEL 8.2 or newer" definition_ref="oval:mil.disa.stig.rhel8:def:10" />
|
||
|
<criteria operator="AND" comment="Check that system-auth and password-auth are configured to use a unlock_time between 1 and 900.">
|
||
|
<criterion comment="pam_faillock.so preauth unlock_time value set to 0 in system-auth" test_ref="oval:mil.disa.stig.rhel8:tst:18400" />
|
||
|
<criterion comment="pam_faillock.so preauth unlock_time value set to 0 in password-auth" test_ref="oval:mil.disa.stig.rhel8:tst:18401" />
|
||
|
@@ -10514,7 +10700,7 @@ From "faillock.conf" man pages: Note that the default directory that "pam_faillo
|
||
|
<criterion comment="unlock_time is set to 0 in /etc/security/faillock.conf" test_ref="oval:mil.disa.stig.rhel8:tst:18507" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:186" version="1">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:186" version="2">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-020018 - RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.</title>
|
||
|
<affected family="unix">
|
||
|
@@ -10527,7 +10713,7 @@ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual chan
|
||
|
From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.</description>
|
||
|
</metadata>
|
||
|
<criteria operator="OR" comment="Either system-auth and password-auth are properly configured to use pam_faillock.so with the silent option or RHEL version is 8.2 or newer.">
|
||
|
- <criterion comment="The RHEL 8 version is RHEL 8.1 or RHEL 8.0" test_ref="oval:mil.disa.stig.rhel8:tst:18602" />
|
||
|
+ <extend_definition comment="The RHEL 8 version is RHEL 8.2 or newer" definition_ref="oval:mil.disa.stig.rhel8:def:10" />
|
||
|
<criteria operator="AND" comment="Check that system-auth and password-auth are configured to use silent.">
|
||
|
<criterion comment="pam_faillock.so preauth silent is in system-auth" test_ref="oval:mil.disa.stig.rhel8:tst:18600" />
|
||
|
<criterion comment="pam_faillock.so preauth silent is in password-auth" test_ref="oval:mil.disa.stig.rhel8:tst:18601" />
|
||
|
@@ -10551,7 +10737,7 @@ From "faillock.conf" man pages: Note that the default directory that "pam_faillo
|
||
|
<criterion comment="silent is set in /etc/security/faillock.conf" test_ref="oval:mil.disa.stig.rhel8:tst:18707" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:188" version="1">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:188" version="2">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-020020 - RHEL 8 must log user name information when unsuccessful logon attempts occur.</title>
|
||
|
<affected family="unix">
|
||
|
@@ -10564,7 +10750,7 @@ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual chan
|
||
|
From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.</description>
|
||
|
</metadata>
|
||
|
<criteria operator="OR" comment="Either system-auth and password-auth are properly configured to use pam_faillock.so with the audit option or RHEL version is 8.2 or newer.">
|
||
|
- <criterion comment="The RHEL 8 version is RHEL 8.2 or newer" test_ref="oval:mil.disa.stig.rhel8:tst:18802" />
|
||
|
+ <extend_definition comment="The RHEL 8 version is RHEL 8.2 or newer" definition_ref="oval:mil.disa.stig.rhel8:def:10" />
|
||
|
<criteria operator="AND" comment="Check that system-auth and password-auth are configured to use audit.">
|
||
|
<criterion comment="pam_faillock.so preauth audit is in system-auth" test_ref="oval:mil.disa.stig.rhel8:tst:18800" />
|
||
|
<criterion comment="pam_faillock.so preauth audit is in password-auth" test_ref="oval:mil.disa.stig.rhel8:tst:18801" />
|
||
|
@@ -10588,7 +10774,7 @@ From "faillock.conf" man pages: Note that the default directory that "pam_faillo
|
||
|
<criterion comment="audit is set in /etc/security/faillock.conf" test_ref="oval:mil.disa.stig.rhel8:tst:18907" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:190" version="2">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:190" version="3">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-020022 - RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.</title>
|
||
|
<affected family="unix">
|
||
|
@@ -10601,7 +10787,7 @@ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual chan
|
||
|
From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.</description>
|
||
|
</metadata>
|
||
|
<criteria operator="OR" comment="Either system-auth and password-auth are properly configured to use pam_faillock.so with the even_deny_root option or RHEL version is 8.2 or newer.">
|
||
|
- <criterion comment="The RHEL 8 version is RHEL 8.2 or newer" test_ref="oval:mil.disa.stig.rhel8:tst:19002" />
|
||
|
+ <extend_definition comment="The RHEL 8 version is RHEL 8.2 or newer" definition_ref="oval:mil.disa.stig.rhel8:def:10" />
|
||
|
<criteria operator="AND" comment="Check that system-auth and password-auth are configured to use even_deny_root.">
|
||
|
<criterion comment="pam_faillock.so preauth even_deny_root is in system-auth" test_ref="oval:mil.disa.stig.rhel8:tst:19000" />
|
||
|
<criterion comment="pam_faillock.so preauth even_deny_root is in password-auth" test_ref="oval:mil.disa.stig.rhel8:tst:19001" />
|
||
|
@@ -12822,13 +13008,21 @@ Session key regeneration limits the chances of a session key becoming compromise
|
||
|
<criterion test_ref="oval:mil.disa.stig.rhel8:tst:34700" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:348" version="5">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:348" version="6">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-040210 - RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted.</title>
|
||
|
<affected family="unix">
|
||
|
<platform>Red Hat Enterprise Linux 8</platform>
|
||
|
</affected>
|
||
|
- <description>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</description>
|
||
|
+ <description>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
|
||
|
+
|
||
|
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
+/etc/sysctl.d/*.conf
|
||
|
+/run/sysctl.d/*.conf
|
||
|
+/usr/local/lib/sysctl.d/*.conf
|
||
|
+/usr/lib/sysctl.d/*.conf
|
||
|
+/lib/sysctl.d/*.conf
|
||
|
+/etc/sysctl.conf</description>
|
||
|
</metadata>
|
||
|
<criteria operator="OR">
|
||
|
<extend_definition comment="ip6.disable=1 kernel boot option and net.ipv6.conf.all.disable_ipv6 setting in sysctl configuration files is set to 1, and nothing else" definition_ref="oval:mil.disa.stig.rhel8:def:98" />
|
||
|
@@ -12838,7 +13032,7 @@ Session key regeneration limits the chances of a session key becoming compromise
|
||
|
</criteria>
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:349" version="3">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:349" version="4">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-040220 - RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.</title>
|
||
|
<affected family="unix">
|
||
|
@@ -12854,16 +13048,14 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</description>
|
||
|
+/etc/sysctl.conf</description>
|
||
|
</metadata>
|
||
|
<criteria operator="AND">
|
||
|
<criterion comment="net.ipv4.conf.all.send_redirects setting in kernel is 0" test_ref="oval:mil.disa.stig.rhel8:tst:34900" />
|
||
|
- <criterion comment="net.ipv4.conf.all.send_redirects setting in /etc/sysctl.d/99-sysctl.conf is set to 0, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:34901" />
|
||
|
+ <criterion comment="net.ipv4.conf.all.send_redirects setting in /etc/sysctl.d/99-sysctl.conf is set to 0, and nothing else, and there are no conflicting settings in other files" test_ref="oval:mil.disa.stig.rhel8:tst:34901" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:350" version="3">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:350" version="4">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-040230 - RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.</title>
|
||
|
<affected family="unix">
|
||
|
@@ -12879,16 +13071,14 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</description>
|
||
|
+/etc/sysctl.conf</description>
|
||
|
</metadata>
|
||
|
<criteria operator="AND">
|
||
|
<criterion comment="net.ipv4.icmp_echo_ignore_broadcasts setting in kernel is 1" test_ref="oval:mil.disa.stig.rhel8:tst:35000" />
|
||
|
- <criterion comment="net.ipv4.icmp_echo_ignore_broadcasts setting in /etc/sysctl.d/99-sysctl.conf is set to 1, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:35001" />
|
||
|
+ <criterion comment="net.ipv4.icmp_echo_ignore_broadcasts setting in /etc/sysctl.d/99-sysctl.conf is set to 1, and nothing else, and there are no conflicting settings in other files" test_ref="oval:mil.disa.stig.rhel8:tst:35001" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:351" version="6">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:351" version="7">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-040240 - RHEL 8 must not forward source-routed packets.</title>
|
||
|
<affected family="unix">
|
||
|
@@ -12902,45 +13092,41 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</description>
|
||
|
+/etc/sysctl.conf</description>
|
||
|
</metadata>
|
||
|
<criteria operator="OR">
|
||
|
<extend_definition comment="ip6.disable=1 kernel boot option and net.ipv6.conf.all.disable_ipv6 setting in sysctl configuration files is set to 1, and nothing else" definition_ref="oval:mil.disa.stig.rhel8:def:98" />
|
||
|
<criteria operator="AND">
|
||
|
<criterion comment="net.ipv6.conf.all.accept_source_route setting in kernel is 0" test_ref="oval:mil.disa.stig.rhel8:tst:35102" />
|
||
|
- <criterion comment="net.ipv6.conf.all.accept_source_route setting in /etc/sysct.d/99-sysctl.conf is set to 0, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:35103" />
|
||
|
+ <criterion comment="net.ipv6.conf.all.accept_source_route setting in sysctl configuration files is set to 0, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:35103" />
|
||
|
</criteria>
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:352" version="5">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:352" version="6">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-040250 - RHEL 8 must not forward source-routed packets by default.</title>
|
||
|
<affected family="unix">
|
||
|
<platform>Red Hat Enterprise Linux 8</platform>
|
||
|
</affected>
|
||
|
<description>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
|
||
|
-
|
||
|
+
|
||
|
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
/etc/sysctl.d/*.conf
|
||
|
/run/sysctl.d/*.conf
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</description>
|
||
|
+/etc/sysctl.conf</description>
|
||
|
</metadata>
|
||
|
<criteria operator="OR">
|
||
|
<extend_definition comment="ip6.disable=1 kernel boot option and net.ipv6.conf.all.disable_ipv6 setting in sysctl configuration files is set to 1, and nothing else" definition_ref="oval:mil.disa.stig.rhel8:def:98" />
|
||
|
<criteria operator="AND">
|
||
|
<criterion comment="net.ipv6.conf.default.accept_source_route setting in kernel is 0" test_ref="oval:mil.disa.stig.rhel8:tst:35202" />
|
||
|
- <criterion comment="net.ipv6.conf.default.accept_source_route setting in /etc/sysctl.d/99-sysctl.conf is set to 0, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:35203" />
|
||
|
+ <criterion comment="net.ipv6.conf.default.accept_source_route setting in sysctl configuration files is set to 0, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:35203" />
|
||
|
</criteria>
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:353" version="4">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:353" version="5">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-040260 - RHEL 8 must not be performing packet forwarding unless the system is a router.</title>
|
||
|
<affected family="unix">
|
||
|
@@ -12954,19 +13140,17 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</description>
|
||
|
+/etc/sysctl.conf</description>
|
||
|
</metadata>
|
||
|
<criteria operator="OR">
|
||
|
<extend_definition comment="ip6.disable=1 kernel boot option and net.ipv6.conf.all.disable_ipv6 setting in sysctl configuration files is set to 1, and nothing else" definition_ref="oval:mil.disa.stig.rhel8:def:98" />
|
||
|
<criteria operator="AND">
|
||
|
<criterion comment="net.ipv6.conf.all.forwarding setting in kernel is 0" test_ref="oval:mil.disa.stig.rhel8:tst:35302" />
|
||
|
- <criterion comment="net.ipv6.conf.all.forwarding setting in /etc/sysctl.d/99-sysctl.conf is set to 0, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:35303" />
|
||
|
+ <criterion comment="net.ipv6.conf.all.forwarding setting in the sysctl configuration files is set to 0, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:35303" />
|
||
|
</criteria>
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:354" version="2">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:354" version="4">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-040261 - RHEL 8 must not accept router advertisements on all IPv6 interfaces.</title>
|
||
|
<affected family="unix">
|
||
|
@@ -12982,19 +13166,17 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</description>
|
||
|
+/etc/sysctl.conf</description>
|
||
|
</metadata>
|
||
|
<criteria operator="OR" comment="If IPv6 is enabled, THEN verify the net.ipv6.conf.all.accept_ra sysctl setting">
|
||
|
<extend_definition definition_ref="oval:mil.disa.stig.rhel8:def:98" comment="IPv6 is disabled" />
|
||
|
<criteria operator="AND">
|
||
|
<criterion comment="net.ipv6.conf.all.accept_ra setting in kernel is 0" test_ref="oval:mil.disa.stig.rhel8:tst:35400" />
|
||
|
- <criterion comment="net.ipv6.conf.all.accept_ra setting in /etc/sysctl.d/99-sysctl.conf is set to 0, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:35401" />
|
||
|
+ <criterion comment="net.ipv6.conf.all.accept_ra setting in the sysctl configuration files is set to 0, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:35401" />
|
||
|
</criteria>
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:355" version="2">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:355" version="3">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-040262 - RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.</title>
|
||
|
<affected family="unix">
|
||
|
@@ -13010,19 +13192,17 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</description>
|
||
|
+/etc/sysctl.conf</description>
|
||
|
</metadata>
|
||
|
<criteria operator="OR" comment="If IPv6 is enabled, THEN verify the net.ipv6.conf.default.accept_ra sysctl setting">
|
||
|
<extend_definition definition_ref="oval:mil.disa.stig.rhel8:def:98" comment="IPv6 is disabled" />
|
||
|
<criteria operator="AND">
|
||
|
<criterion comment="net.ipv6.conf.default.accept_ra setting in kernel is 0" test_ref="oval:mil.disa.stig.rhel8:tst:35500" />
|
||
|
- <criterion comment="net.ipv6.conf.default.accept_ra setting in /etc/sysctl.d/99-sysctl.conf is set to 0, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:35501" />
|
||
|
+ <criterion comment="net.ipv6.conf.default.accept_ra setting in sysctl configuration files is set to 0, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:35501" />
|
||
|
</criteria>
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:356" version="3">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:356" version="5">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-040270 - RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.</title>
|
||
|
<affected family="unix">
|
||
|
@@ -13038,18 +13218,16 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</description>
|
||
|
+/etc/sysctl.conf</description>
|
||
|
</metadata>
|
||
|
- <criteria operator="AND">
|
||
|
- <criterion comment="net.ipv4.conf.default.send_redirects setting in kernel is 0" test_ref="oval:mil.disa.stig.rhel8:tst:35600" />
|
||
|
- <criterion comment="net.ipv4.conf.default.send_redirects setting in /etc/sysctl.d/99-sysctl.conf is set to 0, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:35601" />
|
||
|
+ <criteria>
|
||
|
+ <criterion test_ref="oval:mil.disa.stig.rhel8:tst:35600" />
|
||
|
+ <criterion test_ref="oval:mil.disa.stig.rhel8:tst:35601" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:357" version="5">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:357" version="6">
|
||
|
<metadata>
|
||
|
- <title>RHEL-08-040280 - RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages.</title>
|
||
|
+ <title>RHEL-08-040280 - RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.</title>
|
||
|
<affected family="unix">
|
||
|
<platform>Red Hat Enterprise Linux 8</platform>
|
||
|
</affected>
|
||
|
@@ -13061,19 +13239,17 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</description>
|
||
|
+/etc/sysctl.conf</description>
|
||
|
</metadata>
|
||
|
<criteria operator="OR">
|
||
|
- <extend_definition comment="ip6.disable=1 kernel boot option and net.ipv6.conf.all.disable_ipv6 setting in sysctl configuration files is set to 1, and nothing else" definition_ref="oval:mil.disa.stig.rhel8:def:98" />
|
||
|
+ <extend_definition definition_ref="oval:mil.disa.stig.rhel8:def:98" comment="IPv6 is disabled" />
|
||
|
<criteria operator="AND">
|
||
|
- <criterion comment="net.ipv6.conf.all.accept_redirects setting in kernel is 0" test_ref="oval:mil.disa.stig.rhel8:tst:35702" />
|
||
|
- <criterion comment="net.ipv6.conf.all.accept_redirects setting in /etc/sysctl.d/99-sysctl.conf is set to 0, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:35703" />
|
||
|
+ <criterion comment="net.ipv6.conf.all.accept_redirects setting in kernel is 0" test_ref="oval:mil.disa.stig.rhel8:tst:35700" />
|
||
|
+ <criterion comment="net.ipv6.conf.all.accept_redirects setting in sysctl configuration files is set to 0, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:35701" />
|
||
|
</criteria>
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:358" version="4">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:358" version="5">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-040281 - RHEL 8 must disable access to network bpf syscall from unprivileged processes.</title>
|
||
|
<affected family="unix">
|
||
|
@@ -13087,16 +13263,14 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</description>
|
||
|
+/etc/sysctl.conf</description>
|
||
|
</metadata>
|
||
|
- <criteria>
|
||
|
- <criterion test_ref="oval:mil.disa.stig.rhel8:tst:35800" />
|
||
|
- <criterion test_ref="oval:mil.disa.stig.rhel8:tst:35801" />
|
||
|
+ <criteria operator="AND">
|
||
|
+ <criterion comment="kernel.unprivileged_bpf_disabled setting in kernel is '1'." test_ref="oval:mil.disa.stig.rhel8:tst:35800" />
|
||
|
+ <criterion comment="kernel.unprivileged_bpf_disabled setting is set to '1', and nothing else, and there are no conflicting settings in other files" test_ref="oval:mil.disa.stig.rhel8:tst:35801" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:359" version="8">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:359" version="9">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-040282 - RHEL 8 must restrict usage of ptrace to descendant processes.</title>
|
||
|
<affected family="unix">
|
||
|
@@ -13110,38 +13284,35 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
/usr/local/lib/sysctl.d/*.conf
|
||
|
/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</description>
|
||
|
+/etc/sysctl.conf</description>
|
||
|
</metadata>
|
||
|
- <criteria>
|
||
|
- <criterion test_ref="oval:mil.disa.stig.rhel8:tst:35900" />
|
||
|
- <criterion test_ref="oval:mil.disa.stig.rhel8:tst:35901" />
|
||
|
+ <criteria operator="AND">
|
||
|
+ <criterion comment="kernel.yama.ptrace_scope setting in kernel is set to 1" test_ref="oval:mil.disa.stig.rhel8:tst:35900" />
|
||
|
+ <criterion comment="kernel.yama.ptrace_scope in sysctl configuration files is set to 1, and nothing else, and there are no conflicting settings in other files" test_ref="oval:mil.disa.stig.rhel8:tst:35901" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:360" version="4">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:360" version="6">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-040283 - RHEL 8 must restrict exposed kernel pointer addresses access.</title>
|
||
|
<affected family="unix">
|
||
|
<platform>Red Hat Enterprise Linux 8</platform>
|
||
|
</affected>
|
||
|
- <description>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
+ <description>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
|
||
|
-The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a gien filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
/etc/sysctl.d/*.conf
|
||
|
/run/sysctl.d/*.conf
|
||
|
-/usr/local/lib/sysctl.d/*.conf/usr/lib/sysctl.d/*.conf
|
||
|
+/usr/local/lib/sysctl.d/*.conf
|
||
|
+/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configurationfile on the system.</description>
|
||
|
+/etc/sysctl.conf</description>
|
||
|
</metadata>
|
||
|
- <criteria operator="AND">
|
||
|
- <criterion comment="kernel.kptr_restrict setting in kernel is 1" test_ref="oval:mil.disa.stig.rhel8:tst:36000" />
|
||
|
- <criterion comment="kernel.kptr_restrict setting in /etc/sysctl.d/99-*.conf configuration files is set to 1, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:36001" />
|
||
|
+ <criteria>
|
||
|
+ <criterion test_ref="oval:mil.disa.stig.rhel8:tst:36000" />
|
||
|
+ <criterion test_ref="oval:mil.disa.stig.rhel8:tst:36001" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:361" version="2">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:361" version="4">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-040284 - RHEL 8 must disable the use of user namespaces.</title>
|
||
|
<affected family="unix">
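Review bot: The rewritten `<criteria>` for def:360 (kernel.kptr_restrict) drops `operator="AND"` and the `comment` attributes on both criteria, while def:358 and def:359 in this same update gain exactly those. OVAL's default criteria operator is AND, so evaluation is unchanged, but def:360 is now documented inconsistently with its neighbours: a reader can no longer tell which criterion is the running-kernel check and which is the configuration-file check without chasing tst:36000/tst:36001. The same removal happens for def:361 and def:362 in the next two hunks. Suggest restoring `<criteria operator="AND">` with comments in the style of def:359, e.g. `kernel.kptr_restrict setting in kernel is set to 1` and `kernel.kptr_restrict in sysctl configuration files is set to 1, and nothing else, and there are no conflicting settings in other files`; if this file must stay byte-identical to the DISA release, the discrepancy is worth reporting upstream and mentioning in the commit message instead.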
|
||
|
@@ -13149,21 +13320,20 @@ Based on the information above, if a configuration file begins with "99-" is cre
|
||
|
</affected>
|
||
|
<description>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
|
||
|
-The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a gien filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
/etc/sysctl.d/*.conf
|
||
|
/run/sysctl.d/*.conf
|
||
|
-/usr/local/lib/sysctl.d/*.conf/usr/lib/sysctl.d/*.conf
|
||
|
+/usr/local/lib/sysctl.d/*.conf
|
||
|
+/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configurationfile on the system.</description>
|
||
|
+/etc/sysctl.conf</description>
|
||
|
</metadata>
|
||
|
- <criteria operator="AND">
|
||
|
- <criterion comment="user.max_user_namespaces setting in kernel is 0" test_ref="oval:mil.disa.stig.rhel8:tst:36100" />
|
||
|
- <criterion comment="user.max_user_namespaces setting in /etc/sysctl.d/99-*.conf configuration files is set to 0, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:36101" />
|
||
|
+ <criteria>
|
||
|
+ <criterion test_ref="oval:mil.disa.stig.rhel8:tst:36100" />
|
||
|
+ <criterion test_ref="oval:mil.disa.stig.rhel8:tst:36101" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:362" version="2">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:362" version="4">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-040285 - RHEL 8 must use reverse path filtering on all IPv4 interfaces.</title>
|
||
|
<affected family="unix">
|
||
|
@@ -13171,18 +13341,17 @@ Based on the information above, if a configuration file begins with "99-" is cre
|
||
|
</affected>
|
||
|
<description>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
|
||
|
-The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a gien filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
/etc/sysctl.d/*.conf
|
||
|
/run/sysctl.d/*.conf
|
||
|
-/usr/local/lib/sysctl.d/*.conf/usr/lib/sysctl.d/*.conf
|
||
|
+/usr/local/lib/sysctl.d/*.conf
|
||
|
+/usr/lib/sysctl.d/*.conf
|
||
|
/lib/sysctl.d/*.conf
|
||
|
-/etc/sysctl.conf
|
||
|
-
|
||
|
-Based on the information above, if a configuration file begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configurationfile on the system.</description>
|
||
|
+/etc/sysctl.conf</description>
|
||
|
</metadata>
|
||
|
- <criteria operator="AND">
|
||
|
- <criterion comment="net.ipv4.conf.all.rp_filter setting in kernel is 1" test_ref="oval:mil.disa.stig.rhel8:tst:36200" />
|
||
|
- <criterion comment="net.ipv4.conf.all.rp_filter setting in /etc/sysctl.d/99-*.conf is set to 1, and nothing else" test_ref="oval:mil.disa.stig.rhel8:tst:36201" />
|
||
|
+ <criteria>
|
||
|
+ <criterion test_ref="oval:mil.disa.stig.rhel8:tst:36200" />
|
||
|
+ <criterion test_ref="oval:mil.disa.stig.rhel8:tst:36201" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
<definition id="oval:mil.disa.stig.rhel8:def:363" class="compliance" version="1">
|
||
|
@@ -13395,38 +13564,101 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<criterion comment="Defaults timestamp_timeout is configured in /etc/sudoers.d" test_ref="oval:mil.disa.stig.rhel8:tst:41601" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- </definitions>
|
||
|
- <tests>
|
||
|
- <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="net.ipv6.conf.all.disable_ipv6 setting in kernel is set to 1" id="oval:mil.disa.stig.rhel8:tst:9800" version="1">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:9800" />
|
||
|
- <state state_ref="oval:mil.disa.stig.rhel8:ste:9800" />
|
||
|
- </sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv6.conf.all.disable_ipv6 setting in sysctl configuration files is set to 1, and nothing else" id="oval:mil.disa.stig.rhel8:tst:9801" version="1">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:9803" />
|
||
|
- <state state_ref="oval:mil.disa.stig.rhel8:ste:9801" />
|
||
|
- </textfilecontent54_test>
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:463" version="1">
|
||
|
+ <metadata>
|
||
|
+ <title>RHEL-08-020331 - RHEL 8 must not allow blank or null passwords in the system-auth file.</title>
|
||
|
+ <affected family="windows">
|
||
|
+ <platform>Red Hat Enterprise Linux 8</platform>
|
||
|
+ </affected>
|
||
|
+ <description>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</description>
|
||
|
+ </metadata>
|
||
|
+ <criteria>
|
||
|
+ <criterion test_ref="oval:mil.disa.stig.rhel8:tst:46300" />
|
||
|
+ </criteria>
|
||
|
+ </definition>
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:464" version="1">
|
||
|
+ <metadata>
|
||
|
+ <title>RHEL-08-020332 - RHEL 8 must not allow blank or null passwords in the password-auth file.</title>
|
||
|
+ <affected family="windows">
|
||
|
+ <platform>Red Hat Enterprise Linux 8</platform>
|
||
|
+ </affected>
|
||
|
+ <description>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</description>
|
||
|
+ </metadata>
|
||
|
+ <criteria>
|
||
|
+ <criterion test_ref="oval:mil.disa.stig.rhel8:tst:46400" />
|
||
|
+ </criteria>
|
||
|
+ </definition>
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:477" version="3">
|
||
|
+ <metadata>
|
||
|
+ <title>RHEL-08-040286 - RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.</title>
|
||
|
+ <affected family="unix">
|
||
|
+ <platform>Red Hat Enterprise Linux 8</platform>
|
||
|
+ </affected>
|
||
|
+ <description>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
+
|
||
|
+Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to "2" enables JIT hardening for all users.
|
||
|
+
|
||
|
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
+/etc/sysctl.d/*.conf
|
||
|
+/run/sysctl.d/*.conf
|
||
|
+/usr/local/lib/sysctl.d/*.conf
|
||
|
+/usr/lib/sysctl.d/*.conf
|
||
|
+/lib/sysctl.d/*.conf
|
||
|
+/etc/sysctl.conf</description>
|
||
|
+ </metadata>
|
||
|
+ <criteria>
|
||
|
+ <criterion test_ref="oval:mil.disa.stig.rhel8:tst:47700" />
|
||
|
+ <criterion test_ref="oval:mil.disa.stig.rhel8:tst:47701" />
|
||
|
+ </criteria>
|
||
|
+ </definition>
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:482" version="1">
|
||
|
+ <metadata>
|
||
|
+ <title>RHEL-08-010121 - The RHEL 8 operating system must not have accounts configured with blank or null passwords.</title>
|
||
|
+ <affected family="windows">
|
||
|
+ <platform>Red Hat Enterprise Linux 8</platform>
|
||
|
+ </affected>
|
||
|
+ <description>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</description>
|
||
|
+ </metadata>
|
||
|
+ <criteria>
|
||
|
+ <criterion test_ref="oval:mil.disa.stig.rhel8:tst:48200" />
|
||
|
+ </criteria>
|
||
|
+ </definition>
|
||
|
+ </definitions>
|
||
|
+ <tests>
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="The RHEL 8 version is 8.2 or greater." id="oval:mil.disa.stig.rhel8:tst:1000" version="1">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:10000" />
|
||
|
+ <state state_ref="oval:mil.disa.stig.rhel8:ste:1000" />
|
||
|
+ </textfilecontent54_test>
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="The RHEL 8 version is 8.2 or greater." id="oval:mil.disa.stig.rhel8:tst:1001" version="1">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:10001" />
|
||
|
+ <state state_ref="oval:mil.disa.stig.rhel8:ste:1000" />
|
||
|
+ </textfilecontent54_test>
|
||
|
+ <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="net.ipv6.conf.all.disable_ipv6 setting in kernel is set to 1" id="oval:mil.disa.stig.rhel8:tst:9800" version="1">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:9800" />
|
||
|
+ <state state_ref="oval:mil.disa.stig.rhel8:ste:9800" />
|
||
|
+ </sysctl_test>
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv6.conf.all.disable_ipv6 setting in sysctl configuration files is set to 1, and nothing else" id="oval:mil.disa.stig.rhel8:tst:9801" version="1">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:9803" />
|
||
|
+ <state state_ref="oval:mil.disa.stig.rhel8:ste:9801" />
|
||
|
+ </textfilecontent54_test>
|
||
|
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="ipv6.disable=1 in the kernel cmdline" id="oval:mil.disa.stig.rhel8:tst:9802" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:9804" />
|
||
|
</textfilecontent54_test>
|
||
|
<rpminfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="all" check_existence="all_exist" id="oval:mil.disa.stig.rhel8:tst:9900" comment="The openssh package is installed." version="2">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:9900" />
|
||
|
</rpminfo_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="The RHEL 8 minor version is supported." id="oval:mil.disa.stig.rhel8:tst:10000" version="5" state_operator="OR">
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="The RHEL 8 minor version is supported." id="oval:mil.disa.stig.rhel8:tst:10000" version="6" state_operator="OR">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:10000" />
|
||
|
- <state state_ref="oval:mil.disa.stig.rhel8:ste:10001" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:10002" />
|
||
|
- <state state_ref="oval:mil.disa.stig.rhel8:ste:10003" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:10004" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:10005" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:10006" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:10007" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:10008" />
|
||
|
</textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="The RHEL 8 minor version is supported." id="oval:mil.disa.stig.rhel8:tst:10001" version="3" state_operator="OR">
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="The RHEL 8 minor version is supported." id="oval:mil.disa.stig.rhel8:tst:10001" version="4" state_operator="OR">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:10001" />
|
||
|
- <state state_ref="oval:mil.disa.stig.rhel8:ste:10001" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:10002" />
|
||
|
- <state state_ref="oval:mil.disa.stig.rhel8:ste:10003" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:10004" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:10005" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:10006" />
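Review bot: The three new blank-password definitions def:463, def:464 and def:482 declare `<affected family="windows">` for a "Red Hat Enterprise Linux 8" platform, whereas def:477 in the same hunk and every other definition in view use `family="unix"`. The affected element is informational in OVAL, so the tests still evaluate, but any tooling that filters or reports by family, and anyone reading the benchmark, will misclassify these rules. Suggest `<affected family="unix">` on those three definitions, or, since this file mirrors the DISA release, recording the mismatch for upstream and noting it in the commit message.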
|
||
|
@@ -13589,40 +13821,40 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:13200" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:13200" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="kernel.kexec_load_disabled setting in sysctl configuration files is set to 1, and nothing else" id="oval:mil.disa.stig.rhel8:tst:13201" version="2">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:13201" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="kernel.kexec_load_disabled setting in sysctl configuration files is set to 1, and nothing else" id="oval:mil.disa.stig.rhel8:tst:13201" version="3">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:13203" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:13201" />
|
||
|
</textfilecontent54_test>
|
||
|
<sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="fs.protected_symlinks setting in kernel is set to 1" id="oval:mil.disa.stig.rhel8:tst:13300" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:13300" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:13300" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="fs.protected_symlinks setting in sysctl configuration files is set to 1, and nothing else" id="oval:mil.disa.stig.rhel8:tst:13301" version="2">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:13301" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="fs.protected_symlinks setting in sysctl configuration files is set to 1, and nothing else, and there are no conflicting settings in other files" id="oval:mil.disa.stig.rhel8:tst:13301" version="3">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:13303" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:13301" />
|
||
|
</textfilecontent54_test>
|
||
|
<sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="fs.protected_hardlinks setting in kernel is set to 1" id="oval:mil.disa.stig.rhel8:tst:13400" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:13400" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:13400" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="fs.protected_hardlinks setting in /etc/sysctl.d/99-sysctl.conf is set to 1, and nothing else" id="oval:mil.disa.stig.rhel8:tst:13401" version="2">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:13401" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="fs.protected_hardlinks setting in /etc/sysctl.d/99-sysctl.conf is set to 1, and nothing else, and there are no conflicting settings in other files" id="oval:mil.disa.stig.rhel8:tst:13401" version="3">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:13403" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:13401" />
|
||
|
</textfilecontent54_test>
|
||
|
<sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="kernel.dmesg_restrict setting in kernel is set to 1" id="oval:mil.disa.stig.rhel8:tst:13500" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:13500" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:13500" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="kernel.dmesg_restrict setting in sysctl configuration files is set to 1, and nothing else" id="oval:mil.disa.stig.rhel8:tst:13501" version="2">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:13501" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="kernel.dmesg_restrict setting in sysctl configuration files is set to 1, and nothing else, and there are no conflicting settings in other files" id="oval:mil.disa.stig.rhel8:tst:13501" version="3">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:13503" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:13501" />
|
||
|
</textfilecontent54_test>
|
||
|
<sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="kernel.perf_event_paranoid setting in kernel is set to 2" id="oval:mil.disa.stig.rhel8:tst:13600" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:13600" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:13600" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="kernel.perf_event_paranoid setting in /etc/sysctl.d/99-*.conf is set to 2, and nothing else" id="oval:mil.disa.stig.rhel8:tst:13601" version="2">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:13601" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="kernel.perf_event_paranoid setting in /etc/sysctl.d/99-*.conf is set to 2, and nothing else, and there are no conflicting settings in other files" id="oval:mil.disa.stig.rhel8:tst:13601" version="3">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:13603" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:13601" />
|
||
|
</textfilecontent54_test>
|
||
|
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="none_exist" comment="'NOPASSWD' does not exist in /etc/sudoers" id="oval:mil.disa.stig.rhel8:tst:13700" version="1">
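Review bot: The updated comments on tst:13401 and tst:13601 still name a single location (`/etc/sysctl.d/99-sysctl.conf`, `/etc/sysctl.d/99-*.conf`) while the object reference moves to obj:13403/obj:13603 and the appended clause says "there are no conflicting settings in other files", which reads as a contradiction. The sibling tests tst:13301 and tst:13501 in this hunk were reworded to "in sysctl configuration files" for the same change, so the two comments look like they were missed. Assuming obj:13403 and obj:13603 span the sysctl.d directories like their siblings (the objects are outside this hunk), suggest `comment="fs.protected_hardlinks setting in sysctl configuration files is set to 1, and nothing else, and there are no conflicting settings in other files"` and the equivalent for kernel.perf_event_paranoid.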
|
||
|
@@ -13640,6 +13872,14 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<rpminfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="all" check_existence="all_exist" comment="package openssl-pkcs11 is installed" id="oval:mil.disa.stig.rhel8:tst:13901" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:13901" />
|
||
|
</rpminfo_test>
|
||
|
+ <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="kernel.randomize_va_space is set to 2 in kernel" check="all" id="oval:mil.disa.stig.rhel8:tst:14400" version="2">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:14400" />
|
||
|
+ <state state_ref="oval:mil.disa.stig.rhel8:ste:14400" />
|
||
|
+ </sysctl_test>
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="kernel.randomize_va_space is set to 2 in the sysctl configuration files." check="all" check_existence="only_one_exists" id="oval:mil.disa.stig.rhel8:tst:14401" version="2">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:14403" />
|
||
|
+ <state state_ref="oval:mil.disa.stig.rhel8:ste:14401" />
|
||
|
+ </textfilecontent54_test>
|
||
|
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/dnf/dnf.conf: clean_requirements_on_remove is set to True, 1 or yes" check="all" id="oval:mil.disa.stig.rhel8:tst:14500" version="2">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:14500" />
|
||
|
</textfilecontent54_test>
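Review bot: The new tst:14401 uses `check_existence="only_one_exists"` for kernel.randomize_va_space, whereas every other sysctl configuration-file test in view (tst:13201 through tst:13601, tst:16801) uses `at_least_one_exists`. If obj:14403 collects the setting from all sysctl configuration files, a correctly hardened host that sets `kernel.randomize_va_space = 2` in two files (for example a vendor drop-in plus /etc/sysctl.conf) would fail this test even though no conflicting value exists; the object definition is outside this hunk, so this is inferred. If the stricter existence check is intentional it deserves a comment on the test, otherwise `check_existence="at_least_one_exists"` would match the siblings. Separately, tst:14400 omits `check_existence` while the other sysctl_test elements state `check_existence="all_exist"` explicitly; the default is the same, so this is only a consistency nit.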
|
||
|
@@ -13756,15 +13996,17 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:16800" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:16800" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="kernel.core_pattern setting in /etc/sysctl.d/99-sysctl.conf is set to '|/bin/false'., and nothing else" id="oval:mil.disa.stig.rhel8:tst:16801" version="2">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:16801" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="kernel.core_pattern setting is set to '|/bin/false'., and nothing else, and there are no conflicting settings in other files" id="oval:mil.disa.stig.rhel8:tst:16801" version="3">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:16803" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:16801" />
|
||
|
</textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/security/limits.conf contains a limit '* hard core 0'" check="all" id="oval:mil.disa.stig.rhel8:tst:16900" version="1">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:16900" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="For the global domain, core is set to 0." check="all" id="oval:mil.disa.stig.rhel8:tst:16900" version="2">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:16902" />
|
||
|
+ <state state_ref="oval:mil.disa.stig.rhel8:ste:16900" />
|
||
|
</textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="a '.conf' file defined in /etc/security/limits.d/ contains a limit '* hard core 0'" check="all" id="oval:mil.disa.stig.rhel8:tst:16901" version="2">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:16901" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="If core is set for any specific domains, it is set to 0." check="all" check_existence="any_exist" id="oval:mil.disa.stig.rhel8:tst:16901" version="3">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:16905" />
|
||
|
+ <state state_ref="oval:mil.disa.stig.rhel8:ste:16900" />
|
||
|
</textfilecontent54_test>
|
||
|
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="storing core dumps is disabled" check="all" id="oval:mil.disa.stig.rhel8:tst:17000" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:17000" />
|
||
|
@@ -13827,10 +14069,6 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<ind:state state_ref="oval:mil.disa.stig.rhel8:ste:18200" />
|
||
|
<ind:state state_ref="oval:mil.disa.stig.rhel8:ste:18202" />
|
||
|
</ind:textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="The RHEL 8 version is 8.2 or greater." id="oval:mil.disa.stig.rhel8:tst:18203" version="1">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:10000" />
|
||
|
- <state state_ref="oval:mil.disa.stig.rhel8:ste:18201" />
|
||
|
- </textfilecontent54_test>
|
||
|
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="The RHEL 8 version is 8.2 or greater." id="oval:mil.disa.stig.rhel8:tst:18306" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:10000" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:18301" />
|
||
|
@@ -13855,10 +14093,6 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<ind:object object_ref="oval:mil.disa.stig.rhel8:obj:18403" />
|
||
|
<ind:state state_ref="oval:mil.disa.stig.rhel8:ste:18400" />
|
||
|
</ind:textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="The RHEL 8 version is 8.2 or greater." id="oval:mil.disa.stig.rhel8:tst:18404" version="1">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:10000" />
|
||
|
- <state state_ref="oval:mil.disa.stig.rhel8:ste:18401" />
|
||
|
- </textfilecontent54_test>
|
||
|
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="The RHEL 8 version is 8.2 or greater." id="oval:mil.disa.stig.rhel8:tst:18506" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:10000" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:18501" />
|
||
|
@@ -13873,10 +14107,6 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<ind:textfilecontent54_test xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="all_exist" comment="check silent is set in /etc/pam.d/password-auth (preauth)" id="oval:mil.disa.stig.rhel8:tst:18601" version="1">
|
||
|
<ind:object object_ref="oval:mil.disa.stig.rhel8:obj:18601" />
|
||
|
</ind:textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="The RHEL 8 version is 8.2 or greater." id="oval:mil.disa.stig.rhel8:tst:18602" version="1">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:10000" />
|
||
|
- <state state_ref="oval:mil.disa.stig.rhel8:ste:18601" />
|
||
|
- </textfilecontent54_test>
|
||
|
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="The RHEL 8 version is 8.2 or greater." id="oval:mil.disa.stig.rhel8:tst:18706" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:10000" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:18701" />
|
||
|
@@ -13890,10 +14120,6 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<ind:textfilecontent54_test xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="all_exist" comment="check audit is set in /etc/pam.d/password-auth (preauth)" id="oval:mil.disa.stig.rhel8:tst:18801" version="1">
|
||
|
<ind:object object_ref="oval:mil.disa.stig.rhel8:obj:18801" />
|
||
|
</ind:textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="The RHEL 8 version is 8.2 or greater." id="oval:mil.disa.stig.rhel8:tst:18802" version="1">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:10000" />
|
||
|
- <state state_ref="oval:mil.disa.stig.rhel8:ste:18801" />
|
||
|
- </textfilecontent54_test>
|
||
|
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="The RHEL 8 version is 8.2 or greater." id="oval:mil.disa.stig.rhel8:tst:18906" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:10000" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:18901" />
|
||
|
@@ -13907,10 +14133,6 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<ind:textfilecontent54_test xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="all_exist" comment="check even_deny_root is set in /etc/pam.d/password-auth (preauth)" id="oval:mil.disa.stig.rhel8:tst:19001" version="2">
|
||
|
<ind:object object_ref="oval:mil.disa.stig.rhel8:obj:19001" />
|
||
|
</ind:textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="The RHEL 8 version is 8.2 or greater." id="oval:mil.disa.stig.rhel8:tst:19002" version="2">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:10000" />
|
||
|
- <state state_ref="oval:mil.disa.stig.rhel8:ste:19001" />
|
||
|
- </textfilecontent54_test>
|
||
|
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="The RHEL 8 version is 8.2 or greater." id="oval:mil.disa.stig.rhel8:tst:19106" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:10000" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:19101" />
|
||
|
@@ -14713,11 +14935,11 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:34700" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:34700" />
|
||
|
</password_test>
|
||
|
- <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="net.ipv6.conf.default.accept_redirects setting in kernel is set to 0" id="oval:mil.disa.stig.rhel8:tst:34802" version="1">
|
||
|
+ <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="net.ipv6.conf.default.accept_redirects setting in kernel is set to 0" id="oval:mil.disa.stig.rhel8:tst:34802" version="3">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:34804" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:34800" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv6.conf.default.accept_redirects setting in sysctl configuration files is set to 0, and nothing else" id="oval:mil.disa.stig.rhel8:tst:34803" version="1">
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv6.conf.default.accept_redirects setting in sysctl configuration files is set to 0, and nothing else" id="oval:mil.disa.stig.rhel8:tst:34803" version="3">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:34807" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:34801" />
|
||
|
</textfilecontent54_test>
|
||
|
@@ -14725,113 +14947,113 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:34900" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:34900" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv4.conf.all.send_redirects setting in /etc/sysctl.d/99-sysctl.conf is set to 0, and nothing else" id="oval:mil.disa.stig.rhel8:tst:34901" version="2">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:34901" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv4.conf.all.send_redirects setting in /etc/sysctl.d/99-sysctl.conf is set to 0, and nothing else, and there are no conflicting settings in other files" id="oval:mil.disa.stig.rhel8:tst:34901" version="3">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:34903" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:34901" />
|
||
|
</textfilecontent54_test>
|
||
|
<sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="net.ipv4.icmp_echo_ignore_broadcasts setting in kernel is set to 1" id="oval:mil.disa.stig.rhel8:tst:35000" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:35000" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:35000" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv4.icmp_echo_ignore_broadcasts setting in /etc/sysctl.d/99-sysctl.conf is set to 1, and nothing else" id="oval:mil.disa.stig.rhel8:tst:35001" version="2">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:35001" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv4.icmp_echo_ignore_broadcasts setting in /etc/sysctl.d/99-sysctl.conf is set to 1, and nothing else, and there are no conflicting settings in other files" id="oval:mil.disa.stig.rhel8:tst:35001" version="3">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:35003" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:35001" />
|
||
|
</textfilecontent54_test>
|
||
|
<sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="net.ipv6.conf.all.accept_source_route setting in kernel is set to 0" id="oval:mil.disa.stig.rhel8:tst:35102" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:35104" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:35100" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv6.conf.all.accept_source_route setting in /etc/sysctl.d/99-sysctl.conf is set to 0, and nothing else" id="oval:mil.disa.stig.rhel8:tst:35103" version="2">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:35105" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv6.conf.all.accept_source_route setting in /etc/sysctl.d/99-sysctl.conf is set to 0, and nothing else" id="oval:mil.disa.stig.rhel8:tst:35103" version="3">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:35103" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:35101" />
|
||
|
</textfilecontent54_test>
|
||
|
<sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="net.ipv6.conf.default.accept_source_route setting in kernel is set to 0" id="oval:mil.disa.stig.rhel8:tst:35202" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:35204" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:35200" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv6.conf.default.accept_source_route setting in /etc/sysctl.d/99-sysctl.conf is set to 0, and nothing else" id="oval:mil.disa.stig.rhel8:tst:35203" version="2">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:35205" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv6.conf.default.accept_source_route setting in /etc/sysctl.d/99-sysctl.conf is set to 0, and nothing else" id="oval:mil.disa.stig.rhel8:tst:35203" version="3">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:35203" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:35201" />
|
||
|
</textfilecontent54_test>
|
||
|
<sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="net.ipv6.conf.all.forwarding setting in kernel is set to 0" id="oval:mil.disa.stig.rhel8:tst:35302" version="2">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:35304" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:35300" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv6.conf.all.forwarding setting in /etc/sysctl.d/99-sysctl.conf is set to 0, and nothing else" id="oval:mil.disa.stig.rhel8:tst:35303" version="3">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:35305" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv6.conf.all.forwarding setting in the sysctl configuration files is set to 0, and nothing else" id="oval:mil.disa.stig.rhel8:tst:35303" version="4">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:35303" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:35301" />
|
||
|
</textfilecontent54_test>
|
||
|
<sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="net.ipv6.conf.all.accept_ra setting in kernel is set to 0" id="oval:mil.disa.stig.rhel8:tst:35400" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:35400" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:35400" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv6.conf.all.accept_ra setting in /etc/sysctl.d/99-sysctl.conf is set to 0, and nothing else" id="oval:mil.disa.stig.rhel8:tst:35401" version="2">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:35401" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv6.conf.all.accept_ra setting in /etc/sysctl.d/99-sysctl.conf is set to 0, and nothing else" id="oval:mil.disa.stig.rhel8:tst:35401" version="3">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:35403" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:35401" />
|
||
|
</textfilecontent54_test>
|
||
|
- <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="net.ipv6.conf.default.accept_ra setting in kernel is set to 0" id="oval:mil.disa.stig.rhel8:tst:35500" version="1">
|
||
|
+ <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="net.ipv6.conf.default.accept_ra setting in kernel is set to 0" id="oval:mil.disa.stig.rhel8:tst:35500" version="2">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:35500" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:35500" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv6.conf.default.accept_ra setting in /etc/sysctl.d/99-sysctl.conf is set to 0, and nothing else" id="oval:mil.disa.stig.rhel8:tst:35501" version="2">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:35501" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv6.conf.default.accept_ra setting in the sysctl configuration files is set to 0, and nothing else" id="oval:mil.disa.stig.rhel8:tst:35501" version="3">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:35503" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:35501" />
|
||
|
</textfilecontent54_test>
|
||
|
- <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="net.ipv4.conf.default.send_redirects setting in kernel is set to 0" id="oval:mil.disa.stig.rhel8:tst:35600" version="1">
|
||
|
+ <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="net.ipv4.conf.default.send_redirects is set to 0 in kernel" check="all" id="oval:mil.disa.stig.rhel8:tst:35600" version="2">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:35600" />
|
||
|
- <state state_ref="oval:mil.disa.stig.rhel8:ste:35600" />
|
||
|
+ <state state_ref="oval:mil.disa.stig.rhel8:ste:36100" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv4.conf.default.send_redirects setting in /etc/sysctl.d/99-sysctl.conf configuration files is set to 0, and nothing else" id="oval:mil.disa.stig.rhel8:tst:35601" version="2">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:35601" />
|
||
|
- <state state_ref="oval:mil.disa.stig.rhel8:ste:35601" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="net.ipv4.conf.default.send_redirects is set to 0 in the sysctl configuration files." check="all" id="oval:mil.disa.stig.rhel8:tst:35601" version="4">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:35603" />
|
||
|
+ <state state_ref="oval:mil.disa.stig.rhel8:ste:36101" />
|
||
|
</textfilecontent54_test>
|
||
|
- <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="net.ipv6.conf.all.accept_redirects setting in kernel is set to 0" id="oval:mil.disa.stig.rhel8:tst:35702" version="1">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:35704" />
|
||
|
+ <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="net.ipv6.conf.all.accept_redirects setting in kernel is set to 0" id="oval:mil.disa.stig.rhel8:tst:35700" version="2">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:35700" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:35700" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv6.conf.all.accept_redirects setting in /etc/sysctl.d/99-sysctl.conf is set to 0, and nothing else" id="oval:mil.disa.stig.rhel8:tst:35703" version="2">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:35705" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv6.conf.all.accept_redirects setting in sysctl configuration files is set to 0, and nothing else" id="oval:mil.disa.stig.rhel8:tst:35701" version="2">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:35703" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:35701" />
|
||
|
</textfilecontent54_test>
|
||
|
<sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="kernel.unprivileged_bpf_disabled setting in kernel is set to 1" id="oval:mil.disa.stig.rhel8:tst:35800" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:35800" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:35800" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="kernel.unprivileged_bpf_disabled is set to 1 in /etc/sysctl.d/99-*.conf" check="all" id="oval:mil.disa.stig.rhel8:tst:35801" version="4">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:35801" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="kernel.unprivileged_bpf_disabled is set to 1, and nothing else, and there are no conflicting settings in other files" check="all" id="oval:mil.disa.stig.rhel8:tst:35801" version="5">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:35803" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:35801" />
|
||
|
</textfilecontent54_test>
|
||
|
<sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="kernel.yama.ptrace_scope setting in kernel is set to 1" id="oval:mil.disa.stig.rhel8:tst:35900" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:35900" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:35900" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="kernel.yama.ptrace_scope is set to 1 in /etc/sysctl.d/99-*.conf" check="all" id="oval:mil.disa.stig.rhel8:tst:35901" version="4">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:35901" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="kernel.yama.ptrace_scope in sysctl configuration files is set to 1, and nothing else, and there are no conflicting settings in other files" check="all" id="oval:mil.disa.stig.rhel8:tst:35901" version="5">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:35903" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:35901" />
|
||
|
</textfilecontent54_test>
|
||
|
- <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="kernel.kptr_restrict setting in kernel is set to 1" id="oval:mil.disa.stig.rhel8:tst:36000" version="2">
|
||
|
+ <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="kernel.kptr_restrict is set to 1 in kernel" check="all" id="oval:mil.disa.stig.rhel8:tst:36000" version="4">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:36000" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:36000" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="kernel.kptr_restrict setting in /etc/sysctl.d/99-.*conf configuration files is set to 1, and nothing else" id="oval:mil.disa.stig.rhel8:tst:36001" version="5">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:36001" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="kernel.kptr_restrict is set to 1 in the sysctl configuration files." check="all" check_existence="only_one_exists" id="oval:mil.disa.stig.rhel8:tst:36001" version="7">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:36003" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:36001" />
|
||
|
</textfilecontent54_test>
|
||
|
- <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="user.max_user_namespaces setting in kernel is set to 0" id="oval:mil.disa.stig.rhel8:tst:36100" version="1">
|
||
|
+ <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="user.max_user_namespaces is set to 0 in kernel" check="all" id="oval:mil.disa.stig.rhel8:tst:36100" version="2">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:36100" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:36100" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="user.max_user_namespaces setting in /etc/sysctl.d/99-*.conf configuration files is set to 0, and nothing else" id="oval:mil.disa.stig.rhel8:tst:36101" version="3">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:36101" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="user.max_user_namespaces is set to 0 in the sysctl configuration files." check="all" check_existence="only_one_exists" id="oval:mil.disa.stig.rhel8:tst:36101" version="4">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:36103" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:36101" />
|
||
|
</textfilecontent54_test>
|
||
|
- <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" check="all" check_existence="all_exist" comment="net.ipv4.conf.all.rp_filter setting in kernel is set to 1" id="oval:mil.disa.stig.rhel8:tst:36200" version="1">
|
||
|
+ <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="net.ipv4.conf.all.rp_filter is set to 1 in kernel" check="all" id="oval:mil.disa.stig.rhel8:tst:36200" version="2">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:36200" />
|
||
|
- <state state_ref="oval:mil.disa.stig.rhel8:ste:36200" />
|
||
|
+ <state state_ref="oval:mil.disa.stig.rhel8:ste:36000" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="net.ipv4.conf.all.rp_filter setting in /etc/sysctl.d/99-*.conf is set to 1, and nothing else" id="oval:mil.disa.stig.rhel8:tst:36201" version="2">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:36201" />
|
||
|
- <state state_ref="oval:mil.disa.stig.rhel8:ste:36201" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="net.ipv4.conf.all.rp_filter is set to 1 in the sysctl configuration files." check="all" check_existence="only_one_exists" id="oval:mil.disa.stig.rhel8:tst:36201" version="3">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:36203" />
|
||
|
+ <state state_ref="oval:mil.disa.stig.rhel8:ste:36001" />
|
||
|
</textfilecontent54_test>
|
||
|
<rpminfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="The postfix package is installed" check="all" id="oval:mil.disa.stig.rhel8:tst:36300" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:36300" />
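Review bot: tst:35600 and tst:36200 now borrow their states from unrelated rules — `<state state_ref="oval:mil.disa.stig.rhel8:ste:36100" />` (the user.max_user_namespaces state used by tst:36100) for net.ipv4.conf.default.send_redirects, and `ste:36000`/`ste:36001` (the kernel.kptr_restrict states used by tst:36000/36001) for net.ipv4.conf.all.rp_filter, with tst:35601 and tst:36201 doing the same. The state definitions are outside this hunk, so presumably they compare against the same values (0 and 1) today, but a later edit to the namespaces or kptr_restrict state would silently change what the redirect and rp_filter rules evaluate. Restoring the per-rule references the old side used (`ste:35600`, `ste:35601`, `ste:36200`, `ste:36201`) or at least naming the sharing in each test's comment would make that coupling visible. Separately, the file-side tests in this hunk are inconsistent about existence: tst:36001/36101/36201 use `check_existence="only_one_exists"`, while tst:35103/35203/35303/35501 keep `at_least_one_exists` with a comment of "and nothing else", so the same value duplicated in two sysctl files fails one group of rules and passes the other.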
|
||
|
@@ -14900,17 +15122,34 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:41601" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:41600" />
|
||
|
</textfilecontent54_test>
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="No instances of nullok in /etc/pam.d/system-auth." check="all" check_existence="none_exist" id="oval:mil.disa.stig.rhel8:tst:46300" version="2">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:46300" />
|
||
|
+ </textfilecontent54_test>
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="No instances of nullok in /etc/pam.d/password-auth." check="all" check_existence="none_exist" id="oval:mil.disa.stig.rhel8:tst:46400" version="1">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:46400" />
|
||
|
+ </textfilecontent54_test>
|
||
|
+ <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="net.core.bpf_jit_harden is set to 2 in kernel" check="all" id="oval:mil.disa.stig.rhel8:tst:47700" version="1">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:47700" />
|
||
|
+ <state state_ref="oval:mil.disa.stig.rhel8:ste:14400" />
|
||
|
+ </sysctl_test>
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="net.core.bpf_jit_harden is set to 2 in the sysctl configuration files." check="all" check_existence="only_one_exists" id="oval:mil.disa.stig.rhel8:tst:47701" version="1">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:47703" />
|
||
|
+ <state state_ref="oval:mil.disa.stig.rhel8:ste:14401" />
|
||
|
+ </textfilecontent54_test>
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="There are no accounts in /etc/shadow that have blank password fields." check="all" check_existence="none_exist" id="oval:mil.disa.stig.rhel8:tst:48200" version="1">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:48200" />
|
||
|
+ </textfilecontent54_test>
|
||
|
</tests>
|
||
|
<objects>
|
||
|
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:9800" version="1">
|
||
|
<name>net.ipv6.conf.all.disable_ipv6</name>
|
||
|
</sysctl_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:9801" version="1">
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:9801" version="3">
|
||
|
<filepath>/etc/sysctl.conf</filepath>
|
||
|
<pattern operation="pattern match">(?:^|\.*\n)\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*(\d+)\s*$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="other sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:9802" version="1">
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="other sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:9802" version="3">
|
||
|
<path var_ref="oval:mil.disa.stig.rhel8:var:14400" var_check="at least one" />
|
||
|
<filename operation="pattern match">\.conf$</filename>
|
||
|
<pattern operation="pattern match">(?:^|\.*\n)\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*(\d+)\s*$</pattern>
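Review bot: tst:47701 uses `check_existence="only_one_exists"` for net.core.bpf_jit_harden, so a host that sets the same value in both /etc/sysctl.conf and a /etc/sysctl.d drop-in fails although nothing conflicts; since `check="all"` already requires every matched item to satisfy ste:14401, `check_existence="at_least_one_exists"` (as tst:35303 uses) would fail only on an actual mismatch. tst:47700/47701 also point at `ste:14400`/`ste:14401`, whose numbering belongs to another rule (var:14400 is the "other sysctl configuration files" path variable in obj:9802), so the value actually asserted is not visible here and a per-rule state or a clarifying comment would help. For tst:46300/46400, `none_exist` is correct only if obj:46300/46400's pattern does not match commented-out `nullok` lines; the objects are outside this hunk, so please confirm the pattern is anchored on an uncommented PAM line.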
|
||
|
@@ -15089,48 +15328,104 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:13200" version="1">
<name>kernel.kexec_load_disabled</name>
</sysctl_object>
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:13201" version="6">
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:13201" version="7">
<path>/etc/sysctl.d</path>
- <filename operation="pattern match">^99-.*\.conf$</filename>
+ <filename operation="pattern match">\.conf$</filename>
<pattern operation="pattern match">(?:^|\.*\n)\s*kernel\.kexec_load_disabled\s*=\s*(\d+)\s*$</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="other sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:13202" version="3">
+ <path var_ref="oval:mil.disa.stig.rhel8:var:13200" var_check="at least one" />
+ <filename operation="pattern match">\.conf$</filename>
+ <pattern operation="pattern match">(?:^|\.*\n)\s*kernel\.kexec_load_disabled\s*=\s*(\d+)\s*$</pattern>
+ <instance datatype="int" operation="greater than or equal">1</instance>
+ </textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="all sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:13203" version="1">
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
+ <object_reference>oval:mil.disa.stig.rhel8:obj:13201</object_reference>
+ <object_reference>oval:mil.disa.stig.rhel8:obj:13202</object_reference>
+ </set>
+ </textfilecontent54_object>
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:13300" version="1">
<name>fs.protected_symlinks</name>
</sysctl_object>
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="other sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:13301" version="2">
- <path>/etc/sysctl.d</path>
- <filename operation="pattern match">^99-.*\.conf$</filename>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="other sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:13301" version="3">
+ <path var_ref="oval:mil.disa.stig.rhel8:var:14400" var_check="at least one" />
+ <filename operation="pattern match">\.conf$</filename>
<pattern operation="pattern match">(?:^|\.*\n)\s*fs\.protected_symlinks\s*=\s*(\d+)\s*$</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:13302" version="2">
+ <filepath>/etc/sysctl.conf</filepath>
+ <pattern operation="pattern match">(?:^|\.*\n)\s*fs\.protected_symlinks\s*=\s*(\d+)\s*$</pattern>
+ <instance datatype="int" operation="greater than or equal">1</instance>
+ </textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="all sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:13303" version="1">
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
+ <object_reference>oval:mil.disa.stig.rhel8:obj:13301</object_reference>
+ <object_reference>oval:mil.disa.stig.rhel8:obj:13302</object_reference>
+ </set>
+ </textfilecontent54_object>
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:13400" version="1">
<name>fs.protected_hardlinks</name>
</sysctl_object>
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.d/99-sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:13401" version="2">
- <path>/etc/sysctl.d</path>
- <filename operation="pattern match">^99-.*\.conf$</filename>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.d/99-sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:13401" version="3">
+ <path var_ref="oval:mil.disa.stig.rhel8:var:14400" var_check="at least one" />
+ <filename operation="pattern match">\.conf$</filename>
+ <pattern operation="pattern match">(?:^|\.*\n)\s*fs\.protected_hardlinks\s*=\s*(\d+)\s*$</pattern>
+ <instance datatype="int" operation="greater than or equal">1</instance>
+ </textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:13402" version="2">
+ <filepath>/etc/sysctl.conf</filepath>
<pattern operation="pattern match">(?:^|\.*\n)\s*fs\.protected_hardlinks\s*=\s*(\d+)\s*$</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="all sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:13403" version="1">
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
+ <object_reference>oval:mil.disa.stig.rhel8:obj:13401</object_reference>
+ <object_reference>oval:mil.disa.stig.rhel8:obj:13402</object_reference>
+ </set>
+ </textfilecontent54_object>
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:13500" version="1">
<name>kernel.dmesg_restrict</name>
</sysctl_object>
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="search /etc/sysctl.d/ configuration files for kernel.dmesg_restrict" id="oval:mil.disa.stig.rhel8:obj:13501" version="2">
- <path>/etc/sysctl.d</path>
- <filename operation="pattern match">^99-.*\.conf$</filename>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="search /etc/sysctl.d/ configuration files for kernel.dmesg_restrict" id="oval:mil.disa.stig.rhel8:obj:13501" version="3">
+ <path var_ref="oval:mil.disa.stig.rhel8:var:14400" var_check="at least one" />
+ <filename operation="pattern match">\.conf$</filename>
+ <pattern operation="pattern match">(?:^|\.*\n)\s*kernel\.dmesg_restrict\s*=\s*(\d+)\s*$</pattern>
+ <instance datatype="int" operation="greater than or equal">1</instance>
+ </textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:13502" version="2">
+ <filepath>/etc/sysctl.conf</filepath>
<pattern operation="pattern match">(?:^|\.*\n)\s*kernel\.dmesg_restrict\s*=\s*(\d+)\s*$</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="all sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:13503" version="1">
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
+ <object_reference>oval:mil.disa.stig.rhel8:obj:13501</object_reference>
+ <object_reference>oval:mil.disa.stig.rhel8:obj:13502</object_reference>
+ </set>
+ </textfilecontent54_object>
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:13600" version="1">
<name>kernel.perf_event_paranoid</name>
</sysctl_object>
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.d/99-*.conf" id="oval:mil.disa.stig.rhel8:obj:13601" version="2">
- <path>/etc/sysctl.d</path>
- <filename operation="pattern match">^99-.*\.conf$</filename>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="other sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:13601" version="3">
+ <path var_ref="oval:mil.disa.stig.rhel8:var:14400" var_check="at least one" />
+ <filename operation="pattern match">\.conf$</filename>
+ <pattern operation="pattern match">(?:^|\.*\n)\s*kernel\.perf_event_paranoid\s*=\s*(\d+)\s*$</pattern>
+ <instance datatype="int" operation="greater than or equal">1</instance>
+ </textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:13602" version="2">
+ <filepath>/etc/sysctl.conf</filepath>
<pattern operation="pattern match">(?:^|\.*\n)\s*kernel\.perf_event_paranoid\s*=\s*(\d+)\s*$</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="all sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:13603" version="1">
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
+ <object_reference>oval:mil.disa.stig.rhel8:obj:13601</object_reference>
+ <object_reference>oval:mil.disa.stig.rhel8:obj:13602</object_reference>
+ </set>
+ </textfilecontent54_object>
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:13700" version="1">
<filepath>/etc/sudoers</filepath>
<pattern operation="pattern match">^(?!#).*\s+NOPASSWD.*$</pattern>
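Review bot: The `comment` attributes on obj:13201 and obj:13401 no longer describe the objects they sit on: obj:13201 is still labelled `/etc/sysctl.conf` while its body searches `<path>/etc/sysctl.d</path>` for every `\.conf$` file, obj:13401 keeps `/etc/sysctl.d/99-sysctl.conf` while its body now follows `var:14400` like the other "other sysctl configuration files" objects, and obj:13501's `search /etc/sysctl.d/ ...` comment is likewise out of date. The kernel.kexec_load_disabled group also diverges from every other sysctl group in this hunk: its first object walks `/etc/sysctl.d` directly, its second references `var:13200` rather than `var:14400`, and the UNION set obj:13203 contains no `<filepath>/etc/sysctl.conf</filepath>` member, so a value placed only in /etc/sysctl.conf would presumably not be collected unless var:13200 covers that file — worth confirming against the variable definitions, which are outside this hunk. Suggested comment text: `comment="/etc/sysctl.d configuration files"` on obj:13201 and `comment="other sysctl configuration files"` on obj:13401 and obj:13501.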
@@ -15156,6 +15451,26 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
<rpminfo_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" id="oval:mil.disa.stig.rhel8:obj:13901" version="1">
<name>openssl-pkcs11</name>
</rpminfo_object>
+ <sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:14400" version="1">
+ <name>kernel.randomize_va_space</name>
+ </sysctl_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:14401" version="2">
+ <path var_ref="oval:mil.disa.stig.rhel8:var:36000" var_check="only one" />
+ <filename operation="pattern match">\.conf$</filename>
+ <pattern operation="pattern match">^\s*kernel\.randomize_va_space\s*=\s*(\d+)\s*$</pattern>
+ <instance datatype="int" operation="greater than or equal">1</instance>
+ </textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:14402" version="2">
+ <filepath>/etc/sysctl.conf</filepath>
+ <pattern operation="pattern match">^\s*kernel\.randomize_va_space\s*=\s*(\d+)\s*$</pattern>
+ <instance datatype="int" operation="greater than or equal">1</instance>
+ </textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:14403" version="2">
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
+ <object_reference>oval:mil.disa.stig.rhel8:obj:14401</object_reference>
+ <object_reference>oval:mil.disa.stig.rhel8:obj:14402</object_reference>
+ </set>
+ </textfilecontent54_object>
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:14500" version="2">
<filepath>/etc/dnf/dnf.conf</filepath>
<pattern operation="pattern match">^[ \t]*clean_requirements_on_remove[ \t]*=[ \t]*(?:True|1|yes)[ \t]*$</pattern>
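Review bot: obj:14401 reads its directory list from `var:36000` with `var_check="only one"`, whereas every other sysctl directory object in this change uses `var:14400` with `var_check="at least one"` (for example obj:13301 and obj:16802). If var:36000 resolves to more than one directory, `only one` makes the object uncollectable and the kernel.randomize_va_space UNION set obj:14403 silently degrades to the /etc/sysctl.conf member alone; if it resolves to exactly one, the object covers fewer locations than its siblings. Unless var:36000 is deliberately a single-directory variable, the line should read `<path var_ref="oval:mil.disa.stig.rhel8:var:14400" var_check="at least one" />`. The variable definitions are outside this hunk, so this is inferred from the sibling objects.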
@@ -15295,23 +15610,57 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:16800" version="1">
<name>kernel.core_pattern</name>
</sysctl_object>
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.d/99-sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:16801" version="2">
- <path>/etc/sysctl.d</path>
- <filename operation="pattern match">^99-.*\.conf$</filename>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:16801" version="3">
+ <filepath>/etc/sysctl.conf</filepath>
<pattern operation="pattern match">(?:^|\.*\n)\s*kernel\.core_pattern\s*=\s*(.+)</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:16900" version="2">
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="other sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:16802" version="1">
+ <path var_ref="oval:mil.disa.stig.rhel8:var:14400" var_check="at least one" />
+ <filename operation="pattern match">\.conf$</filename>
+ <pattern operation="pattern match">(?:^|\.*\n)\s*kernel\.core_pattern\s*=\s*(.+)</pattern>
+ <instance datatype="int" operation="greater than or equal">1</instance>
+ </textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="all sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:16803" version="1">
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
+ <object_reference>oval:mil.disa.stig.rhel8:obj:16801</object_reference>
+ <object_reference>oval:mil.disa.stig.rhel8:obj:16802</object_reference>
+ </set>
+ </textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:16900" version="3">
+ <filepath>/etc/security/limits.conf</filepath>
+ <pattern operation="pattern match">^[ \t]*\*[ \t]+(?:hard|soft|-)[ \t]+core[ \t]+(\d+)[ \t]*(?:#.*)?$</pattern>
+ <instance datatype="int" operation="greater than or equal">1</instance>
+ </textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:16901" version="3">
+ <path>/etc/security/limits.d</path>
+ <filename operation="pattern match">\.conf$</filename>
+ <pattern operation="pattern match">^[ \t]*\*[ \t]+(?:hard|soft|-)[ \t]+core[ \t]+(\d+)[ \t]*(?:#.*)?$</pattern>
+ <instance datatype="int" operation="greater than or equal">1</instance>
+ </textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:16902" version="1">
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
+ <object_reference>oval:mil.disa.stig.rhel8:obj:16900</object_reference>
+ <object_reference>oval:mil.disa.stig.rhel8:obj:16901</object_reference>
+ </set>
+ </textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:16903" version="1">
<filepath>/etc/security/limits.conf</filepath>
- <pattern operation="pattern match">^[ \t]*\*[ \t]+hard[ \t]+core[ \t]+0[ \t]*(?:#.*)?$</pattern>
+ <pattern operation="pattern match">^[ \t]*[^#*\s]+[ \t]+(?:hard|soft|-)[ \t]+core[ \t]+(\d+)[ \t]*(?:#.*)?$</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:16901" version="2">
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:16904" version="1">
<path>/etc/security/limits.d</path>
<filename operation="pattern match">\.conf$</filename>
- <pattern operation="pattern match">^[ \t]*\*[ \t]+hard[ \t]+core[ \t]+0[ \t]*(?:#.*)?$</pattern>
+ <pattern operation="pattern match">^[ \t]*[^#*\s]+[ \t]+(?:hard|soft|-)[ \t]+core[ \t]+(\d+)[ \t]*(?:#.*)?$</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:16905" version="1">
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
+ <object_reference>oval:mil.disa.stig.rhel8:obj:16903</object_reference>
+ <object_reference>oval:mil.disa.stig.rhel8:obj:16904</object_reference>
+ </set>
+ </textfilecontent54_object>
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:17000" version="1">
<filepath>/etc/systemd/coredump.conf</filepath>
<pattern operation="pattern match">^\s*Storage\s*=\s*(\w*)\s*(?:#.*)?$</pattern>
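Review bot: The new obj:16802 pattern `(?:^|\.*\n)\s*kernel\.core_pattern\s*=\s*(.+)` copies the odd `\.*\n` prefix, which matches literal dots followed by a newline rather than "any text", while other objects added in this commit spell the same idea as `(?:^|.*\n)` (obj:34902) or plain `^\s*` (obj:14401). The prefix adds nothing under line-anchored matching and the three spellings make the patterns look inconsistent for no functional reason; `^\s*kernel\.core_pattern\s*=\s*(.+)` would be the uniform form. The trailing `(.+)` also has no `$` anchor or `(?:#.*)?` handling, so an inline comment is captured as part of the value — presumably intended because core_pattern values may contain spaces, but a note such as `comment="kernel.core_pattern value is captured verbatim; inline comments are not stripped"` on obj:16801 and obj:16802 would make that explicit.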
@@ -15605,9 +15954,9 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
<pattern datatype="string" operation="pattern match">^root:[^:]*:[^:]*:[^:]*::</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:20801" version="5">
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:20801" version="6">
<filepath>/etc/pam.d/password-auth</filepath>
- <pattern operation="pattern match">^\s*password\s+required\s+pam_pwhistory\.so\s+[^#\n]*\bremember=(\d+)\b</pattern>
+ <pattern operation="pattern match">^\s*password\s+(?:required|requisite)\s+pam_pwhistory\.so\s+[^#\n]*\bremember=(\d+)\b</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:20900" version="1">
@@ -16511,7 +16860,7 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:34804" version="1">
<name>net.ipv6.conf.default.accept_redirects</name>
</sysctl_object>
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:34805" version="1">
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:34805" version="4">
<filepath>/etc/sysctl.conf</filepath>
<pattern operation="pattern match">(?:^|.*\n)\s*net.ipv6.conf.default.accept_redirects\s*=\s*(\d+)\s*$</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
@@ -16531,129 +16880,283 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:34900" version="1">
<name>net.ipv4.conf.all.send_redirects</name>
</sysctl_object>
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:34901" version="2">
- <path>/etc/sysctl.d</path>
- <filename operation="pattern match">^99-.*\.conf$</filename>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:34901" version="3">
+ <filepath>/etc/sysctl.conf</filepath>
<pattern operation="pattern match">(?:^|.*\n)\s*net.ipv4.conf.all.send_redirects\s*=\s*(\d+)\s*$</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="other sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:34902" version="1">
+ <path var_ref="oval:mil.disa.stig.rhel8:var:14400" var_check="at least one" />
+ <filename operation="pattern match">^.*\.conf$</filename>
+ <pattern operation="pattern match">(?:^|.*\n)\s*net.ipv4.conf.all.send_redirects\s*=\s*(\d+)\s*$</pattern>
+ <instance datatype="int" operation="greater than or equal">1</instance>
+ </textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="all sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:34903" version="1">
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
+ <object_reference>oval:mil.disa.stig.rhel8:obj:34901</object_reference>
+ <object_reference>oval:mil.disa.stig.rhel8:obj:34902</object_reference>
+ </set>
+ </textfilecontent54_object>
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:35000" version="1">
<name>net.ipv4.icmp_echo_ignore_broadcasts</name>
</sysctl_object>
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:35001" version="2">
- <path>/etc/sysctl.d</path>
- <filename operation="pattern match">^99-.*\.conf$</filename>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:35001" version="3">
+ <filepath>/etc/sysctl.conf</filepath>
+ <pattern operation="pattern match">(?:^|.*\n)\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*(\d+)\s*$</pattern>
+ <instance datatype="int" operation="greater than or equal">1</instance>
+ </textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="other sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:35002" version="1">
+ <path var_ref="oval:mil.disa.stig.rhel8:var:14400" var_check="at least one" />
+ <filename operation="pattern match">^.*\.conf$</filename>
<pattern operation="pattern match">(?:^|.*\n)\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*(\d+)\s*$</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="all sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:35003" version="1">
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
+ <object_reference>oval:mil.disa.stig.rhel8:obj:35001</object_reference>
+ <object_reference>oval:mil.disa.stig.rhel8:obj:35002</object_reference>
+ </set>
+ </textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="other sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:35101" version="3">
+ <path var_ref="oval:mil.disa.stig.rhel8:var:14400" var_check="at least one" />
+ <filename operation="pattern match">\.conf$</filename>
+ <pattern operation="pattern match">(?:^|.*\n)\s*net.ipv6.conf.all.accept_source_route\s*=\s*(\d+)\s*$</pattern>
+ <instance datatype="int" operation="greater than or equal">1</instance>
+ </textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="all sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:35103" version="2">
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
+ <object_reference>oval:mil.disa.stig.rhel8:obj:35101</object_reference>
+ <object_reference>oval:mil.disa.stig.rhel8:obj:35105</object_reference>
+ </set>
+ </textfilecontent54_object>
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:35104" version="1">
<name>net.ipv6.conf.all.accept_source_route</name>
</sysctl_object>
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:35105" version="2">
- <path>/etc/sysctl.d</path>
- <filename operation="pattern match">^99-.*\.conf$</filename>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:35105" version="3">
+ <filepath>/etc/sysctl.conf</filepath>
<pattern operation="pattern match">(?:^|.*\n)\s*net.ipv6.conf.all.accept_source_route\s*=\s*(\d+)\s*$</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:35202" version="2">
+ <filepath>/etc/sysctl.conf</filepath>
+ <pattern operation="pattern match">(?:^|.*\n)\s*net\.ipv6\.conf\.default\.accept_source_route\s*=\s*(\d+)\s*$</pattern>
+ <instance datatype="int" operation="greater than or equal">1</instance>
+ </textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="all sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:35203" version="2">
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
+ <object_reference>oval:mil.disa.stig.rhel8:obj:35202</object_reference>
+ <object_reference>oval:mil.disa.stig.rhel8:obj:35205</object_reference>
+ </set>
+ </textfilecontent54_object>
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:35204" version="1">
<name>net.ipv6.conf.default.accept_source_route</name>
</sysctl_object>
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.d" id="oval:mil.disa.stig.rhel8:obj:35205" version="2">
- <path>/etc/sysctl.d</path>
- <filename operation="pattern match">^99-.*\.conf$</filename>
- <pattern operation="pattern match">(?:^|.*\n)\s*net.ipv6.conf.default.accept_source_route\s*=\s*(\d+)\s*$</pattern>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="Check the sysctl configuration files for net.ipv6.conf.default.accept_source_route" id="oval:mil.disa.stig.rhel8:obj:35205" version="3">
+ <path var_ref="oval:mil.disa.stig.rhel8:var:14400" var_check="at least one" />
+ <filename operation="pattern match">\.conf$</filename>
+ <pattern operation="pattern match">(?:^|.*\n)\s*net\.ipv6\.conf\.default\.accept_source_route\s*=\s*(\d+)\s*$</pattern>
+ <instance datatype="int" operation="greater than or equal">1</instance>
+ </textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="other sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:35301" version="2">
+ <path var_ref="oval:mil.disa.stig.rhel8:var:14400" var_check="at least one" />
+ <filename operation="pattern match">\.conf$</filename>
+ <pattern operation="pattern match">(?:^|.*\n)\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*(\d+)\s*$</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="all sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:35303" version="2">
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
+ <object_reference>oval:mil.disa.stig.rhel8:obj:35301</object_reference>
+ <object_reference>oval:mil.disa.stig.rhel8:obj:35305</object_reference>
+ </set>
+ </textfilecontent54_object>
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:35304" version="2">
<name>net.ipv6.conf.all.forwarding</name>
</sysctl_object>
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:35305" version="3">
- <path>/etc/sysctl.d</path>
- <filename operation="pattern match">^99-.*\.conf$</filename>
- <pattern operation="pattern match">(?:^|.*\n)\s*net.ipv6.conf.all.forwarding\s*=\s*(\d+)\s*$</pattern>
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:35305" version="4">
+ <filepath>/etc/sysctl.conf</filepath>
+ <pattern operation="pattern match">(?:^|.*\n)\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*(\d+)\s*$</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:35400" version="1">
<name>net.ipv6.conf.all.accept_ra</name>
|
||
|
</sysctl_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:35401" version="2">
|
||
|
- <path>/etc/sysctl.d</path>
|
||
|
- <filename operation="pattern match">^99-.*\.conf$</filename>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:35401" version="3">
|
||
|
+ <filepath>/etc/sysctl.conf</filepath>
|
||
|
+ <pattern operation="pattern match">(?:^|\.*\n)\s*net\.ipv6\.conf\.all\.accept_ra\s*=\s*(\d+)\s*$</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="other sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:35402" version="2">
|
||
|
+ <path var_ref="oval:mil.disa.stig.rhel8:var:14400" var_check="at least one" />
|
||
|
+ <filename operation="pattern match">\.conf$</filename>
|
||
|
<pattern operation="pattern match">(?:^|\.*\n)\s*net\.ipv6\.conf\.all\.accept_ra\s*=\s*(\d+)\s*$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="all sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:35403" version="1">
|
||
|
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:35401</object_reference>
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:35402</object_reference>
|
||
|
+ </set>
|
||
|
+ </textfilecontent54_object>
|
||
|
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:35500" version="1">
|
||
|
<name>net.ipv6.conf.default.accept_ra</name>
|
||
|
</sysctl_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.d/99-sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:35501" version="2">
|
||
|
- <path>/etc/sysctl.d</path>
|
||
|
- <filename operation="pattern match">^99-.*\.conf$</filename>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="other sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:35501" version="3">
|
||
|
+ <path var_ref="oval:mil.disa.stig.rhel8:var:14400" var_check="at least one" />
|
||
|
+ <filename operation="pattern match">\.conf$</filename>
|
||
|
+ <pattern operation="pattern match">(?:^|\.*\n)\s*net\.ipv6\.conf\.default\.accept_ra\s*=\s*(\d+)\s*$</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:35502" version="3">
|
||
|
+ <filepath>/etc/sysctl.conf</filepath>
|
||
|
<pattern operation="pattern match">(?:^|\.*\n)\s*net\.ipv6\.conf\.default\.accept_ra\s*=\s*(\d+)\s*$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="all sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:35503" version="2">
|
||
|
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:35501</object_reference>
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:35502</object_reference>
|
||
|
+ </set>
|
||
|
+ </textfilecontent54_object>
|
||
|
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:35600" version="1">
|
||
|
<name>net.ipv4.conf.default.send_redirects</name>
|
||
|
</sysctl_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:35601" version="2">
|
||
|
- <path>/etc/sysctl.d</path>
|
||
|
- <filename operation="pattern match">^99-.*\.conf$</filename>
|
||
|
- <pattern operation="pattern match">(?:^|.*\n)\s*net.ipv4.conf.default.send_redirects\s*=\s*(\d+)\s*$</pattern>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:35601" version="3">
|
||
|
+ <path var_ref="oval:mil.disa.stig.rhel8:var:36000" var_check="only one" />
|
||
|
+ <filename operation="pattern match">\.conf$</filename>
|
||
|
+ <pattern operation="pattern match">^\s*net\.ipv4\.conf\.default\.send_redirects\s*=\s*(\d+)\s*$</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:35602" version="2">
|
||
|
+ <filepath>/etc/sysctl.conf</filepath>
|
||
|
+ <pattern operation="pattern match">^\s*net\.ipv4\.conf\.default\.send_redirects\s*=\s*(\d+)\s*$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
- <sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:35704" version="1">
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:35603" version="2">
|
||
|
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:35601</object_reference>
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:35602</object_reference>
|
||
|
+ </set>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:35700" version="2">
|
||
|
<name>net.ipv6.conf.all.accept_redirects</name>
|
||
|
</sysctl_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.d/99-sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:35705" version="2">
|
||
|
- <path>/etc/sysctl.d</path>
|
||
|
- <filename operation="pattern match">^99-.*\.conf</filename>
|
||
|
- <pattern operation="pattern match">(?:^|.*\n)\s*net.ipv6.conf.all.accept_redirects\s*=\s*(\d+)\s*$</pattern>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="Search other sysctl configuration files for net.ipv6.conf.all.accept_redirects" id="oval:mil.disa.stig.rhel8:obj:35701" version="3">
|
||
|
+ <path var_ref="oval:mil.disa.stig.rhel8:var:14400" var_check="at least one" />
|
||
|
+ <filename operation="pattern match">\.conf</filename>
|
||
|
+ <pattern operation="pattern match">(?:^|.*\n)\s*net\.ipv6\.conf\.all\.accept_redirects\s*=\s*(\d+)\s*$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:35702" version="3">
|
||
|
+ <filepath>/etc/sysctl.conf</filepath>
|
||
|
+ <pattern operation="pattern match">(?:^|.*\n)\s*net\.ipv6\.conf\.all\.accept_redirects\s*=\s*(\d+)\s*$</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="all sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:35703" version="2">
|
||
|
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:35701</object_reference>
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:35702</object_reference>
|
||
|
+ </set>
|
||
|
+ </textfilecontent54_object>
|
||
|
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:35800" version="1">
|
||
|
<name>kernel.unprivileged_bpf_disabled</name>
|
||
|
</sysctl_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:35801" version="2">
|
||
|
- <path>/etc/sysctl.d</path>
|
||
|
- <filename operation="pattern match">^99-.*\.conf$</filename>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:35801" version="3">
|
||
|
+ <filepath>/etc/sysctl.conf</filepath>
|
||
|
<pattern operation="pattern match">^\s*kernel\.unprivileged_bpf_disabled\s*=\s*(\d+)\s*$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="other sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:35802" version="1">
|
||
|
+ <path var_ref="oval:mil.disa.stig.rhel8:var:14400" var_check="at least one" />
|
||
|
+ <filename operation="pattern match">\.conf$</filename>
|
||
|
+ <pattern operation="pattern match">(?:^|\.*\n)\s*kernel\.unprivileged_bpf_disabled\s*=\s*(\d+)\s*$</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="all sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:35803" version="1">
|
||
|
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:35801</object_reference>
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:35802</object_reference>
|
||
|
+ </set>
|
||
|
+ </textfilecontent54_object>
|
||
|
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:35900" version="1">
|
||
|
<name>kernel.yama.ptrace_scope</name>
|
||
|
</sysctl_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:35901" version="14">
|
||
|
- <path>/etc/sysctl.d</path>
|
||
|
- <filename operation="pattern match">^99-.*\.conf$</filename>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:35901" version="15">
|
||
|
+ <filepath>/etc/sysctl.conf</filepath>
|
||
|
<pattern operation="pattern match">^\s*kernel\.yama\.ptrace_scope\s*=\s*(\d+)\s*$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="other sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:35902" version="1">
|
||
|
+ <path var_ref="oval:mil.disa.stig.rhel8:var:14400" var_check="at least one" />
|
||
|
+ <filename operation="pattern match">\.conf$</filename>
|
||
|
+ <pattern operation="pattern match">(?:^|\.*\n)\s*kernel\.yama\.ptrace_scope\s*=\s*(\d+)\s*$</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="all sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:35903" version="1">
|
||
|
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:35901</object_reference>
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:35902</object_reference>
|
||
|
+ </set>
|
||
|
+ </textfilecontent54_object>
|
||
|
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:36000" version="1">
|
||
|
<name>kernel.kptr_restrict</name>
|
||
|
</sysctl_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="Look in /etc/sysctl.d/99-.*conf for kernel.kptr_restrict" id="oval:mil.disa.stig.rhel8:obj:36001" version="5">
|
||
|
- <path>/etc/sysctl.d</path>
|
||
|
- <filename operation="pattern match">^99-.*\.conf$</filename>
|
||
|
- <pattern operation="pattern match">(?:^|.*\n)\s*kernel\.kptr_restrict\s*=\s*(\d+)\s*$</pattern>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:36001" version="6">
|
||
|
+ <path var_ref="oval:mil.disa.stig.rhel8:var:36000" var_check="only one" />
|
||
|
+ <filename operation="pattern match">\.conf$</filename>
|
||
|
+ <pattern operation="pattern match">^\s*kernel\.kptr_restrict\s*=\s*(\d+)\s*$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:36002" version="2">
|
||
|
+ <filepath>/etc/sysctl.conf</filepath>
|
||
|
+ <pattern operation="pattern match">^\s*kernel\.kptr_restrict\s*=\s*(\d+)\s*$</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:36003" version="2">
|
||
|
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:36001</object_reference>
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:36002</object_reference>
|
||
|
+ </set>
|
||
|
+ </textfilecontent54_object>
|
||
|
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:36100" version="1">
|
||
|
<name>user.max_user_namespaces</name>
|
||
|
</sysctl_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/sysctl.conf" id="oval:mil.disa.stig.rhel8:obj:36101" version="2">
|
||
|
- <path>/etc/sysctl.d</path>
|
||
|
- <filename operation="pattern match">^99-.*\.conf$</filename>
|
||
|
- <pattern operation="pattern match">(?:^|\.*\n)\s*user\.max_user_namespaces\s*=\s*(\d+)\s*$</pattern>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:36101" version="4">
|
||
|
+ <path var_ref="oval:mil.disa.stig.rhel8:var:36100" var_check="only one" />
|
||
|
+ <filename operation="pattern match">\.conf$</filename>
|
||
|
+ <pattern operation="pattern match">^\s*user\.max_user_namespaces\s*=\s*(\d+)\s*$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:36102" version="2">
|
||
|
+ <filepath>/etc/sysctl.conf</filepath>
|
||
|
+ <pattern operation="pattern match">^\s*user\.max_user_namespaces\s*=\s*(\d+)\s*$</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:36103" version="2">
|
||
|
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:36101</object_reference>
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:36102</object_reference>
|
||
|
+ </set>
|
||
|
+ </textfilecontent54_object>
|
||
|
<sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:36200" version="1">
|
||
|
<name>net.ipv4.conf.all.rp_filter</name>
|
||
|
</sysctl_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="Looking for net.ipv4.conf.all.rp_filter in /etc/sysctl.d/99-*.conf " id="oval:mil.disa.stig.rhel8:obj:36201" version="2">
|
||
|
- <path>/etc/sysctl.d</path>
|
||
|
- <filename operation="pattern match">^99-.*\.conf$</filename>
|
||
|
- <pattern operation="pattern match">(?:^|\.*\n)\s*net\.ipv4\.conf\.all\.rp_filter\s*=\s*(\d+)\s*$</pattern>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:36201" version="3">
|
||
|
+ <path var_ref="oval:mil.disa.stig.rhel8:var:36000" var_check="only one" />
|
||
|
+ <filename operation="pattern match">\.conf$</filename>
|
||
|
+ <pattern operation="pattern match">^\s*net\.ipv4\.conf\.all\.rp_filter\s*=\s*(\d+)\s*$</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:36202" version="2">
|
||
|
+ <filepath>/etc/sysctl.conf</filepath>
|
||
|
+ <pattern operation="pattern match">^\s*net\.ipv4\.conf\.all\.rp_filter\s*=\s*(\d+)\s*$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:36203" version="2">
|
||
|
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:36201</object_reference>
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:36202</object_reference>
|
||
|
+ </set>
|
||
|
+ </textfilecontent54_object>
|
||
|
<rpminfo_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" id="oval:mil.disa.stig.rhel8:obj:36300" version="1">
|
||
|
<name>postfix</name>
|
||
|
</rpminfo_object>
|
||
|
@@ -16737,34 +17240,66 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<pattern operation="pattern match">^\s*Defaults\s+\!runaspw\s*$</pattern>
|
||
|
<instance datatype="int">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:41600" version="1">
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:41600" version="2">
|
||
|
<filepath>/etc/sudoers</filepath>
|
||
|
- <pattern operation="pattern match">^\s*Defaults\s+timestamp_timeout\=(\d+)\s*$</pattern>
|
||
|
+ <pattern operation="pattern match">^\s*Defaults\s+timestamp_timeout\s*=\s*(\d+)\s*$</pattern>
|
||
|
<instance datatype="int">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:41601" version="1">
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:41601" version="2">
|
||
|
<path>/etc/sudoers.d</path>
|
||
|
<filename operation="pattern match">^.*$</filename>
|
||
|
- <pattern operation="pattern match">^\s*Defaults\s+timestamp_timeout\=(\d+)\s*$</pattern>
|
||
|
+ <pattern operation="pattern match">^\s*Defaults\s+timestamp_timeout\s*=\s*(\d+)\s*$</pattern>
|
||
|
<instance datatype="int">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:46300" version="1">
|
||
|
+ <filepath>/etc/pam.d/system-auth</filepath>
|
||
|
+ <pattern operation="pattern match">\bnullok\b</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:46400" version="1">
|
||
|
+ <filepath>/etc/pam.d/password-auth</filepath>
|
||
|
+ <pattern operation="pattern match">\bnullok\b</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <sysctl_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:obj:47700" version="1">
|
||
|
+ <name>net.core.bpf_jit_harden</name>
|
||
|
+ </sysctl_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:47701" version="1">
|
||
|
+ <path var_ref="oval:mil.disa.stig.rhel8:var:36000" var_check="only one" />
|
||
|
+ <filename operation="pattern match">\.conf$</filename>
|
||
|
+ <pattern operation="pattern match">^\s*net\.core\.bpf_jit_harden\s*=\s*(\d+)\s*$</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:47702" version="1">
|
||
|
+ <filepath>/etc/sysctl.conf</filepath>
|
||
|
+ <pattern operation="pattern match">^\s*net\.core\.bpf_jit_harden\s*=\s*(\d+)\s*$</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:47703" version="1">
|
||
|
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:47701</object_reference>
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:47702</object_reference>
|
||
|
+ </set>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:48200" version="1">
|
||
|
+ <filepath>/etc/shadow</filepath>
|
||
|
+ <pattern operation="pattern match">^[^:]+::[^:]*:[^:]*:</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
</objects>
|
||
|
<states>
|
||
|
+ <textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="The minor version is greater than or equal to 2." id="oval:mil.disa.stig.rhel8:ste:1000" version="1">
|
||
|
+ <subexpression datatype="int" operation="greater than or equal">2</subexpression>
|
||
|
+ </textfilecontent54_state>
|
||
|
<sysctl_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:ste:9800" version="1">
|
||
|
<value datatype="int" operation="equals">1</value>
|
||
|
</sysctl_state>
|
||
|
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:9801" version="1">
|
||
|
<subexpression datatype="int" operation="equals">1</subexpression>
|
||
|
</textfilecontent54_state>
|
||
|
- <textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="The minor version is equal to 2." id="oval:mil.disa.stig.rhel8:ste:10001" version="1">
|
||
|
- <subexpression datatype="int" operation="equals">2</subexpression>
|
||
|
- </textfilecontent54_state>
|
||
|
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="The minor version is equal to 4." id="oval:mil.disa.stig.rhel8:ste:10002" version="1">
|
||
|
<subexpression datatype="int" operation="equals">4</subexpression>
|
||
|
</textfilecontent54_state>
|
||
|
- <textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="The minor version is equal to 5." id="oval:mil.disa.stig.rhel8:ste:10003" version="1">
|
||
|
- <subexpression datatype="int" operation="equals">5</subexpression>
|
||
|
- </textfilecontent54_state>
|
||
|
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="The minor version is equal to 6." id="oval:mil.disa.stig.rhel8:ste:10004" version="1">
|
||
|
<subexpression datatype="int" operation="equals">6</subexpression>
|
||
|
</textfilecontent54_state>
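Review bot: The `\bnullok\b` pattern on the two new pam objects (obj:46300 and obj:46400) also matches the token inside a commented-out line, so a `#`-prefixed line that still mentions nullok is reported as a finding; anchoring the pattern to an uncommented directive, e.g. `^\s*[^#\s].*\bnullok\b`, avoids that false positive. The reworked timestamp_timeout patterns for obj:41600/obj:41601 require the option to follow `Defaults` directly, so a value set alongside other options on one line (`Defaults env_reset,timestamp_timeout=...`) is not captured; if that is intended, a `comment` attribute stating the accepted form would make it explicit. obj:47701 references var:36000 with var_check="only one" while the other per-directory sysctl objects earlier in the diff reference var:14400 with "at least one"; the variable definitions are outside this view, so this may be deliberate, but it is worth confirming that the bpf_jit_harden object enumerates the same directory set as its siblings.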
|
||
|
@@ -16902,6 +17437,12 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:13601" version="1">
|
||
|
<subexpression datatype="int" operation="equals">2</subexpression>
|
||
|
</textfilecontent54_state>
|
||
|
+ <sysctl_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:ste:14400" version="1">
|
||
|
+ <value datatype="int" operation="equals">2</value>
|
||
|
+ </sysctl_state>
|
||
|
+ <textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:14401" version="1">
|
||
|
+ <subexpression datatype="int" operation="equals">2</subexpression>
|
||
|
+ </textfilecontent54_state>
|
||
|
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:14600" version="1">
|
||
|
<subexpression>targeted</subexpression>
|
||
|
</textfilecontent54_state>
|
||
|
@@ -16951,6 +17492,9 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:16801" version="1">
|
||
|
<subexpression datatype="string" operation="pattern match">^\|\s*/bin/false\s*$</subexpression>
|
||
|
</textfilecontent54_state>
|
||
|
+ <textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:16900" version="1">
|
||
|
+ <subexpression datatype="int">0</subexpression>
|
||
|
+ </textfilecontent54_state>
|
||
|
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:17100" version="1">
|
||
|
<subexpression datatype="string" operation="equals">0</subexpression>
|
||
|
</textfilecontent54_state>
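Review bot: The new state ste:16900 carries no `comment` attribute, unlike neighbouring states such as ste:18200 that describe the value they assert; adding something like `comment="value is 0"` saves a reader from tracing the test that references it. The element also omits `operation`, which leaves the OVAL default of equals in effect; writing `operation="equals"` explicitly, as ste:17100 just below does, makes that intent visible.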
|
||
|
@@ -16981,9 +17525,6 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<ind:textfilecontent54_state xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="fail_interval is 900 or less" id="oval:mil.disa.stig.rhel8:ste:18200" version="1">
|
||
|
<ind:subexpression datatype="int" operation="less than or equal">900</ind:subexpression>
|
||
|
</ind:textfilecontent54_state>
|
||
|
- <textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="The minor version is greater than or equal to 2." id="oval:mil.disa.stig.rhel8:ste:18201" version="1">
|
||
|
- <subexpression datatype="int" operation="greater than or equal">2</subexpression>
|
||
|
- </textfilecontent54_state>
|
||
|
<ind:textfilecontent54_state xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="fail_interval is greater than 0" id="oval:mil.disa.stig.rhel8:ste:18202" version="1">
|
||
|
<ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
|
||
|
</ind:textfilecontent54_state>
|
||
|
@@ -16996,30 +17537,18 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<ind:textfilecontent54_state xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="unlock_time is 0" id="oval:mil.disa.stig.rhel8:ste:18400" version="1">
|
||
|
<ind:subexpression datatype="int" operation="equals">0</ind:subexpression>
|
||
|
</ind:textfilecontent54_state>
|
||
|
- <textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="The minor version is greater than or equal to 2." id="oval:mil.disa.stig.rhel8:ste:18401" version="1">
|
||
|
- <subexpression datatype="int" operation="greater than or equal">2</subexpression>
|
||
|
- </textfilecontent54_state>
|
||
|
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="unlock_time is set to 0" id="oval:mil.disa.stig.rhel8:ste:18500" version="1">
|
||
|
<subexpression datatype="int" operation="equals">0</subexpression>
|
||
|
</textfilecontent54_state>
|
||
|
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="The minor version is less than 2." id="oval:mil.disa.stig.rhel8:ste:18501" version="1">
|
||
|
<subexpression datatype="int" operation="less than">2</subexpression>
|
||
|
</textfilecontent54_state>
|
||
|
- <textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="The minor version is greater than or equal to 2." id="oval:mil.disa.stig.rhel8:ste:18601" version="1">
|
||
|
- <subexpression datatype="int" operation="greater than or equal">2</subexpression>
|
||
|
- </textfilecontent54_state>
|
||
|
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="The minor version is less than 2." id="oval:mil.disa.stig.rhel8:ste:18701" version="1">
|
||
|
<subexpression datatype="int" operation="less than">2</subexpression>
|
||
|
</textfilecontent54_state>
|
||
|
- <textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="The minor version is greater than or equal to 2." id="oval:mil.disa.stig.rhel8:ste:18801" version="1">
|
||
|
- <subexpression datatype="int" operation="greater than or equal">2</subexpression>
|
||
|
- </textfilecontent54_state>
|
||
|
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="The minor version is less than 2." id="oval:mil.disa.stig.rhel8:ste:18901" version="1">
|
||
|
<subexpression datatype="int" operation="less than">2</subexpression>
|
||
|
</textfilecontent54_state>
|
||
|
- <textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="The minor version is greater than or equal to 2." id="oval:mil.disa.stig.rhel8:ste:19001" version="1">
|
||
|
- <subexpression datatype="int" operation="greater than or equal">2</subexpression>
|
||
|
- </textfilecontent54_state>
|
||
|
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="The minor version is less than 2." id="oval:mil.disa.stig.rhel8:ste:19101" version="1">
|
||
|
<subexpression datatype="int" operation="less than">2</subexpression>
|
||
|
</textfilecontent54_state>
|
||
|
@@ -17238,12 +17767,6 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:35501" version="1">
|
||
|
<subexpression datatype="int" operation="equals">0</subexpression>
|
||
|
</textfilecontent54_state>
|
||
|
- <sysctl_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:ste:35600" version="1">
|
||
|
- <value datatype="int" operation="equals">0</value>
|
||
|
- </sysctl_state>
|
||
|
- <textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:35601" version="1">
|
||
|
- <subexpression datatype="int" operation="equals">0</subexpression>
|
||
|
- </textfilecontent54_state>
|
||
|
<sysctl_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:ste:35700" version="1">
|
||
|
<value datatype="int" operation="equals">0</value>
|
||
|
</sysctl_state>
|
||
|
@@ -17262,23 +17785,17 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:35901" version="1">
|
||
|
<subexpression datatype="int" operation="equals">1</subexpression>
|
||
|
</textfilecontent54_state>
|
||
|
- <sysctl_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:ste:36000" version="1">
|
||
|
- <value datatype="int" operation="equals">1</value>
|
||
|
+ <sysctl_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:ste:36000" version="2">
|
||
|
+ <value datatype="int">1</value>
|
||
|
</sysctl_state>
|
||
|
- <textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:36001" version="1">
|
||
|
- <subexpression datatype="int" operation="equals">1</subexpression>
|
||
|
+ <textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:36001" version="2">
|
||
|
+ <subexpression datatype="int">1</subexpression>
|
||
|
</textfilecontent54_state>
|
||
|
- <sysctl_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:ste:36100" version="1">
|
||
|
- <value datatype="int" operation="equals">0</value>
|
||
|
+ <sysctl_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:ste:36100" version="2">
|
||
|
+ <value datatype="int">0</value>
|
||
|
</sysctl_state>
|
||
|
- <textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:36101" version="1">
|
||
|
- <subexpression datatype="int" operation="equals">0</subexpression>
|
||
|
- </textfilecontent54_state>
|
||
|
- <sysctl_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:ste:36200" version="1">
|
||
|
- <value datatype="int" operation="equals">1</value>
|
||
|
- </sysctl_state>
|
||
|
- <textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:36201" version="1">
|
||
|
- <subexpression datatype="int" operation="equals">1</subexpression>
|
||
|
+ <textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:36101" version="2">
|
||
|
+ <subexpression datatype="int">0</subexpression>
|
||
|
</textfilecontent54_state>
|
||
|
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:36400" version="2" comment="X11Forwarding = no">
|
||
|
<subexpression datatype="string" operation="pattern match">^(no|"no")$</subexpression>
|
||
|
@@ -17299,6 +17816,13 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<value>/usr/local/bin</value>
|
||
|
<value>/usr/local/sbin</value>
|
||
|
</constant_variable>
|
||
|
+ <constant_variable datatype="string" comment="other sysctl configuration file locations" id="oval:mil.disa.stig.rhel8:var:13200" version="1">
|
||
|
+ <value>/etc/sysctl.d</value>
|
||
|
+ <value>/run/sysctl.d</value>
|
||
|
+ <value>/lib/sysctl.d</value>
|
||
|
+ <value>/usr/lib/sysctl.d</value>
|
||
|
+ <value>/usr/local/lib/sysctl.d</value>
|
||
|
+ </constant_variable>
|
||
|
<constant_variable datatype="string" comment="other sysctl configuration file locations" id="oval:mil.disa.stig.rhel8:var:14400" version="1">
|
||
|
<value>/etc/sysctl.d</value>
|
||
|
<value>/run/sysctl.d</value>
|
||
|
@@ -17355,15 +17879,29 @@ If the value is set to an integer less than 0, the user's time stamp will not ex
|
||
|
<object_component object_ref="oval:mil.disa.stig.rhel8:obj:33602" item_field="subexpression" />
|
||
|
</split>
|
||
|
</local_variable>
|
||
|
+ <constant_variable datatype="string" comment="Directories containing sysctl configuration files." id="oval:mil.disa.stig.rhel8:var:36000" version="1">
|
||
|
+ <value>/etc/sysctl.d</value>
|
||
|
+ <value>/run/sysctl.d</value>
|
||
|
+ <value>/usr/local/lib/sysctl.d</value>
|
||
|
+ <value>/usr/lib/sysctl.d</value>
|
||
|
+ <value>/lib/sysctl.d</value>
|
||
|
+ </constant_variable>
|
||
|
+ <constant_variable datatype="string" comment="Directories containing sysctl configuration files." id="oval:mil.disa.stig.rhel8:var:36100" version="1">
|
||
|
+ <value>/etc/sysctl.d</value>
|
||
|
+ <value>/run/sysctl.d</value>
|
||
|
+ <value>/usr/local/lib/sysctl.d</value>
|
||
|
+ <value>/usr/lib/sysctl.d</value>
|
||
|
+ <value>/lib/sysctl.d</value>
|
||
|
+ </constant_variable>
|
||
|
</variables>
|
||
|
</oval_definitions>
|
||
|
</component>
|
||
|
- <component id="scap_mil.disa.stig_comp_U_RHEL_8_V1R4_STIG_SCAP_1-2_Benchmark-cpe-oval.xml" timestamp="2022-01-03T11:44:34">
|
||
|
+ <component id="scap_mil.disa.stig_comp_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-cpe-oval.xml" timestamp="2022-03-28T12:45:13">
|
||
|
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5">
|
||
|
<generator>
|
||
|
<oval:product_name>repotool</oval:product_name>
|
||
|
<oval:schema_version>5.10</oval:schema_version>
|
||
|
- <oval:timestamp>2022-01-03T11:44:33</oval:timestamp>
|
||
|
+ <oval:timestamp>2022-03-28T12:45:12</oval:timestamp>
|
||
|
</generator>
|
||
|
<definitions>
|
||
|
<definition class="inventory" id="oval:mil.disa.stig.rhel8:def:1" version="2">
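Review bot: The new `component` id near the end of this hunk still names the V1R5 SCAP benchmark (`scap_mil.disa.stig_comp_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-cpe-oval.xml`, timestamp 2022-03-28) while the patch series is titled as a V1R6 update, so a reader auditing the references later cannot tell whether this is a stale import or DISA's SCAP release lagging the manual STIG. The file header for this hunk is outside the chunk; from the `repotool` generator and the `oval:mil.disa.stig.rhel8` ids I take it to be DISA's vendored SCAP datastream, which should stay byte-identical to the upstream download rather than be edited here. Recording the exact DISA release and retrieval date in the commit message, e.g. `Reference: U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark, retrieved <date>`, would make the provenance of the imported content auditable without opening the file. The two added `constant_variable` elements (var:36000 and var:36100) carry identical directory sets, which is normal for repotool output and not something to deduplicate by hand.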
|
||
|
From 8c7ce4c14246cdf84f8a2c4eec3e236de34aa259 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 2 May 2022 10:36:44 +0200
Subject: [PATCH 3/3] Update RHEL8 STIG to v1r6
---
products/rhel8/profiles/stig.profile | 4 ++--
products/rhel8/profiles/stig_gui.profile | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||
|
index 499cf56ed7a..d74393de8ea 100644
|
||
|
--- a/products/rhel8/profiles/stig.profile
|
||
|
+++ b/products/rhel8/profiles/stig.profile
|
||
|
@@ -1,7 +1,7 @@
|
||
|
documentation_complete: true
|
||
|
|
||
|
metadata:
|
||
|
- version: V1R5
|
||
|
+ version: V1R6
|
||
|
SMEs:
|
||
|
- mab879
|
||
|
- ggbecker
|
||
|
@@ -12,7 +12,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8'
|
||
|
|
||
|
description: |-
|
||
|
This profile contains configuration checks that align to the
|
||
|
- DISA STIG for Red Hat Enterprise Linux 8 V1R5.
|
||
|
+ DISA STIG for Red Hat Enterprise Linux 8 V1R6.
|
||
|
|
||
|
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
|
||
|
configuration baseline as applicable to the operating system tier of
|
||
|
diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile
|
||
|
index e612aaa1ca5..665bc1e059d 100644
|
||
|
--- a/products/rhel8/profiles/stig_gui.profile
|
||
|
+++ b/products/rhel8/profiles/stig_gui.profile
|
||
|
@@ -1,7 +1,7 @@
|
||
|
documentation_complete: true
|
||
|
|
||
|
metadata:
|
||
|
- version: V1R5
|
||
|
+ version: V1R6
|
||
|
SMEs:
|
||
|
- mab879
|
||
|
- ggbecker
|
||
|
@@ -12,7 +12,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8'
|
||
|
|
||
|
description: |-
|
||
|
This profile contains configuration checks that align to the
|
||
|
- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R5.
|
||
|
+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R6.
|
||
|
|
||
|
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
|
||
|
configuration baseline as applicable to the operating system tier of
|