From 0addbba742ef5470e911d391eb738e9da79ce7b7 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 1 Aug 2022 14:43:21 +0200
Subject: [PATCH 1/3] Update DISA RHEL8 STIG manual benchmark to V1R7
---
... => disa-stig-rhel8-v1r7-xccdf-manual.xml} | 437 ++++++++++--------
1 file changed, 233 insertions(+), 204 deletions(-)
rename shared/references/{disa-stig-rhel8-v1r6-xccdf-manual.xml => disa-stig-rhel8-v1r7-xccdf-manual.xml} (96%)
diff --git a/shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml
|
||
|
similarity index 96%
|
||
|
rename from shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml
|
||
|
rename to shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml
|
||
|
index 849ab06f66d..a02819d3002 100644
|
||
|
--- a/shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml
|
||
|
+++ b/shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml
|
||
|
@@ -1,4 +1,4 @@
|
||
|
-<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="RHEL_8_STIG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2022-02-17">accepted</status><title>Red Hat Enterprise Linux 8 Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 6 Benchmark Date: 27 Apr 2022</plain-text><plain-text id="generator">3.3.0.27375</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>1</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select 
idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select idref="
|
||
|
+<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="RHEL_8_STIG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2022-07-13">accepted</status><title>Red Hat Enterprise Linux 8 Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 7 Benchmark Date: 27 Jul 2022</plain-text><plain-text id="generator">3.3.0.27375</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>1</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select 
idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select idref="
|
||
|
|
||
|
Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32865r567410_fix">Upgrade to a supported version of RHEL 8.</fixtext><fix id="F-32865r567410_fix" /><check system="C-32890r743912_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the version of the operating system is vendor supported.
|
||
|
|
||
|
@@ -849,7 +849,7 @@ $ sudo grep -i localpkg_gpgcheck /etc/dnf/dnf.conf
|
||
|
|
||
|
localpkg_gpgcheck =True
|
||
|
|
||
|
-If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.</check-content></check></Rule></Group><Group id="V-230266"><title>SRG-OS-000366-GPOS-00153</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230266r818816_rule" weight="10.0" severity="medium"><version>RHEL-08-010372</version><title>RHEL 8 must prevent the loading of a new kernel for later execution.</title><description><VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
|
||
|
+If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.</check-content></check></Rule></Group><Group id="V-230266"><title>SRG-OS-000366-GPOS-00153</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230266r833290_rule" weight="10.0" severity="medium"><version>RHEL-08-010372</version><title>RHEL 8 must prevent the loading of a new kernel for later execution.</title><description><VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
|
||
|
|
||
|
Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images.
|
||
|
|
||
|
@@ -867,7 +867,7 @@ kernel.kexec_load_disabled = 1
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-32910r818815_fix" /><check system="C-32935r818814_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to disable kernel image loading with the following commands:
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-32910r818815_fix" /><check system="C-32935r833289_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to disable kernel image loading with the following commands:
|
||
|
|
||
|
Check the status of the kernel.kexec_load_disabled kernel parameter.
|
||
|
|
||
|
@@ -885,7 +885,7 @@ $ sudo grep -r kernel.kexec_load_disabled /run/sysctl.d/*.conf /usr/local/lib/sy
|
||
|
|
||
|
If "kernel.kexec_load_disabled" is not set to "1", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230267"><title>SRG-OS-000312-GPOS-00122</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230267r818819_rule" weight="10.0" severity="medium"><version>RHEL-08-010373</version><title>RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.</title><description><VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230267"><title>SRG-OS-000312-GPOS-00122</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230267r833292_rule" weight="10.0" severity="medium"><version>RHEL-08-010373</version><title>RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.</title><description><VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
|
||
|
|
||
|
When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.
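Review bot: The check text added for V-230266 on the new side raises a finding only on "conflicting results", whereas the removed line raised one whenever kernel.kexec_load_disabled was returned from more than one file location, so the manual benchmark has become more permissive about duplicate sysctl definitions; the same rewording recurs in the hunks for V-230267, V-230268 and V-230269 (@@ -925, @@ -965, @@ -1005) and for V-230270 in the hunk that runs past the end of this excerpt. This file is taken verbatim from DISA and should not be edited here, but any project content derived from it — the rule descriptions and the automated checks that flag a setting defined in several sysctl files — presumably still implements the stricter V1R6 wording, which is worth confirming in the remaining patches of this series (this is 1/3). The new wording also leaves "conflicting" undefined; since `sysctl --system` applies files in load order with later values overriding earlier ones, a duplicate with a different value is effectively a conflict, and the derived rule text would benefit from saying so explicitly.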
|
||
|
|
||
|
@@ -907,7 +907,7 @@ fs.protected_symlinks = 1
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-32911r818818_fix" /><check system="C-32936r818817_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to enable DAC on symlinks with the following commands:
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-32911r818818_fix" /><check system="C-32936r833291_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to enable DAC on symlinks with the following commands:
|
||
|
|
||
|
Check the status of the fs.protected_symlinks kernel parameter.
|
||
|
|
||
|
@@ -925,7 +925,7 @@ $ sudo grep -r fs.protected_symlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.
|
||
|
|
||
|
If "fs.protected_symlinks" is not set to "1", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230268"><title>SRG-OS-000312-GPOS-00122</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230268r818822_rule" weight="10.0" severity="medium"><version>RHEL-08-010374</version><title>RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.</title><description><VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230268"><title>SRG-OS-000312-GPOS-00122</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230268r833294_rule" weight="10.0" severity="medium"><version>RHEL-08-010374</version><title>RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.</title><description><VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
|
||
|
|
||
|
When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.
|
||
|
|
||
|
@@ -947,7 +947,7 @@ fs.protected_hardlinks = 1
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-32912r818821_fix" /><check system="C-32937r818820_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to enable DAC on hardlinks with the following commands:
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-32912r818821_fix" /><check system="C-32937r833293_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to enable DAC on hardlinks with the following commands:
|
||
|
|
||
|
Check the status of the fs.protected_hardlinks kernel parameter.
|
||
|
|
||
|
@@ -965,7 +965,7 @@ $ sudo grep -r fs.protected_hardlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl
|
||
|
|
||
|
If "fs.protected_hardlinks" is not set to "1", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230269"><title>SRG-OS-000138-GPOS-00069</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230269r818825_rule" weight="10.0" severity="low"><version>RHEL-08-010375</version><title>RHEL 8 must restrict access to the kernel message buffer.</title><description><VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230269"><title>SRG-OS-000138-GPOS-00069</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230269r833296_rule" weight="10.0" severity="low"><version>RHEL-08-010375</version><title>RHEL 8 must restrict access to the kernel message buffer.</title><description><VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
|
||
|
|
||
|
This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.
|
||
|
|
||
|
@@ -987,7 +987,7 @@ kernel.dmesg_restrict = 1
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-32913r818824_fix" /><check system="C-32938r818823_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to restrict access to the kernel message buffer with the following commands:
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-32913r818824_fix" /><check system="C-32938r833295_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to restrict access to the kernel message buffer with the following commands:
|
||
|
|
||
|
Check the status of the kernel.dmesg_restrict kernel parameter.
|
||
|
|
||
|
@@ -1005,7 +1005,7 @@ $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.
|
||
|
|
||
|
If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230270"><title>SRG-OS-000138-GPOS-00069</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230270r818828_rule" weight="10.0" severity="low"><version>RHEL-08-010376</version><title>RHEL 8 must prevent kernel profiling by unprivileged users.</title><description><VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230270"><title>SRG-OS-000138-GPOS-00069</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230270r833298_rule" weight="10.0" severity="low"><version>RHEL-08-010376</version><title>RHEL 8 must prevent kernel profiling by unprivileged users.</title><description><VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
|
||
|
|
||
|
This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.
|
||
|
|
||
|
@@ -1027,7 +1027,7 @@ kernel.perf_event_paranoid = 2
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-32914r818827_fix" /><check system="C-32939r818826_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands:
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-32914r818827_fix" /><check system="C-32939r833297_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands:
|
||
|
|
||
|
Check the status of the kernel.perf_event_paranoid kernel parameter.
|
||
|
|
||
|
@@ -1045,15 +1045,25 @@ $ sudo grep -r kernel.perf_event_paranoid /run/sysctl.d/*.conf /usr/local/lib/sy
|
||
|
|
||
|
If "kernel.perf_event_paranoid" is not set to "2", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230271"><title>SRG-OS-000373-GPOS-00156</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230271r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010380</version><title>RHEL 8 must require users to provide a password for privilege escalation.</title><description><VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230271"><title>SRG-OS-000373-GPOS-00156</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230271r833301_rule" weight="10.0" severity="medium"><version>RHEL-08-010380</version><title>RHEL 8 must require users to provide a password for privilege escalation.</title><description><VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
|
||
|
|
||
|
When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.
|
||
|
|
||
|
-Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002038</ident><fixtext fixref="F-32915r567560_fix">Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.</fixtext><fix id="F-32915r567560_fix" /><check system="C-32940r567559_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that "/etc/sudoers" has no occurrences of "NOPASSWD".
|
||
|
+Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002038</ident><fixtext fixref="F-32915r833300_fix">Configure the operating system to require users to supply a password for privilege escalation.
|
||
|
+
|
||
|
+Check the configuration of the "/etc/sudoers" file with the following command:
|
||
|
+$ sudo visudo
|
||
|
+
|
||
|
+Remove any occurrences of "NOPASSWD" tags in the file.
|
||
|
+
|
||
|
+Check the configuration of the /etc/sudoers.d/* files with the following command:
|
||
|
+$ sudo grep -ir nopasswd /etc/sudoers.d
|
||
|
+
|
||
|
+Remove any occurrences of "NOPASSWD" tags in the file.</fixtext><fix id="F-32915r833300_fix" /><check system="C-32940r833299_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that "/etc/sudoers" has no occurrences of "NOPASSWD".
|
||
|
|
||
|
Check that the "/etc/sudoers" file has no occurrences of "NOPASSWD" by running the following command:
|
||
|
|
||
|
-$ sudo grep -i nopasswd /etc/sudoers /etc/sudoers.d/*
|
||
|
+$ sudo grep -ir nopasswd /etc/sudoers /etc/sudoers.d
|
||
|
|
||
|
%admin ALL=(ALL) NOPASSWD: ALL
|
||
|
|
||
|
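Review bot: The reworked fixtext for RHEL-08-010380 (F-32915r833300_fix) points the reader at `visudo` only for /etc/sudoers, then has them locate drop-in entries with `grep -ir nopasswd /etc/sudoers.d` and "Remove any occurrences of "NOPASSWD" tags in the file" — singular, although it now refers to the files under /etc/sudoers.d, and those should be edited with `visudo -f /etc/sudoers.d/<file>` so a syntax error cannot break privilege escalation entirely. The check-content likewise still opens with `Check that the "/etc/sudoers" file has no occurrences of "NOPASSWD"` while its command was changed to `grep -ir nopasswd /etc/sudoers /etc/sudoers.d`, so the prose and the command no longer describe the same scope. As this is DISA-published text the wording belongs upstream; for this repository the point is that the project's own check and remediation for this rule (not in this diff) should be compared against the new recursive grep so they cover the drop-in directory the same way the manual check now does.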
@@ -1222,7 +1232,7 @@ $ sudo grep slub_debug /etc/default/grub
|
||
|
|
||
|
GRUB_CMDLINE_LINUX="slub_debug=P"
|
||
|
|
||
|
-If "slub_debug" is not set to "P", is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230280"><title>SRG-OS-000433-GPOS-00193</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230280r818831_rule" weight="10.0" severity="medium"><version>RHEL-08-010430</version><title>RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.</title><description><VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
|
||
|
+If "slub_debug" is not set to "P", is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230280"><title>SRG-OS-000433-GPOS-00193</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230280r833303_rule" weight="10.0" severity="medium"><version>RHEL-08-010430</version><title>RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.</title><description><VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
|
||
|
|
||
|
Examples of attacks are buffer overflow attacks.
|
||
|
|
||
|
@@ -1240,7 +1250,7 @@ kernel.randomize_va_space=2
|
||
|
|
||
|
Issue the following command to make the changes take effect:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-32924r818830_fix" /><check system="C-32949r818829_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 implements ASLR with the following command:
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-32924r818830_fix" /><check system="C-32949r833302_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 implements ASLR with the following command:
|
||
|
|
||
|
$ sudo sysctl kernel.randomize_va_space
|
||
|
|
||
|
@@ -1256,7 +1266,7 @@ $ sudo grep -r kernel.randomize_va_space /run/sysctl.d/*.conf /usr/local/lib/sys
|
||
|
|
||
|
If "kernel.randomize_va_space" is not set to "2", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230281"><title>SRG-OS-000437-GPOS-00194</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230281r627750_rule" weight="10.0" severity="low"><version>RHEL-08-010440</version><title>YUM must remove all software components after updated versions have been installed on RHEL 8.</title><description><VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002617</ident><fixtext fixref="F-32925r567590_fix">Configure the operating system to remove all software components after updated versions have been installed.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230281"><title>SRG-OS-000437-GPOS-00194</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230281r627750_rule" weight="10.0" severity="low"><version>RHEL-08-010440</version><title>YUM must remove all software components after updated versions have been installed on RHEL 8.</title><description><VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002617</ident><fixtext fixref="F-32925r567590_fix">Configure the operating system to remove all software components after updated versions have been installed.
|
||
|
|
||
|
Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.conf" file:
|
||
|
|
||
|
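Review bot: The finding criterion for kernel.randomize_va_space was relaxed from "If results are returned from more than one file location" to `If conflicting results are returned, this is a finding.`, and the same relaxation is applied to kernel.perf_event_paranoid in the hunk before the sudoers change and to kernel.core_pattern in the hunk at -1622. The new text tolerates a value repeated in several sysctl files and only flags disagreement, which matches the precedence rule the benchmark itself describes (lexicographically latest filename wins), but "conflicting" is left undefined when, for example, a drop-in sets the value to 2 and a later file comments it out. The project's automated checks for these three sysctls (outside this diff) should be reviewed so they report a finding on a conflicting effective value rather than on any duplicate definition, otherwise the automated and manual results will diverge on the same host.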
@@ -1590,7 +1600,7 @@ Main PID: 1130 (code=exited, status=0/SUCCESS)
|
||
|
|
||
|
If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).
|
||
|
|
||
|
-If the service is active and is not documented, this is a finding.</check-content></check></Rule></Group><Group id="V-230311"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230311r818834_rule" weight="10.0" severity="medium"><version>RHEL-08-010671</version><title>RHEL 8 must disable the kernel.core_pattern.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
+If the service is active and is not documented, this is a finding.</check-content></check></Rule></Group><Group id="V-230311"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230311r833305_rule" weight="10.0" severity="medium"><version>RHEL-08-010671</version><title>RHEL 8 must disable the kernel.core_pattern.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
|
||
|
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
/etc/sysctl.d/*.conf
|
||
|
@@ -1606,7 +1616,7 @@ kernel.core_pattern = |/bin/false
|
||
|
|
||
|
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-32955r818833_fix" /><check system="C-32980r818832_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 disables storing core dumps with the following commands:
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-32955r818833_fix" /><check system="C-32980r833304_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 disables storing core dumps with the following commands:
|
||
|
|
||
|
$ sudo sysctl kernel.core_pattern
|
||
|
|
||
|
@@ -1622,24 +1632,26 @@ $ sudo grep -r kernel.core_pattern /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/
|
||
|
|
||
|
If "kernel.core_pattern" is not set to "|/bin/false", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230312"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230312r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010672</version><title>RHEL 8 must disable acquiring, saving, and processing core dumps.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
-
|
||
|
-A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
|
||
|
-
|
||
|
-When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged systemd-coredump@.service instance to process the core dump.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32956r619859_fix">Configure the system to disable the systemd-coredump.socket with the following command:
|
||
|
-
|
||
|
-$ sudo systemctl mask systemd-coredump.socket
|
||
|
-
|
||
|
-Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null
|
||
|
-
|
||
|
-Reload the daemon for this change to take effect.
|
||
|
-
|
||
|
-$ sudo systemctl daemon-reload</fixtext><fix id="F-32956r619859_fix" /><check system="C-32981r567682_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 is not configured to acquire, save, or process core dumps with the following command:
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230312"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230312r833308_rule" weight="10.0" severity="medium"><version>RHEL-08-010672</version><title>RHEL 8 must disable acquiring, saving, and processing core dumps.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
+
|
||
|
+A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
|
||
|
+
|
||
|
+When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged systemd-coredump@.service instance to process the core dump.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32956r833307_fix">Configure the system to disable the systemd-coredump.socket with the following commands:
|
||
|
+
|
||
|
+$ sudo systemctl disable --now systemd-coredump.socket
|
||
|
+
|
||
|
+$ sudo systemctl mask systemd-coredump.socket
|
||
|
+
|
||
|
+Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null
|
||
|
+
|
||
|
+Reload the daemon for this change to take effect.
|
||
|
+
|
||
|
+$ sudo systemctl daemon-reload</fixtext><fix id="F-32956r833307_fix" /><check system="C-32981r833306_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 is not configured to acquire, save, or process core dumps with the following command:
|
||
|
|
||
|
$ sudo systemctl status systemd-coredump.socket
|
||
|
|
||
|
systemd-coredump.socket
|
||
|
-Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)
|
||
|
+Loaded: masked (Reason: Unit systemd-coredump.socket is masked.)
|
||
|
Active: inactive (dead)
|
||
|
|
||
|
If the "systemd-coredump.socket" is loaded and not masked and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-230313"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230313r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010673</version><title>RHEL 8 must disable core dumps for all users.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
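Review bot: The new fixtext for RHEL-08-010672 (F-32956r833307_fix) prepends `$ sudo systemctl disable --now systemd-coredump.socket` to the existing mask step, but if systemd-coredump.socket is a static unit with no [Install] section — which I believe is the case on RHEL 8, please confirm — `disable` is a no-op with a warning and only `--now` does anything, so the mask on the following line is what actually prevents socket activation. That is consistent with the corrected check output `Loaded: masked (Reason: Unit systemd-coredump.socket is masked.)` (the old text wrongly named ctrl-alt-del.target) and `Active: inactive (dead)`, which requires both that the socket was stopped and that it was masked. The project's remediation for this rule (not in this diff) should keep the stop-then-mask order so the check's expected output holds without a reboot.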
@@ -2347,40 +2359,40 @@ $ sudo grep -i lock-command /etc/tmux.conf
|
||
|
|
||
|
set -g lock-command vlock
|
||
|
|
||
|
-If the "lock-command" is not set in the global settings to call "vlock", this is a finding.</check-content></check></Rule></Group><Group id="V-230349"><title>SRG-OS-000028-GPOS-00009</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230349r810020_rule" weight="10.0" severity="medium"><version>RHEL-08-020041</version><title>RHEL 8 must ensure session control is automatically started at shell initialization.</title><description><VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
|
||
|
+If the "lock-command" is not set in the global settings to call "vlock", this is a finding.</check-content></check></Rule></Group><Group id="V-230349"><title>SRG-OS-000028-GPOS-00009</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230349r833388_rule" weight="10.0" severity="medium"><version>RHEL-08-020041</version><title>RHEL 8 must ensure session control is automatically started at shell initialization.</title><description><VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
|
||
|
|
||
|
The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
|
||
|
|
||
|
-Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.
|
||
|
+Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.
|
||
|
|
||
|
-Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000056</ident><fixtext fixref="F-32993r809283_fix">Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory:
|
||
|
+Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000056</ident><fixtext fixref="F-32993r833310_fix">Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory:
|
||
|
|
||
|
-If [ "$PS1" ]; then
|
||
|
+if [ "$PS1" ]; then
|
||
|
+parent=$(ps -o ppid= -p $$)
|
||
|
+name=$(ps -o comm= -p $parent)
|
||
|
+case "$name" in (sshd|login) exec tmux ;; esac
|
||
|
+fi
|
||
|
+
|
||
|
+This setting will take effect at next logon.</fixtext><fix id="F-32993r833310_fix" /><check system="C-33018r833309_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands:
|
||
|
+
|
||
|
+Determine if tmux is currently running:
|
||
|
+$ sudo ps all | grep tmux | grep -v grep
|
||
|
+
|
||
|
+If the command does not produce output, this is a finding.
|
||
|
+
|
||
|
+Determine the location of the tmux script:
|
||
|
+$ sudo grep -r tmux /etc/bashrc /etc/profile.d
|
||
|
+
|
||
|
+/etc/profile.d/tmux.sh: case "$name" in (sshd|login) exec tmux ;; esac
|
||
|
+
|
||
|
+Review the tmux script by using the following example:
|
||
|
+$ sudo cat /etc/profile.d/tmux.sh
|
||
|
+if [ "$PS1" ]; then
|
||
|
parent=$(ps -o ppid= -p $$)
|
||
|
name=$(ps -o comm= -p $parent)
|
||
|
case "$name" in (sshd|login) exec tmux ;; esac
|
||
|
fi
|
||
|
|
||
|
-This setting will take effect at next logon.</fixtext><fix id="F-32993r809283_fix" /><check system="C-33018r810019_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands:
|
||
|
-
|
||
|
-Determine if tmux is currently running:
|
||
|
-$ sudo ps all | grep tmux | grep -v grep
|
||
|
-
|
||
|
-If the command does not produce output, this is a finding.
|
||
|
-
|
||
|
-Determine the location of the tmux script:
|
||
|
-$ sudo grep tmux /etc/bashrc/etc/profile.d/*
|
||
|
-
|
||
|
-/etc/profile.d/tmux.sh: case "$name" in (sshd|login) exec tmux ;; esac
|
||
|
-
|
||
|
-Review the tmux script by using the following example:
|
||
|
-$ sudo cat /etc/profile.d/tmux.sh
|
||
|
-If [ "$PS1" ]; then
|
||
|
-parent=$(ps -o ppid= -p $$)
|
||
|
-name=$(ps -o comm= -p $parent)
|
||
|
-case "$name" in (sshd|login) exec tmux ;; esac
|
||
|
-fi
|
||
|
-
|
||
|
If "tmux" is not configured as the example above, is commented out, or is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-230350"><title>SRG-OS-000028-GPOS-00009</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230350r627750_rule" weight="10.0" severity="low"><version>RHEL-08-020042</version><title>RHEL 8 must prevent users from disabling session control mechanisms.</title><description><VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
|
||
|
|
||
|
The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
|
||
|
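Review bot: The updated fixtext for RHEL-08-020041 (F-32993r833310_fix) tells the reader to put the snippet in "a custom.sh shell script in the /etc/profile.d/ directory", while the check-content's example output and `cat` command refer to `/etc/profile.d/tmux.sh`, so the fix and the check name different files. The capitalisation fix from `If [ "$PS1" ]; then` to `if [ "$PS1" ]; then` is correct (the old form would have been a command-not-found at every login), and the check's grep was corrected from the broken path `/etc/bashrc/etc/profile.d/*` to `grep -r tmux /etc/bashrc /etc/profile.d`. The retained first step, `ps all | grep tmux | grep -v grep` with "If the command does not produce output, this is a finding", still depends on a tmux session existing at the moment of the audit, so a compliant host audited from a console or non-interactive session can produce a false finding; the project's automated check (outside this diff) should rely on the profile.d content rather than on a running process.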
@@ -2540,7 +2552,7 @@ $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality
|
||
|
|
||
|
password required pam_pwquality.so
|
||
|
|
||
|
-If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230357"><title>SRG-OS-000069-GPOS-00037</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230357r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020110</version><title>RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
+If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230357"><title>SRG-OS-000069-GPOS-00037</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230357r833313_rule" weight="10.0" severity="medium"><version>RHEL-08-020110</version><title>RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
|
||
|
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
|
||
|
|
||
|
@@ -2548,13 +2560,14 @@ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note th
|
||
|
|
||
|
Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
|
||
|
|
||
|
-ucredit = -1</fixtext><fix id="F-33001r567818_fix" /><check system="C-33026r567817_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value for "ucredit" in "/etc/security/pwquality.conf" with the following command:
|
||
|
+ucredit = -1</fixtext><fix id="F-33001r567818_fix" /><check system="C-33026r833312_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value for "ucredit" with the following command:
|
||
|
|
||
|
-$ sudo grep ucredit /etc/security/pwquality.conf
|
||
|
+$ sudo grep -r ucredit /etc/security/pwquality.conf*
|
||
|
|
||
|
-ucredit = -1
|
||
|
+/etc/security/pwquality.conf:ucredit = -1
|
||
|
|
||
|
-If the value of "ucredit" is a positive number or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230358"><title>SRG-OS-000070-GPOS-00038</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230358r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020120</version><title>RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
+If the value of "ucredit" is a positive number or is commented out, this is a finding.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230358"><title>SRG-OS-000070-GPOS-00038</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230358r833315_rule" weight="10.0" severity="medium"><version>RHEL-08-020120</version><title>RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
|
||
|
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
|
||
|
|
||
|
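Review bot: The re-added criterion `If the value of "ucredit" is a positive number or is commented out, this is a finding.` does not cover `ucredit = 0`, which in pwquality means no credit and no minimum, so a value of 0 passes the manual check while enforcing nothing; the same gap is in the lcredit hunk that follows (-2562) and, I expect, the other credit rules. The new command `grep -r ucredit /etc/security/pwquality.conf*` now also descends into /etc/security/pwquality.conf.d, and the added `If conflicting results are returned, this is a finding.` line is a conservative reading given that drop-in files override the main file rather than conflict with it. The project's automated check for this rule (not in this diff) should require a value of -1 or lower and evaluate the effective value across the drop-in directory, rather than mirroring the "positive number" wording.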
@@ -2562,13 +2575,14 @@ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note th
|
||
|
|
||
|
Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
|
||
|
|
||
|
-lcredit = -1</fixtext><fix id="F-33002r567821_fix" /><check system="C-33027r567820_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value for "lcredit" in "/etc/security/pwquality.conf" with the following command:
|
||
|
+lcredit = -1</fixtext><fix id="F-33002r567821_fix" /><check system="C-33027r833314_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value for "lcredit" with the following command:
|
||
|
|
||
|
-$ sudo grep lcredit /etc/security/pwquality.conf
|
||
|
+$ sudo grep -r lcredit /etc/security/pwquality.conf*
|
||
|
|
||
|
-lcredit = -1
|
||
|
+/etc/security/pwquality.conf:lcredit = -1
|
||
|
|
||
|
-If the value of "lcredit" is a positive number or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230359"><title>SRG-OS-000071-GPOS-00039</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230359r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020130</version><title>RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
+If the value of "lcredit" is a positive number or is commented out, this is a finding.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230359"><title>SRG-OS-000071-GPOS-00039</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230359r833317_rule" weight="10.0" severity="medium"><version>RHEL-08-020130</version><title>RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
|
||
|
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
|
||
|
|
||
|
@@ -2576,13 +2590,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note
|
||
|
|
||
|
Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
|
||
|
|
||
|
-dcredit = -1</fixtext><fix id="F-33003r567824_fix" /><check system="C-33028r567823_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value for "dcredit" in "/etc/security/pwquality.conf" with the following command:
|
||
|
+dcredit = -1</fixtext><fix id="F-33003r567824_fix" /><check system="C-33028r833316_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value for "dcredit" with the following command:
|
||
|
|
||
|
-$ sudo grep dcredit /etc/security/pwquality.conf
|
||
|
+$ sudo grep -r dcredit /etc/security/pwquality.conf*
|
||
|
|
||
|
-dcredit = -1
|
||
|
+/etc/security/pwquality.conf:dcredit = -1
|
||
|
|
||
|
-If the value of "dcredit" is a positive number or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230360"><title>SRG-OS-000072-GPOS-00040</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230360r809289_rule" weight="10.0" severity="medium"><version>RHEL-08-020140</version><title>RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
+If the value of "dcredit" is a positive number or is commented out, this is a finding.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230360"><title>SRG-OS-000072-GPOS-00040</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230360r833319_rule" weight="10.0" severity="medium"><version>RHEL-08-020140</version><title>RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
|
||
|
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
|
||
|
|
||
|
@@ -2590,13 +2605,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "
|
||
|
|
||
|
Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value):
|
||
|
|
||
|
-maxclassrepeat = 4</fixtext><fix id="F-33004r567827_fix" /><check system="C-33029r809288_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command:
|
||
|
+maxclassrepeat = 4</fixtext><fix id="F-33004r567827_fix" /><check system="C-33029r833318_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check for the value of the "maxclassrepeat" option with the following command:
|
||
|
|
||
|
-$ sudo grep maxclassrepeat /etc/security/pwquality.conf
|
||
|
+$ sudo grep -r maxclassrepeat /etc/security/pwquality.conf*
|
||
|
|
||
|
-maxclassrepeat = 4
|
||
|
+/etc/security/pwquality.conf:maxclassrepeat = 4
|
||
|
|
||
|
-If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230361"><title>SRG-OS-000072-GPOS-00040</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230361r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020150</version><title>RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
+If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230361"><title>SRG-OS-000072-GPOS-00040</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230361r833321_rule" weight="10.0" severity="medium"><version>RHEL-08-020150</version><title>RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
|
||
|
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
|
||
|
|
||
|
@@ -2604,13 +2620,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "
|
||
|
|
||
|
Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value):
|
||
|
|
||
|
-maxrepeat = 3</fixtext><fix id="F-33005r567830_fix" /><check system="C-33030r567829_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check for the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command:
|
||
|
+maxrepeat = 3</fixtext><fix id="F-33005r567830_fix" /><check system="C-33030r833320_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check for the value of the "maxrepeat" option with the following command:
|
||
|
|
||
|
-$ sudo grep maxrepeat /etc/security/pwquality.conf
|
||
|
+$ sudo grep -r maxrepeat /etc/security/pwquality.conf*
|
||
|
|
||
|
-maxrepeat = 3
|
||
|
+/etc/security/pwquality.conf:maxrepeat = 3
|
||
|
|
||
|
-If the value of "maxrepeat" is set to more than "3" or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230362"><title>SRG-OS-000072-GPOS-00040</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230362r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020160</version><title>RHEL 8 must require the change of at least four character classes when passwords are changed.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
+If the value of "maxrepeat" is set to more than "3" or is commented out, this is a finding.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230362"><title>SRG-OS-000072-GPOS-00040</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230362r833323_rule" weight="10.0" severity="medium"><version>RHEL-08-020160</version><title>RHEL 8 must require the change of at least four character classes when passwords are changed.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
|
||
|
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
|
||
|
|
||
|
@@ -2618,12 +2635,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "
|
||
|
|
||
|
Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value):
|
||
|
|
||
|
-minclass = 4</fixtext><fix id="F-33006r567833_fix" /><check system="C-33031r567832_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command:
|
||
|
+minclass = 4</fixtext><fix id="F-33006r567833_fix" /><check system="C-33031r833322_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value of the "minclass" option with the following command:
|
||
|
+
|
||
|
+$ sudo grep -r minclass /etc/security/pwquality.conf*
|
||
|
|
||
|
-$ sudo grep minclass /etc/security/pwquality.conf
|
||
|
-minclass = 4
|
||
|
+/etc/security/pwquality.conf:minclass = 4
|
||
|
|
||
|
-If the value of "minclass" is set to less than "4" or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230363"><title>SRG-OS-000072-GPOS-00040</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230363r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020170</version><title>RHEL 8 must require the change of at least 8 characters when passwords are changed.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
+If the value of "minclass" is set to less than "4" or is commented out, this is a finding.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230363"><title>SRG-OS-000072-GPOS-00040</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230363r833325_rule" weight="10.0" severity="medium"><version>RHEL-08-020170</version><title>RHEL 8 must require the change of at least 8 characters when passwords are changed.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
|
||
|
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
|
||
|
|
||
|
@@ -2631,13 +2650,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "
|
||
|
|
||
|
Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
|
||
|
|
||
|
-difok = 8</fixtext><fix id="F-33007r567836_fix" /><check system="C-33032r567835_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value of the "difok" option in "/etc/security/pwquality.conf" with the following command:
|
||
|
+difok = 8</fixtext><fix id="F-33007r567836_fix" /><check system="C-33032r833324_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value of the "difok" option with the following command:
|
||
|
|
||
|
-$ sudo grep difok /etc/security/pwquality.conf
|
||
|
+$ sudo grep -r difok /etc/security/pwquality.conf*
|
||
|
|
||
|
-difok = 8
|
||
|
+/etc/security/pwquality.conf:difok = 8
|
||
|
|
||
|
-If the value of "difok" is set to less than "8" or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230364"><title>SRG-OS-000075-GPOS-00043</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230364r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020180</version><title>RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.</title><description><VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000198</ident><fixtext fixref="F-33008r567839_fix">Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
|
||
|
+If the value of "difok" is set to less than "8" or is commented out, this is a finding.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230364"><title>SRG-OS-000075-GPOS-00043</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230364r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020180</version><title>RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.</title><description><VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000198</ident><fixtext fixref="F-33008r567839_fix">Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
|
||
|
|
||
|
$ sudo chage -m 1 [user]</fixtext><fix id="F-33008r567839_fix" /><check system="C-33033r567838_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check whether the minimum time period between password changes for each user account is one day or greater.
|
||
|
|
||
|
@@ -2689,7 +2709,7 @@ $ sudo grep -i remember /etc/pam.d/password-auth
|
||
|
|
||
|
password required pam_pwhistory.so use_authtok remember=5 retry=3
|
||
|
|
||
|
-If the line containing "pam_pwhistory.so" does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.</check-content></check></Rule></Group><Group id="V-230369"><title>SRG-OS-000078-GPOS-00046</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230369r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020230</version><title>RHEL 8 passwords must have a minimum of 15 characters.</title><description><VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
|
||
|
+If the line containing "pam_pwhistory.so" does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.</check-content></check></Rule></Group><Group id="V-230369"><title>SRG-OS-000078-GPOS-00046</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230369r833327_rule" weight="10.0" severity="medium"><version>RHEL-08-020230</version><title>RHEL 8 passwords must have a minimum of 15 characters.</title><description><VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
|
||
|
|
||
|
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.
|
||
|
|
||
|
@@ -2701,14 +2721,16 @@ The DoD minimum password requirement is 15 characters.</VulnDiscussion><
|
||
|
|
||
|
Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
|
||
|
|
||
|
-minlen = 15</fixtext><fix id="F-33013r567854_fix" /><check system="C-33038r567853_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system enforces a minimum 15-character password length. The "minlen" option sets the minimum number of characters in a new password.
|
||
|
+minlen = 15</fixtext><fix id="F-33013r567854_fix" /><check system="C-33038r833326_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system enforces a minimum 15-character password length. The "minlen" option sets the minimum number of characters in a new password.
|
||
|
|
||
|
-Check for the value of the "minlen" option in "/etc/security/pwquality.conf" with the following command:
|
||
|
+Check for the value of the "minlen" option with the following command:
|
||
|
|
||
|
-$ sudo grep minlen /etc/security/pwquality.conf
|
||
|
-minlen = 15
|
||
|
+$ sudo grep -r minlen /etc/security/pwquality.conf*
|
||
|
|
||
|
-If the command does not return a "minlen" value of 15 or greater, this is a finding.</check-content></check></Rule></Group><Group id="V-230370"><title>SRG-OS-000078-GPOS-00046</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230370r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020231</version><title>RHEL 8 passwords for new users must have a minimum of 15 characters.</title><description><VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
|
||
|
+/etc/security/pwquality.conf:minlen = 15
|
||
|
+
|
||
|
+If the command does not return a "minlen" value of 15 or greater, this is a finding.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230370"><title>SRG-OS-000078-GPOS-00046</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230370r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020231</version><title>RHEL 8 passwords for new users must have a minimum of 15 characters.</title><description><VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
|
||
|
|
||
|
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.
|
||
|
|
||
|
@@ -2804,7 +2826,7 @@ For every existing emergency account, run the following command to obtain its ac
|
||
|
$ sudo chage -l system_account_name
|
||
|
|
||
|
Verify each of these accounts has an expiration date set within 72 hours.
|
||
|
-If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding.</check-content></check></Rule></Group><Group id="V-230375"><title>SRG-OS-000266-GPOS-00101</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230375r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020280</version><title>All RHEL 8 passwords must contain at least one special character.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
+If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding.</check-content></check></Rule></Group><Group id="V-230375"><title>SRG-OS-000266-GPOS-00101</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230375r833329_rule" weight="10.0" severity="medium"><version>RHEL-08-020280</version><title>All RHEL 8 passwords must contain at least one special character.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
|
||
|
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
|
||
|
|
||
|
@@ -2812,13 +2834,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note
|
||
|
|
||
|
Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
|
||
|
|
||
|
-ocredit = -1</fixtext><fix id="F-33019r567872_fix" /><check system="C-33044r567871_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value for "ocredit" in "/etc/security/pwquality.conf" with the following command:
|
||
|
+ocredit = -1</fixtext><fix id="F-33019r567872_fix" /><check system="C-33044r833328_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value for "ocredit" with the following command:
|
||
|
|
||
|
-$ sudo grep ocredit /etc/security/pwquality.conf
|
||
|
+$ sudo grep -r ocredit /etc/security/pwquality.conf*
|
||
|
|
||
|
-ocredit = -1
|
||
|
+/etc/security/pwquality.conf:ocredit = -1
|
||
|
|
||
|
-If the value of "ocredit" is a positive number or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230376"><title>SRG-OS-000383-GPOS-00166</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230376r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020290</version><title>RHEL 8 must prohibit the use of cached authentications after one day.</title><description><VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
|
||
|
+If the value of "ocredit" is a positive number or is commented out, this is a finding.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230376"><title>SRG-OS-000383-GPOS-00166</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230376r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020290</version><title>RHEL 8 must prohibit the use of cached authentications after one day.</title><description><VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
|
||
|
|
||
|
RHEL 8 includes multiple options for configuring authentication, but this requirement will be focus on the System Security Services Daemon (SSSD). By default sssd does not cache credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002007</ident><fixtext fixref="F-33020r567875_fix">Configure the SSSD to prohibit the use of cached authentications after one day.
|
||
|
|
||
|
@@ -2842,19 +2865,20 @@ $ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf
|
||
|
|
||
|
offline_credentials_expiration = 1
|
||
|
|
||
|
-If "offline_credentials_expiration" is not set to a value of "1", this is a finding.</check-content></check></Rule></Group><Group id="V-230377"><title>SRG-OS-000480-GPOS-00225</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230377r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020300</version><title>RHEL 8 must prevent the use of dictionary words for passwords.</title><description><VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33021r567878_fix">Configure RHEL 8 to prevent the use of dictionary words for passwords.
|
||
|
+If "offline_credentials_expiration" is not set to a value of "1", this is a finding.</check-content></check></Rule></Group><Group id="V-230377"><title>SRG-OS-000480-GPOS-00225</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230377r833331_rule" weight="10.0" severity="medium"><version>RHEL-08-020300</version><title>RHEL 8 must prevent the use of dictionary words for passwords.</title><description><VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33021r567878_fix">Configure RHEL 8 to prevent the use of dictionary words for passwords.
|
||
|
|
||
|
Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dictcheck" parameter:
|
||
|
|
||
|
-dictcheck=1</fixtext><fix id="F-33021r567878_fix" /><check system="C-33046r567877_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 prevents the use of dictionary words for passwords.
|
||
|
+dictcheck=1</fixtext><fix id="F-33021r567878_fix" /><check system="C-33046r833330_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 prevents the use of dictionary words for passwords.
|
||
|
|
||
|
-Determine if the field "dictcheck" is set in the "/etc/security/pwquality.conf" or "/etc/pwquality.conf.d/*.conf" files with the following command:
|
||
|
+Determine if the field "dictcheck" is set with the following command:
|
||
|
|
||
|
-$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf
|
||
|
+$ sudo grep -r dictcheck /etc/security/pwquality.conf*
|
||
|
|
||
|
-dictcheck=1
|
||
|
+/etc/security/pwquality.conf:dictcheck=1
|
||
|
|
||
|
-If the "dictcheck" parameter is not set to "1", or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230378"><title>SRG-OS-000480-GPOS-00226</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230378r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020310</version><title>RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.</title><description><VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.
|
||
|
+If the "dictcheck" parameter is not set to "1", or is commented out, this is a finding.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230378"><title>SRG-OS-000480-GPOS-00226</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230378r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020310</version><title>RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.</title><description><VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.
|
||
|
|
||
|
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33022r567881_fix">Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt.
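Review bot: The new check command `$ sudo grep -r dictcheck /etc/security/pwquality.conf*` reads `/etc/security/pwquality.conf` and its `.conf.d` directory, but the unchanged fix text above it still tells the administrator to place the setting in a configuration file under `/etc/pwquality.conf.d/`, a path the check never looks at and which libpwquality does not read, so following the fix text literally leaves the system non-compliant. This is DISA-authored reference text and not something to patch in this repository, but the mismatch is worth recording in the commit message or the project's rule for RHEL-08-020300 so that the OVAL and remediation content derived from this revision uses `/etc/security/pwquality.conf.d/` consistently. The accompanying wording change to `If conflicting results are returned, this is a finding.` also implies that a derived automated check should compare the values found across files rather than merely count how many files match.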
|
||
|
|
||
|
@@ -4281,7 +4305,7 @@ root /sbin/auditd
|
||
|
root /sbin/rsyslogd
|
||
|
root /sbin/augenrules
|
||
|
|
||
|
-If any of the audit tools are not group-owned by "root", this is a finding.</check-content></check></Rule></Group><Group id="V-230475"><title>SRG-OS-000278-GPOS-00108</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230475r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030650</version><title>RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools.</title><description><VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
|
||
|
+If any of the audit tools are not group-owned by "root", this is a finding.</check-content></check></Rule></Group><Group id="V-230475"><title>SRG-OS-000278-GPOS-00108</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230475r833333_rule" weight="10.0" severity="medium"><version>RHEL-08-030650</version><title>RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools.</title><description><VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
|
||
|
|
||
|
Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
|
||
|
|
||
|
@@ -4296,13 +4320,13 @@ To address this risk, audit tools must be cryptographically signed to provide th
|
||
|
/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
|
||
|
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
|
||
|
/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512
|
||
|
-/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512</fixtext><fix id="F-33119r568172_fix" /><check system="C-33144r568171_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools.
|
||
|
+/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512</fixtext><fix id="F-33119r568172_fix" /><check system="C-33144r833332_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools.
|
||
|
|
||
|
If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.
|
||
|
|
||
|
Check the selection lines to ensure AIDE is configured to add/check with the following command:
|
||
|
|
||
|
-$ sudo egrep '(\/usr\/sbin\/(audit|au))' /etc/aide.conf
|
||
|
+$ sudo egrep '(\/usr\/sbin\/(audit|au|rsys))' /etc/aide.conf
|
||
|
|
||
|
/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
|
||
|
/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
|
||
|
@@ -4312,7 +4336,7 @@ $ sudo egrep '(\/usr\/sbin\/(audit|au))' /etc/aide.conf
|
||
|
/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512
|
||
|
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
|
||
|
|
||
|
-If any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. If there is no evidence of integrity protection, this is a finding.</check-content></check></Rule></Group><Group id="V-230476"><title>SRG-OS-000341-GPOS-00132</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230476r809313_rule" weight="10.0" severity="medium"><version>RHEL-08-030660</version><title>RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.</title><description><VulnDiscussion>To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity.
|
||
|
+If any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. If there is no evidence of integrity protection, this is a finding.</check-content></check></Rule></Group><Group id="V-230476"><title>SRG-OS-000341-GPOS-00132</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230476r809313_rule" weight="10.0" severity="medium"><version>RHEL-08-030660</version><title>RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.</title><description><VulnDiscussion>To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity.
|
||
|
|
||
|
The task of allocating audit record storage capacity is usually performed during initial installation of RHEL 8.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001849</ident><fixtext fixref="F-33120r568175_fix">Allocate enough storage capacity for at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.
|
||
|
|
||
|
@@ -4951,17 +4975,25 @@ p2p-dev-wlp7s0 wifi-p2p disconnected --
|
||
|
lo loopback unmanaged --
|
||
|
virbr0-nic tun unmanaged --
|
||
|
|
||
|
-If a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO), this is a finding.</check-content></check></Rule></Group><Group id="V-230507"><title>SRG-OS-000300-GPOS-00118</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230507r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040111</version><title>RHEL 8 Bluetooth must be disabled.</title><description><VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system.
|
||
|
+If a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO), this is a finding.</check-content></check></Rule></Group><Group id="V-230507"><title>SRG-OS-000300-GPOS-00118</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230507r833336_rule" weight="10.0" severity="medium"><version>RHEL-08-040111</version><title>RHEL 8 Bluetooth must be disabled.</title><description><VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system.
|
||
|
|
||
|
This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
|
||
|
|
||
|
-Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001443</ident><fixtext fixref="F-33151r568268_fix">Configure the operating system to disable the Bluetooth adapter when not in use.
|
||
|
+Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001443</ident><fixtext fixref="F-33151r833335_fix">Configure the operating system to disable the Bluetooth adapter when not in use.
|
||
|
|
||
|
Build or modify the "/etc/modprobe.d/bluetooth.conf" file with the following line:
|
||
|
|
||
|
install bluetooth /bin/true
|
||
|
|
||
|
-Reboot the system for the settings to take effect.</fixtext><fix id="F-33151r568268_fix" /><check system="C-33176r568267_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable.
|
||
|
+Disable the ability to use the Bluetooth kernel module.
|
||
|
+
|
||
|
+$ sudo vi /etc/modprobe.d/blacklist.conf
|
||
|
+
|
||
|
+Add or update the line:
|
||
|
+
|
||
|
+blacklist bluetooth
|
||
|
+
|
||
|
+Reboot the system for the settings to take effect.</fixtext><fix id="F-33151r833335_fix" /><check system="C-33176r833334_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable.
|
||
|
|
||
|
This requirement is not applicable to mobile devices (smartphones and tablets), where the use of Bluetooth is a local AO decision.
|
||
|
|
||
|
@@ -4971,7 +5003,15 @@ $ sudo grep bluetooth /etc/modprobe.d/*
|
||
|
|
||
|
/etc/modprobe.d/bluetooth.conf:install bluetooth /bin/true
|
||
|
|
||
|
-If the Bluetooth driver blacklist entry is missing, a Bluetooth driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding.</check-content></check></Rule></Group><Group id="V-230508"><title>SRG-OS-000368-GPOS-00154</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230508r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040120</version><title>RHEL 8 must mount /dev/shm with the nodev option.</title><description><VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
|
||
|
+If the Bluetooth driver blacklist entry is missing, a Bluetooth driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding.
|
||
|
+
|
||
|
+Verify the operating system disables the ability to use Bluetooth with the following command:
|
||
|
+
|
||
|
+$ sudo grep -r bluetooth /etc/modprobe.d | grep -i "blacklist" | grep -v "^#"
|
||
|
+
|
||
|
+blacklist bluetooth
|
||
|
+
|
||
|
+If the command does not return any output or the output is not "blacklist bluetooth", and use of Bluetooth is not documented with the ISSO as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-230508"><title>SRG-OS-000368-GPOS-00154</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230508r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040120</version><title>RHEL 8 must mount /dev/shm with the nodev option.</title><description><VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
|
||
|
|
||
|
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
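Review bot: In the new verification command `$ sudo grep -r bluetooth /etc/modprobe.d | grep -i "blacklist" | grep -v "^#"`, the `-r` search prefixes every match with its file name, so `^#` never matches and a commented-out `#blacklist bluetooth` line passes the filter and looks compliant next to the expected output `blacklist bluetooth`. An automated version of this check should not mirror the pipeline literally; anchoring on line content with the file names suppressed, for example `grep -rhiE '^\s*blacklist\s+bluetooth\b' /etc/modprobe.d` (constructed example), avoids the false pass. It is also worth keeping both the `install bluetooth /bin/true` line expected earlier in this check and the new `blacklist bluetooth` line as requirements, since `blacklist` only suppresses alias-based autoloading while the `install` override also defeats an explicit `modprobe bluetooth`. The enclosing `<check-content>` element starts in the previous hunk. As this is DISA's reference text, the point applies to the project's derived OVAL and remediation content rather than to this file.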
|
||
|
|
||
|
@@ -5361,15 +5401,17 @@ $ sudo grep -i RekeyLimit /etc/ssh/sshd_config
|
||
|
|
||
|
RekeyLimit 1G 1h
|
||
|
|
||
|
-If "RekeyLimit" does not have a maximum data amount and maximum time defined, is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230529"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230529r627750_rule" weight="10.0" severity="high"><version>RHEL-08-040170</version><title>The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.</title><description><VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33173r619888_fix">Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following command:
|
||
|
-
|
||
|
-$ sudo systemctl mask ctrl-alt-del.target
|
||
|
-
|
||
|
-Created symlink /etc/systemd/system/ctrl-alt-del.target -> /dev/null
|
||
|
-
|
||
|
-Reload the daemon for this change to take effect.
|
||
|
-
|
||
|
-$ sudo systemctl daemon-reload</fixtext><fix id="F-33173r619888_fix" /><check system="C-33198r568333_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command:
|
||
|
+If "RekeyLimit" does not have a maximum data amount and maximum time defined, is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230529"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230529r833338_rule" weight="10.0" severity="high"><version>RHEL-08-040170</version><title>The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.</title><description><VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33173r833337_fix">Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands:
|
||
|
+
|
||
|
+$ sudo systemctl disable ctrl-alt-del.target
|
||
|
+
|
||
|
+$ sudo systemctl mask ctrl-alt-del.target
|
||
|
+
|
||
|
+Created symlink /etc/systemd/system/ctrl-alt-del.target -> /dev/null
|
||
|
+
|
||
|
+Reload the daemon for this change to take effect.
|
||
|
+
|
||
|
+$ sudo systemctl daemon-reload</fixtext><fix id="F-33173r833337_fix" /><check system="C-33198r568333_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command:
|
||
|
|
||
|
$ sudo systemctl status ctrl-alt-del.target
|
||
|
|
||
|
@@ -5438,7 +5480,7 @@ If the account is associated with system commands or applications, the UID shoul
|
||
|
|
||
|
$ sudo awk -F: '$3 == 0 {print $1}' /etc/passwd
|
||
|
|
||
|
-If any accounts other than root have a UID of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-230535"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230535r818848_rule" weight="10.0" severity="medium"><version>RHEL-08-040210</version><title>RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
|
||
|
+If any accounts other than root have a UID of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-230535"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230535r833340_rule" weight="10.0" severity="medium"><version>RHEL-08-040210</version><title>RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
|
||
|
|
||
|
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
/etc/sysctl.d/*.conf
|
||
|
@@ -5454,7 +5496,7 @@ net.ipv6.conf.default.accept_redirects = 0
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-33179r818847_fix" /><check system="C-33204r818846_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 will not accept IPv6 ICMP redirect messages.
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-33179r818847_fix" /><check system="C-33204r833339_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 will not accept IPv6 ICMP redirect messages.
|
||
|
|
||
|
Note: If IPv6 is disabled on the system, this requirement is Not Applicable.
|
||
|
|
||
|
@@ -5474,7 +5516,7 @@ $ sudo grep -r net.ipv6.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/
|
||
|
|
||
|
If "net.ipv6.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230536"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230536r818851_rule" weight="10.0" severity="medium"><version>RHEL-08-040220</version><title>RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230536"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230536r833342_rule" weight="10.0" severity="medium"><version>RHEL-08-040220</version><title>RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
|
||
|
|
||
|
There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6.
|
||
|
|
||
|
@@ -5492,9 +5534,7 @@ net.ipv4.conf.all.send_redirects=0
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33180r818850_fix" /><check system="C-33205r818849_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not IPv4 ICMP redirect messages.
-
-Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
+$ sudo sysctl --system</fixtext><fix id="F-33180r818850_fix" /><check system="C-33205r833341_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not IPv4 ICMP redirect messages.
Check the value of the "all send_redirects" variables with the following command:
@@ -5512,7 +5552,7 @@ $ sudo grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/*.conf /usr/local/
If "net.ipv4.conf.all.send_redirects" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230537"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230537r818854_rule" weight="10.0" severity="medium"><version>RHEL-08-040230</version><title>RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.</title><description><VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230537"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230537r833344_rule" weight="10.0" severity="medium"><version>RHEL-08-040230</version><title>RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.</title><description><VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.
There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
@@ -5529,9 +5569,7 @@ net.ipv4.icmp_echo_ignore_broadcasts=1
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33181r818853_fix" /><check system="C-33206r818852_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not respond to ICMP echoes sent to a broadcast address.
-
-Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
+$ sudo sysctl --system</fixtext><fix id="F-33181r818853_fix" /><check system="C-33206r833343_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not respond to ICMP echoes sent to a broadcast address.
Check the value of the "icmp_echo_ignore_broadcasts" variable with the following command:
@@ -5549,7 +5587,7 @@ $ sudo grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/*.conf /usr/lo
If "net.ipv4.icmp_echo_ignore_broadcasts" is not set to "1", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230538"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230538r818860_rule" weight="10.0" severity="medium"><version>RHEL-08-040240</version><title>RHEL 8 must not forward IPv6 source-routed packets.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230538"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230538r833346_rule" weight="10.0" severity="medium"><version>RHEL-08-040240</version><title>RHEL 8 must not forward IPv6 source-routed packets.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
@@ -5565,7 +5603,7 @@ net.ipv6.conf.all.accept_source_route=0
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33182r818859_fix" /><check system="C-33207r818858_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept IPv6 source-routed packets.
+$ sudo sysctl --system</fixtext><fix id="F-33182r818859_fix" /><check system="C-33207r833345_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept IPv6 source-routed packets.
Note: If IPv6 is disabled on the system, this requirement is Not Applicable.
@@ -5585,7 +5623,7 @@ $ sudo grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/l
If "net.ipv6.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230539"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230539r818866_rule" weight="10.0" severity="medium"><version>RHEL-08-040250</version><title>RHEL 8 must not forward IPv6 source-routed packets by default.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230539"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230539r838722_rule" weight="10.0" severity="medium"><version>RHEL-08-040250</version><title>RHEL 8 must not forward IPv6 source-routed packets by default.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
@@ -5601,7 +5639,7 @@ net.ipv6.conf.default.accept_source_route=0
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33183r818865_fix" /><check system="C-33208r818864_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept IPv6 source-routed packets by default.
+$ sudo sysctl --system</fixtext><fix id="F-33183r818865_fix" /><check system="C-33208r838721_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept IPv6 source-routed packets by default.
Note: If IPv6 is disabled on the system, this requirement is Not Applicable.
@@ -5621,7 +5659,7 @@ $ sudo grep -r net.ipv6.conf.default.accept_source_route /run/sysctl.d/*.conf /u
If "net.ipv6.conf.default.accept_source_route" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230540"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230540r818872_rule" weight="10.0" severity="medium"><version>RHEL-08-040260</version><title>RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230540"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230540r833349_rule" weight="10.0" severity="medium"><version>RHEL-08-040260</version><title>RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
@@ -5637,7 +5675,7 @@ net.ipv6.conf.all.forwarding=0
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33184r818871_fix" /><check system="C-33209r818870_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router.
+$ sudo sysctl --system</fixtext><fix id="F-33184r818871_fix" /><check system="C-33209r833348_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router.
Note: If IPv6 is disabled on the system, this requirement is Not Applicable.
@@ -5657,7 +5695,7 @@ $ sudo grep -r net.ipv6.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/
If "net.ipv6.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230541"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230541r818875_rule" weight="10.0" severity="medium"><version>RHEL-08-040261</version><title>RHEL 8 must not accept router advertisements on all IPv6 interfaces.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230541"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230541r833351_rule" weight="10.0" severity="medium"><version>RHEL-08-040261</version><title>RHEL 8 must not accept router advertisements on all IPv6 interfaces.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
An illicit router advertisement message could result in a man-in-the-middle attack.
@@ -5675,7 +5713,7 @@ net.ipv6.conf.all.accept_ra=0
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33185r818874_fix" /><check system="C-33210r818873_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router.
+$ sudo sysctl --system</fixtext><fix id="F-33185r818874_fix" /><check system="C-33210r833350_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router.
Note: If IPv6 is disabled on the system, this requirement is not applicable.
@@ -5695,7 +5733,7 @@ $ sudo grep -r net.ipv6.conf.all.accept_ra /run/sysctl.d/*.conf /usr/local/lib/s
If "net.ipv6.conf.all.accept_ra" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230542"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230542r818878_rule" weight="10.0" severity="medium"><version>RHEL-08-040262</version><title>RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230542"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230542r833353_rule" weight="10.0" severity="medium"><version>RHEL-08-040262</version><title>RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
An illicit router advertisement message could result in a man-in-the-middle attack.
@@ -5713,7 +5751,7 @@ net.ipv6.conf.default.accept_ra=0
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33186r818877_fix" /><check system="C-33211r818876_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router.
+$ sudo sysctl --system</fixtext><fix id="F-33186r818877_fix" /><check system="C-33211r833352_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router.
Note: If IPv6 is disabled on the system, this requirement is not applicable.
@@ -5733,7 +5771,7 @@ $ sudo grep -r net.ipv6.conf.default.accept_ra /run/sysctl.d/*.conf /usr/local/l
If "net.ipv6.conf.default.accept_ra" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230543"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230543r818881_rule" weight="10.0" severity="medium"><version>RHEL-08-040270</version><title>RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230543"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230543r833355_rule" weight="10.0" severity="medium"><version>RHEL-08-040270</version><title>RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6.
@@ -5751,9 +5789,7 @@ net.ipv4.conf.default.send_redirects = 0
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33187r818880_fix" /><check system="C-33212r818879_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.
-
-Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
+$ sudo sysctl --system</fixtext><fix id="F-33187r818880_fix" /><check system="C-33212r833354_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.
Check the value of the "default send_redirects" variables with the following command:
@@ -5771,7 +5807,7 @@ $ sudo grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/*.conf /usr/lo
If "net.ipv4.conf.default.send_redirects" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230544"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230544r818887_rule" weight="10.0" severity="medium"><version>RHEL-08-040280</version><title>RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230544"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230544r833357_rule" weight="10.0" severity="medium"><version>RHEL-08-040280</version><title>RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
@@ -5787,7 +5823,7 @@ net.ipv6.conf.all.accept_redirects = 0
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33188r818886_fix" /><check system="C-33213r818885_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 ignores IPv6 ICMP redirect messages.
+$ sudo sysctl --system</fixtext><fix id="F-33188r818886_fix" /><check system="C-33213r833356_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 ignores IPv6 ICMP redirect messages.
Note: If IPv6 is disabled on the system, this requirement is Not Applicable.
@@ -5807,7 +5843,7 @@ $ sudo grep -r net.ipv6.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/loca
If "net.ipv6.conf.all.accept_redirects" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230545"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230545r818890_rule" weight="10.0" severity="medium"><version>RHEL-08-040281</version><title>RHEL 8 must disable access to network bpf syscall from unprivileged processes.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230545"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230545r833359_rule" weight="10.0" severity="medium"><version>RHEL-08-040281</version><title>RHEL 8 must disable access to network bpf syscall from unprivileged processes.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
@@ -5821,7 +5857,7 @@ kernel.unprivileged_bpf_disabled = 1
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33189r818889_fix" /><check system="C-33214r818888_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-33189r818889_fix" /><check system="C-33214r833358_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands:
$ sudo sysctl kernel.unprivileged_bpf_disabled
@@ -5837,7 +5873,7 @@ $ sudo grep -r kernel.unprivileged_bpf_disabled /run/sysctl.d/*.conf /usr/local/
If "kernel.unprivileged_bpf_disabled" is not set to "1", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230546"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230546r818893_rule" weight="10.0" severity="medium"><version>RHEL-08-040282</version><title>RHEL 8 must restrict usage of ptrace to descendant processes.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230546"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230546r833361_rule" weight="10.0" severity="medium"><version>RHEL-08-040282</version><title>RHEL 8 must restrict usage of ptrace to descendant processes.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
@@ -5851,7 +5887,7 @@ kernel.yama.ptrace_scope = 1
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33190r818892_fix" /><check system="C-33215r818891_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 restricts usage of ptrace to descendant processes with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-33190r818892_fix" /><check system="C-33215r833360_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 restricts usage of ptrace to descendant processes with the following commands:
$ sudo sysctl kernel.yama.ptrace_scope
@@ -5867,7 +5903,7 @@ $ sudo grep -r kernel.yama.ptrace_scope /run/sysctl.d/*.conf /usr/local/lib/sysc
|
||
|
|
||
|
If "kernel.yama.ptrace_scope" is not set to "1", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230547"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230547r818896_rule" weight="10.0" severity="medium"><version>RHEL-08-040283</version><title>RHEL 8 must restrict exposed kernel pointer addresses access.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230547"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230547r833363_rule" weight="10.0" severity="medium"><version>RHEL-08-040283</version><title>RHEL 8 must restrict exposed kernel pointer addresses access.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
|
||
|
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
/etc/sysctl.d/*.conf
|
||
|
@@ -5881,13 +5917,13 @@ kernel.kptr_restrict = 1
|
||
|
|
||
|
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-33191r818895_fix" /><check system="C-33216r818894_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 restricts exposed kernel pointer addresses access with the following commands:
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-33191r818895_fix" /><check system="C-33216r833362_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 restricts exposed kernel pointer addresses access with the following commands:
|
||
|
|
||
|
$ sudo sysctl kernel.kptr_restrict
|
||
|
|
||
|
kernel.kptr_restrict = 1
|
||
|
|
||
|
-If the returned line does not have a value of "1", or a line is not returned, this is a finding.
|
||
|
+If the returned line does not have a value of "1" or "2", or a line is not returned, this is a finding.
|
||
|
|
||
|
Check that the configuration files are present to enable this network parameter.
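Review bot: The new check text `+If the returned line does not have a value of "1" or "2", or a line is not returned, this is a finding.` accepts kernel.kptr_restrict=2 as compliant where V1R6 required exactly 1, and the next hunk widens the config-file grep the same way. Value 2 hides %pK pointers from every caller including root, while 1 only hides them from callers without CAP_SYSLOG, so the widening is toward the stricter setting and looks intended. If this repository carries an automated check or remediation for RHEL-08-040283 that pins the value to 1, it presumably needs to accept 2 as well to stay aligned with the manual benchmark — worth verifying. The enclosing Rule element starts before the hunk.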
|
||
|
|
||
|
@@ -5895,9 +5931,9 @@ $ sudo grep -r kernel.kptr_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d
|
||
|
|
||
|
/etc/sysctl.d/99-sysctl.conf: kernel.kptr_restrict = 1
|
||
|
|
||
|
-If "kernel.kptr_restrict" is not set to "1", is missing or commented out, this is a finding.
|
||
|
+If "kernel.kptr_restrict" is not set to "1" or "2", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230548"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230548r818899_rule" weight="10.0" severity="medium"><version>RHEL-08-040284</version><title>RHEL 8 must disable the use of user namespaces.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230548"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230548r833365_rule" weight="10.0" severity="medium"><version>RHEL-08-040284</version><title>RHEL 8 must disable the use of user namespaces.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
|
||
|
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
/etc/sysctl.d/*.conf
|
||
|
@@ -5913,7 +5949,7 @@ user.max_user_namespaces = 0
|
||
|
|
||
|
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-33192r818898_fix" /><check system="C-33217r818897_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 disables the use of user namespaces with the following commands:
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-33192r818898_fix" /><check system="C-33217r833364_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 disables the use of user namespaces with the following commands:
|
||
|
|
||
|
Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.
|
||
|
|
||
|
@@ -5931,7 +5967,7 @@ $ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysc
|
||
|
|
||
|
If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230549"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230549r818902_rule" weight="10.0" severity="medium"><version>RHEL-08-040285</version><title>RHEL 8 must use reverse path filtering on all IPv4 interfaces.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230549"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230549r833367_rule" weight="10.0" severity="medium"><version>RHEL-08-040285</version><title>RHEL 8 must use reverse path filtering on all IPv4 interfaces.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
|
||
|
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
/etc/sysctl.d/*.conf
|
||
|
@@ -5945,13 +5981,13 @@ net.ipv4.conf.all.rp_filter = 1
|
||
|
|
||
|
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-33193r818901_fix" /><check system="C-33218r818900_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands:
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-33193r818901_fix" /><check system="C-33218r833366_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands:
|
||
|
|
||
|
$ sudo sysctl net.ipv4.conf.all.rp_filter
|
||
|
|
||
|
net.ipv4.conf.all.rp_filter = 1
|
||
|
|
||
|
-If the returned line does not have a value of "1", or a line is not returned, this is a finding.
|
||
|
+If the returned line does not have a value of "1" or "2", or a line is not returned, this is a finding.
|
||
|
|
||
|
Check that the configuration files are present to enable this network parameter.
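Review bot: `+If the returned line does not have a value of "1" or "2", or a line is not returned, this is a finding.` now treats net.ipv4.conf.all.rp_filter=2 (loose reverse-path mode) as passing, whereas V1R6 required 1 (strict mode); the next hunk makes the same change for the config-file check. Unlike the kptr_restrict widening earlier in this patch, this relaxes the control: loose mode only drops a packet whose source is unreachable through any interface, so spoofed traffic arriving on the wrong interface of a multihomed host is no longer rejected. That is DISA's decision, but if the project's automated check or remediation for RHEL-08-040285 enforces 1 it will now fail hosts the manual benchmark passes, so the alignment should be reviewed. The enclosing Rule element starts before the hunk.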
|
||
|
|
||
|
@@ -5959,9 +5995,9 @@ $ sudo grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/*.conf /usr/local/lib/s
|
||
|
|
||
|
/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.rp_filter = 1
|
||
|
|
||
|
-If "net.ipv4.conf.all.rp_filter" is not set to "1", is missing or commented out, this is a finding.
|
||
|
+If "net.ipv4.conf.all.rp_filter" is not set to "1" or "2", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230550"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230550r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040290</version><title>RHEL 8 must be configured to prevent unrestricted mail relaying.</title><description><VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33194r568397_fix">If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command:
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230550"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230550r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040290</version><title>RHEL 8 must be configured to prevent unrestricted mail relaying.</title><description><VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33194r568397_fix">If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command:
|
||
|
|
||
|
$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'</fixtext><fix id="F-33194r568397_fix" /><check system="C-33219r568396_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the system is configured to prevent unrestricted mail relaying.
|
||
|
|
||
|
@@ -6155,23 +6191,22 @@ $ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/*
|
||
|
|
||
|
If the either of the following entries are returned, this is a finding:
|
||
|
ALL ALL=(ALL) ALL
|
||
|
-ALL ALL=(ALL:ALL) ALL</check-content></check></Rule></Group><Group id="V-237642"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-237642r809326_rule" weight="10.0" severity="medium"><version>RHEL-08-010383</version><title>RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".</title><description><VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.
|
||
|
+ALL ALL=(ALL:ALL) ALL</check-content></check></Rule></Group><Group id="V-237642"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-237642r833369_rule" weight="10.0" severity="medium"><version>RHEL-08-010383</version><title>RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".</title><description><VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.
|
||
|
For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002227</ident><fixtext fixref="F-40824r646895_fix">Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:
|
||
|
Defaults !targetpw
|
||
|
Defaults !rootpw
|
||
|
-Defaults !runaspw</fixtext><fix id="F-40824r646895_fix" /><check system="C-40861r809325_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.
|
||
|
+Defaults !runaspw</fixtext><fix id="F-40824r646895_fix" /><check system="C-40861r833368_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.
|
||
|
|
||
|
-$ sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'
|
||
|
+$ sudo egrep -ir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#'
|
||
|
|
||
|
/etc/sudoers:Defaults !targetpw
|
||
|
/etc/sudoers:Defaults !rootpw
|
||
|
/etc/sudoers:Defaults !runaspw
|
||
|
|
||
|
-If no results are returned, this is a finding.
|
||
|
-If results are returned from more than one file location, this is a finding.
|
||
|
+If conflicting results are returned, this is a finding.
|
||
|
If "Defaults !targetpw" is not defined, this is a finding.
|
||
|
If "Defaults !rootpw" is not defined, this is a finding.
|
||
|
-If "Defaults !runaspw" is not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-237643"><title>SRG-OS-000373-GPOS-00156</title><description><GroupDescription></GroupDescription></description><Rule id="SV-237643r809328_rule" weight="10.0" severity="medium"><version>RHEL-08-010384</version><title>RHEL 8 must require re-authentication when using the "sudo" command.</title><description><VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
|
||
|
+If "Defaults !runaspw" is not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-237643"><title>SRG-OS-000373-GPOS-00156</title><description><GroupDescription></GroupDescription></description><Rule id="SV-237643r838720_rule" weight="10.0" severity="medium"><version>RHEL-08-010384</version><title>RHEL 8 must require re-authentication when using the "sudo" command.</title><description><VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
|
||
|
|
||
|
When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command.
|
||
|
|
||
|
@@ -6181,12 +6216,12 @@ $ sudo visudo
|
||
|
|
||
|
Add or modify the following line:
|
||
|
Defaults timestamp_timeout=[value]
|
||
|
-Note: The "[value]" must be a number that is greater than or equal to "0".</fixtext><fix id="F-40825r646898_fix" /><check system="C-40862r809327_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges.
|
||
|
+Note: The "[value]" must be a number that is greater than or equal to "0".</fixtext><fix id="F-40825r646898_fix" /><check system="C-40862r838719_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges.
|
||
|
|
||
|
-$ sudo grep -i 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/*
|
||
|
+$ sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d
|
||
|
/etc/sudoers:Defaults timestamp_timeout=0
|
||
|
|
||
|
-If results are returned from more than one file location, this is a finding.
|
||
|
+If conflicting results are returned, this is a finding.
|
||
|
|
||
|
If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-244519"><title>SRG-OS-000023-GPOS-00006</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244519r743806_rule" weight="10.0" severity="medium"><version>RHEL-08-010049</version><title>RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.</title><description><VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
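Review bot: The new command `+$ sudo egrep -ir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#'` drops the leading `!` from the pattern, so an un-negated `Defaults rootpw` (the non-compliant form) now appears in the output alongside the negated ones; that is presumably what the new "If conflicting results are returned" sentence relies on, but the three "is not defined" sentences below no longer say explicitly that an un-negated form present anywhere is itself a finding. `/etc/sudoers.d*` is an unanchored glob rather than the directory path, so it also matches any other entry in /etc whose name begins with `sudoers.d`, and the carried-over `| grep -v '#'` discards any matching line that contains `#` anywhere, including an effective `Defaults !rootpw` followed by an inline comment. If the project's automated check for RHEL-08-010383 mirrors this pipeline, it should match `Defaults` lines in `/etc/sudoers` and `/etc/sudoers.d/` directly rather than reuse the shell command. The enclosing Rule element begins before the hunk.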
|
||
|
|
||
|
@@ -6735,7 +6770,7 @@ $ sudo yum list installed openssh-server
|
||
|
|
||
|
openssh-server.x86_64 8.0p1-5.el8 @anaconda
|
||
|
|
||
|
-If the "SSH server" package is not installed, this is a finding.</check-content></check></Rule></Group><Group id="V-244550"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244550r818845_rule" weight="10.0" severity="medium"><version>RHEL-08-040209</version><title>RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
|
||
|
+If the "SSH server" package is not installed, this is a finding.</check-content></check></Rule></Group><Group id="V-244550"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244550r833373_rule" weight="10.0" severity="medium"><version>RHEL-08-040209</version><title>RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
|
||
|
|
||
|
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
/etc/sysctl.d/*.conf
|
||
|
@@ -6751,9 +6786,7 @@ net.ipv4.conf.default.accept_redirects = 0
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-47782r818844_fix" /><check system="C-47825r818843_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 will not accept IPv4 ICMP redirect messages.
|
||
|
-
|
||
|
-Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-47782r818844_fix" /><check system="C-47825r833372_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 will not accept IPv4 ICMP redirect messages.
|
||
|
|
||
|
Check the value of the default "accept_redirects" variables with the following command:
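Review bot: Removing `-Note: If IPv4 is disabled on the system, this requirement is Not Applicable.` leaves the check for RHEL-08-040209 with no applicability statement for hosts that have IPv4 disabled, and the hunks for RHEL-08-040239 and RHEL-08-040249 further down drop the same sentence. Nothing in the new text replaces it, so such a host is now assessed against the sysctl values like any other. If the project's rules for these three IDs carry an IPv4-only platform applicability derived from V1R6, that scoping now goes beyond what the manual benchmark states and should be reconciled. The enclosing Rule element starts before the hunk.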
|
||
|
|
||
|
@@ -6771,7 +6804,7 @@ $ sudo grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/
|
||
|
|
||
|
If "net.ipv4.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-244551"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244551r818857_rule" weight="10.0" severity="medium"><version>RHEL-08-040239</version><title>RHEL 8 must not forward IPv4 source-routed packets.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-244551"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244551r833375_rule" weight="10.0" severity="medium"><version>RHEL-08-040239</version><title>RHEL 8 must not forward IPv4 source-routed packets.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
|
||
|
|
||
|
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
/etc/sysctl.d/*.conf
|
||
|
@@ -6787,9 +6820,7 @@ net.ipv4.conf.all.accept_source_route=0
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-47783r818856_fix" /><check system="C-47826r818855_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept IPv4 source-routed packets.
|
||
|
-
|
||
|
-Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-47783r818856_fix" /><check system="C-47826r833374_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept IPv4 source-routed packets.
|
||
|
|
||
|
Check the value of the accept source route variable with the following command:
|
||
|
|
||
|
@@ -6807,7 +6838,7 @@ $ sudo grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/l
|
||
|
|
||
|
If "net.ipv4.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding.
|
||
|
|
||
|
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-244552"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244552r818863_rule" weight="10.0" severity="medium"><version>RHEL-08-040249</version><title>RHEL 8 must not forward IPv4 source-routed packets by default.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
|
||
|
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-244552"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244552r833377_rule" weight="10.0" severity="medium"><version>RHEL-08-040249</version><title>RHEL 8 must not forward IPv4 source-routed packets by default.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
|
||
|
|
||
|
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
|
||
|
/etc/sysctl.d/*.conf
|
||
|
@@ -6823,9 +6854,7 @@ net.ipv4.conf.default.accept_source_route=0
|
||
|
|
||
|
Load settings from all system configuration files with the following command:
|
||
|
|
||
|
-$ sudo sysctl --system</fixtext><fix id="F-47784r818862_fix" /><check system="C-47827r818861_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept IPv4 source-routed packets by default.
|
||
|
-
|
||
|
-Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
|
||
|
+$ sudo sysctl --system</fixtext><fix id="F-47784r818862_fix" /><check system="C-47827r833376_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept IPv4 source-routed packets by default.
|
||
|
|
||
|
Check the value of the accept source route variable with the following command:
|
||
|
|
||
|
@@ -6843,7 +6872,7 @@ $ sudo grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/*.conf /u
If "net.ipv4.conf.default.accept_source_route" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-244553"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244553r818884_rule" weight="10.0" severity="medium"><version>RHEL-08-040279</version><title>RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-244553"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244553r833379_rule" weight="10.0" severity="medium"><version>RHEL-08-040279</version><title>RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
@@ -6859,9 +6888,7 @@ net.ipv4.conf.all.accept_redirects = 0
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-47785r818883_fix" /><check system="C-47828r818882_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 ignores IPv4 ICMP redirect messages.
-
-Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
+$ sudo sysctl --system</fixtext><fix id="F-47785r818883_fix" /><check system="C-47828r833378_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 ignores IPv4 ICMP redirect messages.
Check the value of the "accept_redirects" variables with the following command:
@@ -6879,7 +6906,7 @@ $ sudo grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/loca
If "net.ipv4.conf.all.accept_redirects" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-244554"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244554r818905_rule" weight="10.0" severity="medium"><version>RHEL-08-040286</version><title>RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-244554"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244554r833381_rule" weight="10.0" severity="medium"><version>RHEL-08-040286</version><title>RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to "2" enables JIT hardening for all users.
@@ -6895,7 +6922,7 @@ net.core.bpf_jit_harden = 2
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
-$ sudo sysctl --system</fixtext><fix id="F-47786r818904_fix" /><check system="C-47829r818903_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 enables hardening for the BPF JIT with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-47786r818904_fix" /><check system="C-47829r833380_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 enables hardening for the BPF JIT with the following commands:
$ sudo sysctl net.core.bpf_jit_harden
@@ -6911,7 +6938,7 @@ $ sudo grep -r net.core.bpf_jit_harden /run/sysctl.d/*.conf /usr/local/lib/sysct
If "net.core.bpf_jit_harden" is not set to "2", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-245540"><title>SRG-OS-000191-GPOS-00080</title><description><GroupDescription></GroupDescription></description><Rule id="SV-245540r754730_rule" weight="10.0" severity="medium"><version>RHEL-08-010001</version><title>The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.</title><description><VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001233</ident><fixtext fixref="F-48770r754729_fix">Install and enable the latest McAfee ENSLTP package.</fixtext><fix id="F-48770r754729_fix" /><check system="C-48814r754728_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-245540"><title>SRG-OS-000191-GPOS-00080</title><description><GroupDescription></GroupDescription></description><Rule id="SV-245540r754730_rule" weight="10.0" severity="medium"><version>RHEL-08-010001</version><title>The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.</title><description><VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001233</ident><fixtext fixref="F-48770r754729_fix">Install and enable the latest McAfee ENSLTP package.</fixtext><fix id="F-48770r754729_fix" /><check system="C-48814r754728_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux.
Procedure:
Check that the following package has been installed:
@@ -6985,7 +7012,7 @@ $ sudo ls -Zd /var/log/faillock
unconfined_u:object_r:faillog_t:s0 /var/log/faillock
-If the security context type of the non-default tally directory is not "faillog_t", this is a finding.</check-content></check></Rule></Group><Group id="V-250317"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-250317r818869_rule" weight="10.0" severity="medium"><version>RHEL-08-040259</version><title>RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
+If the security context type of the non-default tally directory is not "faillog_t", this is a finding.</check-content></check></Rule></Group><Group id="V-250317"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-250317r833383_rule" weight="10.0" severity="medium"><version>RHEL-08-040259</version><title>RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
@@ -7001,15 +7028,13 @@ net.ipv4.conf.all.forwarding=0
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-53705r818868_fix" /><check system="C-53751r818867_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router.
-
-Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
+$ sudo sysctl --system</fixtext><fix id="F-53705r818868_fix" /><check system="C-53751r833382_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router.
Check that IPv4 forwarding is disabled using the following command:
-$ sudo sysctl net.ipv4.ip_forward
+$ sudo sysctl net.ipv4.conf.all.forwarding
-net.ipv4.ip_forward = 0
+net.ipv4.conf.all.forwarding = 0
If the IPv4 forwarding value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Check that the configuration files are present to enable this network parameter.
@@ -7020,7 +7045,7 @@ $ sudo grep -r net.ipv4.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/
If "net.ipv4.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-251706"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251706r809342_rule" weight="10.0" severity="high"><version>RHEL-08-010121</version><title>The RHEL 8 operating system must not have accounts configured with blank or null passwords.</title><description><VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-55097r809341_fix">Configure all accounts on the system to have a password or lock the account with the following commands:
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-251706"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251706r809342_rule" weight="10.0" severity="high"><version>RHEL-08-010121</version><title>The RHEL 8 operating system must not have accounts configured with blank or null passwords.</title><description><VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-55097r809341_fix">Configure all accounts on the system to have a password or lock the account with the following commands:
Perform a password reset:
$ sudo passwd [username]
@@ -7071,8 +7096,8 @@ aide-0.16-14.el8.x86_64
If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.
-If there is no application installed to perform integrity checks, this is a finding.</check-content></check></Rule></Group><Group id="V-251711"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251711r810015_rule" weight="10.0" severity="medium"><version>RHEL-08-010379</version><title>RHEL 8 must specify the default "include" directory for the /etc/sudoers file.</title><description><VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.
-
+If there is no application installed to perform integrity checks, this is a finding.</check-content></check></Rule></Group><Group id="V-251711"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251711r833385_rule" weight="10.0" severity="medium"><version>RHEL-08-010379</version><title>RHEL 8 must specify the default "include" directory for the /etc/sudoers file.</title><description><VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.
+
It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-55102r809356_fix">Configure the /etc/sudoers file to only include the /etc/sudoers.d directory.
Edit the /etc/sudoers file with the following command:
@@ -7080,7 +7105,9 @@ Edit the /etc/sudoers file with the following command:
$ sudo visudo
Add or modify the following line:
-#includedir /etc/sudoers.d</fixtext><fix id="F-55102r809356_fix" /><check system="C-55148r809355_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command:
+#includedir /etc/sudoers.d</fixtext><fix id="F-55102r809356_fix" /><check system="C-55148r833384_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Note: If the "include" and "includedir" directives are not present in the /etc/sudoers file, this requirement is not applicable.
+
+Verify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command:
$ sudo grep include /etc/sudoers
@@ -7090,7 +7117,7 @@ If the results are not "/etc/sudoers.d" or additional files or directories are s
Verify the operating system does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command:
-$ sudo grep include /etc/sudoers.d/*
+$ sudo grep -r include /etc/sudoers.d
If results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-251712"><title>SRG-OS-000373-GPOS-00156</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251712r810017_rule" weight="10.0" severity="medium"><version>RHEL-08-010385</version><title>The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.</title><description><VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
@@ -7163,7 +7190,7 @@ $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality
password required pam_pwquality.so retry=3
-If the value of "retry" is set to "0" or greater than "3", this is a finding.</check-content></check></Rule></Group><Group id="V-251716"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251716r809372_rule" weight="10.0" severity="medium"><version>RHEL-08-020104</version><title>RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.
+If the value of "retry" is set to "0" or greater than "3", this is a finding.</check-content></check></Rule></Group><Group id="V-251716"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251716r833387_rule" weight="10.0" severity="medium"><version>RHEL-08-020104</version><title>RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.
RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This is set in both:
/etc/pam.d/password-auth
@@ -7172,18 +7199,20 @@ By limiting the number of attempts to meet the pwquality module complexity requi
Add the following line to the "/etc/security/pwquality.conf" file(or modify the line to have the required value):
-retry = 3</fixtext><fix id="F-55107r809371_fix" /><check system="C-55153r809370_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable.
+retry = 3</fixtext><fix id="F-55107r809371_fix" /><check system="C-55153r833386_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable.
Verify the operating system is configured to limit the "pwquality" retry option to 3.
Check for the use of the "pwquality" retry option with the following command:
-$ sudo grep retry /etc/security/pwquality.conf
+$ sudo grep -r retry /etc/security/pwquality.conf*
-retry = 3
+/etc/security/pwquality.conf:retry = 3
If the value of "retry" is set to "0" or greater than "3", is commented out or missing, this is a finding.
+If conflicting results are returned, this is a finding.
+
Check for the use of the "pwquality" retry option in the system-auth and password-auth files with the following command:
$ sudo grep retry /etc/pam.d/system-auth /etc/pam.d/password-auth
From feea7690b848d68c150712c841c74703b70e1a02 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 1 Aug 2022 14:46:19 +0200
Subject: [PATCH 2/3] Update DISA STIG RHEL8 SCAP content to V1R6
The V1R6 SCAP content is aligned with the V1R7 manual benchmark.
---
...ml => disa-stig-rhel8-v1r6-xccdf-scap.xml} | 945 ++++++++++--------
1 file changed, 539 insertions(+), 406 deletions(-)
rename shared/references/{disa-stig-rhel8-v1r5-xccdf-scap.xml => disa-stig-rhel8-v1r6-xccdf-scap.xml} (96%)
diff --git a/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml
similarity index 96%
rename from shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml
rename to shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml
index 1bd2fb7b659..e87b16eb377 100644
--- a/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml
+++ b/shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml
@@ -1,36 +1,36 @@
|
||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
-<data-stream-collection xmlns="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="scap_mil.disa.stig_collection_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark" schematron-version="1.2" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 http://scap.nist.gov/schema/xccdf/1.2/xccdf_1.2.xsd http://cpe.mitre.org/dictionary/2.0 http://scap.nist.gov/schema/cpe/2.3/cpe-dictionary_2.3.xsd http://oval.mitre.org/XMLSchema/oval-common-5 http://oval.mitre.org/language/download/schema/version5.10.1/ovaldefinition/complete/oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 http://oval.mitre.org/language/download/schema/version5.10.1/ovaldefinition/complete/oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent http://oval.mitre.org/language/download/schema/version5.10.1/ovaldefinition/complete/independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux http://oval.mitre.org/language/download/schema/version5.10.1/ovaldefinition/complete/linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix http://oval.mitre.org/language/download/schema/version5.10.1/ovaldefinition/complete/unix-definitions-schema.xsd http://scap.nist.gov/schema/scap/source/1.2 http://scap.nist.gov/schema/scap/1.2/scap-source-data-stream_1.2.xsd">
|
||
|
- <data-stream id="scap_mil.disa.stig_datastream_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark" use-case="CONFIGURATION" scap-version="1.2" timestamp="2022-03-28T12:45:13">
|
||
|
+<data-stream-collection xmlns="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="scap_mil.disa.stig_collection_U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark" schematron-version="1.2" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 http://scap.nist.gov/schema/xccdf/1.2/xccdf_1.2.xsd http://cpe.mitre.org/dictionary/2.0 http://scap.nist.gov/schema/cpe/2.3/cpe-dictionary_2.3.xsd http://oval.mitre.org/XMLSchema/oval-common-5 http://oval.mitre.org/language/download/schema/version5.10.1/ovaldefinition/complete/oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 http://oval.mitre.org/language/download/schema/version5.10.1/ovaldefinition/complete/oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent http://oval.mitre.org/language/download/schema/version5.10.1/ovaldefinition/complete/independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux http://oval.mitre.org/language/download/schema/version5.10.1/ovaldefinition/complete/linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix http://oval.mitre.org/language/download/schema/version5.10.1/ovaldefinition/complete/unix-definitions-schema.xsd http://scap.nist.gov/schema/scap/source/1.2 http://scap.nist.gov/schema/scap/1.2/scap-source-data-stream_1.2.xsd">
|
||
|
+ <data-stream id="scap_mil.disa.stig_datastream_U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark" use-case="CONFIGURATION" scap-version="1.2" timestamp="2022-06-28T15:27:20">
|
||
|
<dictionaries>
|
||
|
- <component-ref xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_mil.disa.stig_cref_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-cpe-dictionary.xml" xlink:href="#scap_mil.disa.stig_comp_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-cpe-dictionary.xml">
|
||
|
+ <component-ref xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_mil.disa.stig_cref_U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-cpe-dictionary.xml" xlink:href="#scap_mil.disa.stig_comp_U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-cpe-dictionary.xml">
|
||
|
<cat:catalog xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog">
|
||
|
- <cat:uri name="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-cpe-oval.xml" uri="#scap_mil.disa.stig_cref_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-cpe-oval.xml" />
|
||
|
+ <cat:uri name="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-cpe-oval.xml" uri="#scap_mil.disa.stig_cref_U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-cpe-oval.xml" />
|
||
|
</cat:catalog>
|
||
|
</component-ref>
|
||
|
</dictionaries>
|
||
|
<checklists>
|
||
|
- <component-ref xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_mil.disa.stig_cref_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-xccdf.xml" xlink:href="#scap_mil.disa.stig_comp_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-xccdf.xml">
|
||
|
+ <component-ref xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_mil.disa.stig_cref_U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-xccdf.xml" xlink:href="#scap_mil.disa.stig_comp_U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-xccdf.xml">
|
||
|
<cat:catalog xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog">
|
||
|
- <cat:uri name="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" uri="#scap_mil.disa.stig_cref_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <cat:uri name="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" uri="#scap_mil.disa.stig_cref_U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</cat:catalog>
|
||
|
</component-ref>
|
||
|
</checklists>
|
||
|
<checks>
|
||
|
- <component-ref xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_mil.disa.stig_cref_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" xlink:href="#scap_mil.disa.stig_comp_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
- <component-ref xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_mil.disa.stig_cref_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-cpe-oval.xml" xlink:href="#scap_mil.disa.stig_comp_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-cpe-oval.xml" />
|
||
|
+ <component-ref xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_mil.disa.stig_cref_U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" xlink:href="#scap_mil.disa.stig_comp_U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <component-ref xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_mil.disa.stig_cref_U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-cpe-oval.xml" xlink:href="#scap_mil.disa.stig_comp_U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-cpe-oval.xml" />
|
||
|
</checks>
|
||
|
</data-stream>
|
||
|
- <component id="scap_mil.disa.stig_comp_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-cpe-dictionary.xml" timestamp="2022-03-28T12:45:13">
|
||
|
+ <component id="scap_mil.disa.stig_comp_U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-cpe-dictionary.xml" timestamp="2022-06-28T15:27:20">
|
||
|
<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
|
||
|
<cpe-item name="cpe:/o:redhat:enterprise_linux:8">
|
||
|
<title xml:lang="en-us">Red Hat Enterprise Linux 8</title>
|
||
|
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-cpe-oval.xml">oval:mil.disa.stig.rhel8:def:1</check>
|
||
|
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-cpe-oval.xml">oval:mil.disa.stig.rhel8:def:1</check>
|
||
|
</cpe-item>
|
||
|
</cpe-list>
|
||
|
</component>
|
||
|
- <component id="scap_mil.disa.stig_comp_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-xccdf.xml" timestamp="2022-03-28T12:45:13">
|
||
|
+ <component id="scap_mil.disa.stig_comp_U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-xccdf.xml" timestamp="2022-06-28T15:27:20">
|
||
|
<xccdf:Benchmark xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xhtml="http://www.w3.org/1999/xhtml" id="xccdf_mil.disa.stig_benchmark_RHEL_8_STIG" xml:lang="en" style="SCAP_1.2">
|
||
|
- <xccdf:status date="2022-02-17">accepted</xccdf:status>
|
||
|
+ <xccdf:status date="2022-06-15">accepted</xccdf:status>
|
||
|
<xccdf:title>Red Hat Enterprise Linux 8 Security Technical Implementation Guide</xccdf:title>
|
||
|
<xccdf:description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</xccdf:description>
|
||
|
<xccdf:notice id="terms-of-use" xml:lang="en" />
|
||
|
@@ -40,11 +40,11 @@
|
||
|
<dc:publisher>DISA</dc:publisher>
|
||
|
<dc:source>STIG.DOD.MIL</dc:source>
|
||
|
</xccdf:reference>
|
||
|
- <xccdf:plain-text id="release-info">Release: 1.5 Benchmark Date: 27 Apr 2022</xccdf:plain-text>
|
||
|
+ <xccdf:plain-text id="release-info">Release: 1.6 Benchmark Date: 27 Jul 2022</xccdf:plain-text>
|
||
|
<xccdf:plain-text id="generator">3.3.0.27375</xccdf:plain-text>
|
||
|
<xccdf:plain-text id="conventionsVersion">1.10.0</xccdf:plain-text>
|
||
|
<xccdf:platform idref="cpe:/o:redhat:enterprise_linux:8" />
|
||
|
- <xccdf:version update="http://iase.disa.mil/stigs">001.005</xccdf:version>
|
||
|
+ <xccdf:version update="http://iase.disa.mil/stigs">001.006</xccdf:version>
|
||
|
<xccdf:metadata>
|
||
|
<dc:creator>DISA</dc:creator>
|
||
|
<dc:publisher>DISA</dc:publisher>
|
||
|
@@ -2189,15 +2189,15 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230257r792862_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230258r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230259r792864_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230266r818816_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230267r818819_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230268r818822_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230269r818825_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230270r818828_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230271r627750_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230266r833290_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230267r833292_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230268r833294_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230269r833296_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230270r833298_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230271r833301_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230272r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230273r743943_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230280r818831_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230280r833303_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230281r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230282r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230286r627750_rule" selected="false" />
|
||
|
@@ -2217,7 +2217,7 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230306r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230307r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230308r627750_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230311r818834_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230311r833305_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230313r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230314r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230315r627750_rule" selected="false" />
|
||
|
@@ -2237,26 +2237,26 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230345r743984_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230346r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230348r743987_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230349r810020_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230349r833388_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230350r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230356r809379_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230357r627750_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230358r627750_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230359r627750_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230360r809289_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230361r627750_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230362r627750_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230363r627750_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230357r833313_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230358r833315_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230359r833317_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230360r833319_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230361r833321_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230362r833323_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230363r833325_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230364r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230365r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230366r646878_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230367r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230368r810414_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230369r627750_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230369r833327_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230370r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230373r627750_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230375r627750_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230377r627750_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230375r833329_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230377r833331_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230378r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230382r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230383r627750_rule" selected="false" />
|
||
|
@@ -2337,7 +2337,7 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230498r792922_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230499r792924_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230503r809319_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230507r627750_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230507r833336_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230508r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230509r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230510r627750_rule" selected="false" />
|
||
|
@@ -2355,21 +2355,21 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230522r792933_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230526r744032_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230527r627750_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230535r818848_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230536r818851_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230537r818854_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230538r818860_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230539r818866_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230540r818872_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230541r818875_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230542r818878_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230543r818881_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230544r818887_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230545r818890_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230546r818893_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230547r818896_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230548r818899_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230549r818902_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230535r833340_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230536r833342_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230537r833344_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230538r833346_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230539r838722_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230540r833349_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230541r833351_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230542r833353_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230543r833355_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230544r833357_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230545r833359_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230546r833361_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230547r833363_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230548r833365_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230549r833367_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230550r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230555r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230556r627750_rule" selected="false" />
|
||
|
@@ -2379,9 +2379,9 @@
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-230561r627750_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-237640r646890_rule" selected="false" />
|
||
|
<xccdf:select idref="xccdf_mil.disa.stig_rule_SV-237641r646893_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-237642r809326_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-237643r809328_rule" selected="false" />
|
||
|
- <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-244554r818905_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-237642r833369_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-237643r838720_rule" selected="false" />
|
||
|
+ <xccdf:select idref="xccdf_mil.disa.stig_rule_SV-244554r833381_rule" selected="false" />
|
||
|
</xccdf:Profile>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230221">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
@@ -2403,7 +2403,7 @@ Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise L
|
||
|
<xccdf:fixtext fixref="F-32865r567410_fix">Upgrade to a supported version of RHEL 8.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32865r567410_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:100" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:100" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2439,7 +2439,7 @@ $ sudo fips-mode-setup --enable
|
||
|
Reboot the system for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32867r567416_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:101" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:101" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2469,7 +2469,7 @@ Edit/Modify the following line in the "/etc/login.defs" file and set "[ENCRYPT_M
|
||
|
ENCRYPT_METHOD SHA512</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32875r567440_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:103" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:103" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2493,7 +2493,7 @@ Passwords need to be protected at all times, and encryption is the standard meth
|
||
|
<xccdf:fixtext fixref="F-32876r567443_fix">Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32876r567443_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:104" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:104" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2521,7 +2521,7 @@ Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_
|
||
|
SHA_CRYPT_MIN_ROUNDS 5000</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32877r809272_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:105" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:105" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2549,7 +2549,7 @@ Enter password:
|
||
|
Confirm password:</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32878r743921_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:106" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:106" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2577,7 +2577,7 @@ Enter password:
|
||
|
Confirm password:</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32879r743924_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:107" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:107" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2601,7 +2601,7 @@ Confirm password:</xccdf:fixtext>
|
||
|
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32880r743927_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:108" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:108" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2631,7 +2631,7 @@ Edit/modify the following line in the "/etc/pam.d/password-auth" file to include
|
||
|
password sufficient pam_unix.so sha512</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32881r809275_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:109" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:109" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2661,7 +2661,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access
|
||
|
Remove any files with the .keytab extension from the operating system.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32882r567461_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:110" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:110" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2691,7 +2691,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access
|
||
|
$ sudo yum remove krb5-workstation</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32883r567464_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:111" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:111" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2717,7 +2717,7 @@ Policycoreutils contains the policy core utilities that are required for basic o
|
||
|
$ sudo yum install policycoreutils</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32885r567470_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:112" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:112" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2753,7 +2753,7 @@ In order for the changes to take effect, the SSH daemon must be restarted.
|
||
|
$ sudo systemctl restart sshd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32888r743933_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:115" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:115" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2779,7 +2779,7 @@ The structure and content of error messages must be carefully considered by the
|
||
|
$ sudo chmod 0640 /var/log/messages</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32889r567482_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:116" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:116" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2805,7 +2805,7 @@ The structure and content of error messages must be carefully considered by the
|
||
|
$ sudo chown root /var/log/messages</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32890r567485_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:117" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:117" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2831,7 +2831,7 @@ The structure and content of error messages must be carefully considered by the
|
||
|
$ sudo chgrp root /var/log/messages</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32891r567488_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:118" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:118" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2857,7 +2857,7 @@ The structure and content of error messages must be carefully considered by the
|
||
|
$ sudo chmod 0755 /var/log</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32892r567491_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:119" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:119" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -2883,7 +2883,7 @@ The structure and content of error messages must be carefully considered by the
$ sudo chown root /var/log</xccdf:fixtext>
<xccdf:fix id="F-32893r567494_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:120" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:120" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -2909,7 +2909,7 @@ The structure and content of error messages must be carefully considered by the
$ sudo chgrp root /var/log</xccdf:fixtext>
<xccdf:fix id="F-32894r567497_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:121" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:121" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -2939,7 +2939,7 @@ SSH_USE_STRONG_RNG=32
The SSH service must be restarted for changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-32897r567506_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:122" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:122" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -2977,7 +2977,7 @@ DTLS.MinProtocol = DTLSv1.2
A reboot is required for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-32899r809381_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:123" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:123" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3005,7 +3005,7 @@ Run the following command, replacing "[FILE]" with any system command with a mod
$ sudo chmod 755 [FILE]</xccdf:fixtext>
<xccdf:fix id="F-32901r792861_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:124" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:124" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3033,7 +3033,7 @@ Run the following command, replacing "[FILE]" with any system command file not o
$ sudo chown root [FILE]</xccdf:fixtext>
<xccdf:fix id="F-32902r567521_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:125" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:125" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3061,7 +3061,7 @@ Run the following command, replacing "[FILE]" with any system command file not g
$ sudo chgrp root [FILE]</xccdf:fixtext>
<xccdf:fix id="F-32903r567524_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:126" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:126" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3089,7 +3089,7 @@ Verifying the authenticity of the software prior to installation validates the i
gpgcheck=1</xccdf:fixtext>
<xccdf:fix id="F-32908r567539_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:130" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:130" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3119,14 +3119,14 @@ Set the "localpkg_gpgcheck" option to "True" in the "/etc/dnf/dnf.conf" file:
localpkg_gpgcheck=True</xccdf:fixtext>
<xccdf:fix id="F-32909r567542_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:131" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:131" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230266">
<xccdf:title>SRG-OS-000366-GPOS-00153</xccdf:title>
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230266r818816_rule" weight="10.0" severity="medium">
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230266r833290_rule" weight="10.0" severity="medium">
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-010372</xccdf:version>
<xccdf:title>RHEL 8 must prevent the loading of a new kernel for later execution.</xccdf:title>
<xccdf:description><VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
@@ -3159,14 +3159,14 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system</xccdf:fixtext>
<xccdf:fix id="F-32910r818815_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:132" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:132" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230267">
<xccdf:title>SRG-OS-000312-GPOS-00122</xccdf:title>
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230267r818819_rule" weight="10.0" severity="medium">
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230267r833292_rule" weight="10.0" severity="medium">
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-010373</xccdf:version>
<xccdf:title>RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.</xccdf:title>
<xccdf:description><VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
@@ -3203,14 +3203,14 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system</xccdf:fixtext>
<xccdf:fix id="F-32911r818818_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:133" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:133" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230268">
<xccdf:title>SRG-OS-000312-GPOS-00122</xccdf:title>
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230268r818822_rule" weight="10.0" severity="medium">
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230268r833294_rule" weight="10.0" severity="medium">
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-010374</xccdf:version>
<xccdf:title>RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.</xccdf:title>
<xccdf:description><VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
@@ -3247,14 +3247,14 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system</xccdf:fixtext>
<xccdf:fix id="F-32912r818821_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:134" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:134" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230269">
<xccdf:title>SRG-OS-000138-GPOS-00069</xccdf:title>
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230269r818825_rule" weight="10.0" severity="low">
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230269r833296_rule" weight="10.0" severity="low">
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-010375</xccdf:version>
<xccdf:title>RHEL 8 must restrict access to the kernel message buffer.</xccdf:title>
<xccdf:description><VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
@@ -3291,14 +3291,14 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system</xccdf:fixtext>
<xccdf:fix id="F-32913r818824_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:135" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:135" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230270">
<xccdf:title>SRG-OS-000138-GPOS-00069</xccdf:title>
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230270r818828_rule" weight="10.0" severity="low">
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230270r833298_rule" weight="10.0" severity="low">
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-010376</xccdf:version>
<xccdf:title>RHEL 8 must prevent kernel profiling by unprivileged users.</xccdf:title>
<xccdf:description><VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
@@ -3335,14 +3335,14 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system</xccdf:fixtext>
<xccdf:fix id="F-32914r818827_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:136" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:136" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230271">
<xccdf:title>SRG-OS-000373-GPOS-00156</xccdf:title>
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230271r627750_rule" weight="10.0" severity="medium">
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230271r833301_rule" weight="10.0" severity="medium">
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-010380</xccdf:version>
<xccdf:title>RHEL 8 must require users to provide a password for privilege escalation.</xccdf:title>
<xccdf:description><VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
@@ -3358,10 +3358,20 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO
<dc:identifier>2921</dc:identifier>
</xccdf:reference>
<xccdf:ident system="http://cyber.mil/cci">CCI-002038</xccdf:ident>
- <xccdf:fixtext fixref="F-32915r567560_fix">Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.</xccdf:fixtext>
- <xccdf:fix id="F-32915r567560_fix" />
+ <xccdf:fixtext fixref="F-32915r833300_fix">Configure the operating system to require users to supply a password for privilege escalation.
+
+Check the configuration of the "/etc/sudoers" file with the following command:
+$ sudo visudo
+
+Remove any occurrences of "NOPASSWD" tags in the file.
+
+Check the configuration of the /etc/sudoers.d/* files with the following command:
+$ sudo grep -ir nopasswd /etc/sudoers.d
+
+Remove any occurrences of "NOPASSWD" tags in the file.</xccdf:fixtext>
+ <xccdf:fix id="F-32915r833300_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:137" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:137" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
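Review bot: The new fix text for RHEL-08-010380 (the `+` lines that replace F-32915r567560_fix) only reaches `/etc/sudoers` and `/etc/sudoers.d`, so a sudoers that pulls in rules through a non-default `@includedir`/`@include` (or legacy `#includedir`) target is covered by neither `sudo visudo` nor `sudo grep -ir nopasswd /etc/sudoers.d`, and `visudo` opens the file for editing rather than merely "checking" it as the text says. This file looks like a verbatim vendored copy of the DISA benchmark, so I would not edit the wording here; the point is for whichever project rule and OVAL check implement this STIG ID, which should enumerate every included sudoers path (e.g. `sudo grep -iE '^[#@]include' /etc/sudoers`) instead of assuming the default include directory. Whether that rule already handles include directives is not visible from this diff, so please confirm against the rule's own description rather than adding a comment to this reference file.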
@@ -3387,7 +3397,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO
<xccdf:fixtext fixref="F-32916r567563_fix">Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.</xccdf:fixtext>
<xccdf:fix id="F-32916r567563_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:138" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:138" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3419,14 +3429,14 @@ This requirement only applies to components where this is specific to the functi
$ sudo yum install openssl-pkcs11</xccdf:fixtext>
<xccdf:fix id="F-32917r743942_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:139" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:139" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230280">
<xccdf:title>SRG-OS-000433-GPOS-00193</xccdf:title>
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230280r818831_rule" weight="10.0" severity="medium">
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230280r833303_rule" weight="10.0" severity="medium">
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-010430</xccdf:version>
<xccdf:title>RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.</xccdf:title>
<xccdf:description><VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
@@ -3459,7 +3469,7 @@ Issue the following command to make the changes take effect:
$ sudo sysctl --system</xccdf:fixtext>
<xccdf:fix id="F-32924r818830_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:144" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:144" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3485,7 +3495,7 @@ Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.con
clean_requirements_on_remove=True</xccdf:fixtext>
<xccdf:fix id="F-32925r567590_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:145" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:145" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3515,7 +3525,7 @@ SELINUXTYPE=targeted
A reboot is required for the changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-32926r567593_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:146" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:146" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3539,7 +3549,7 @@ A reboot is required for the changes to take effect.</xccdf:fixtext>
$ sudo rm /etc/ssh/shosts.equiv</xccdf:fixtext>
<xccdf:fix id="F-32927r567596_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:147" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:147" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3563,7 +3573,7 @@ $ sudo rm /etc/ssh/shosts.equiv</xccdf:fixtext>
$ sudo rm /[path]/[to]/[file]/.shosts</xccdf:fixtext>
<xccdf:fix id="F-32928r567599_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:148" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:148" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3591,7 +3601,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
$ sudo systemctl restart sshd.service</xccdf:fixtext>
<xccdf:fix id="F-32930r567605_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:149" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:149" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3619,7 +3629,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
$ sudo systemctl restart sshd.service</xccdf:fixtext>
<xccdf:fix id="F-32931r743950_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:150" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:150" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3647,7 +3657,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
$ sudo systemctl restart sshd.service</xccdf:fixtext>
<xccdf:fix id="F-32932r567611_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:151" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:151" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3673,7 +3683,7 @@ Compression no
The SSH service must be restarted for changes to take effect.</xccdf:fixtext>
<xccdf:fix id="F-32933r743953_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:152" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:152" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3703,7 +3713,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
$ sudo systemctl restart sshd.service</xccdf:fixtext>
<xccdf:fix id="F-32934r567617_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:153" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:153" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3733,7 +3743,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
$ sudo systemctl restart sshd.service</xccdf:fixtext>
<xccdf:fix id="F-32935r743956_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:154" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:154" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3755,7 +3765,7 @@ $ sudo systemctl restart sshd.service</xccdf:fixtext>
<xccdf:fixtext fixref="F-32936r567623_fix">Migrate the "/var" path onto a separate file system.</xccdf:fixtext>
<xccdf:fix id="F-32936r567623_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:155" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:155" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3777,7 +3787,7 @@ $ sudo systemctl restart sshd.service</xccdf:fixtext>
<xccdf:fixtext fixref="F-32937r567626_fix">Migrate the "/var/log" path onto a separate file system.</xccdf:fixtext>
<xccdf:fix id="F-32937r567626_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:156" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:156" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3799,7 +3809,7 @@ $ sudo systemctl restart sshd.service</xccdf:fixtext>
<xccdf:fixtext fixref="F-32938r567629_fix">Migrate the system audit data path onto a separate file system.</xccdf:fixtext>
<xccdf:fix id="F-32938r567629_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:157" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:157" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3821,7 +3831,7 @@ $ sudo systemctl restart sshd.service</xccdf:fixtext>
<xccdf:fixtext fixref="F-32939r567632_fix">Migrate the "/tmp" directory onto a separate file system/partition.</xccdf:fixtext>
<xccdf:fix id="F-32939r567632_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:158" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:158" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3851,7 +3861,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
$ sudo systemctl restart sshd.service</xccdf:fixtext>
<xccdf:fix id="F-32940r567635_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:159" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:159" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3879,7 +3889,7 @@ $ sudo systemctl start rsyslog.service
$ sudo systemctl enable rsyslog.service</xccdf:fixtext>
<xccdf:fix id="F-32942r567641_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:161" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:161" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3901,7 +3911,7 @@ $ sudo systemctl enable rsyslog.service</xccdf:fixtext>
<xccdf:fixtext fixref="F-32944r567647_fix">Configure the "/etc/fstab" to use the "nosuid" option on the /boot directory.</xccdf:fixtext>
<xccdf:fix id="F-32944r567647_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:162" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:162" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3923,7 +3933,7 @@ $ sudo systemctl enable rsyslog.service</xccdf:fixtext>
<xccdf:fixtext fixref="F-32945r567650_fix">Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions.</xccdf:fixtext>
<xccdf:fix id="F-32945r567650_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:163" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:163" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3945,7 +3955,7 @@ $ sudo systemctl enable rsyslog.service</xccdf:fixtext>
<xccdf:fixtext fixref="F-32950r567665_fix">Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS.</xccdf:fixtext>
<xccdf:fix id="F-32950r567665_fix" />
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:165" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:165" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
@@ -3967,7 +3977,7 @@ $ sudo systemctl enable rsyslog.service</xccdf:fixtext>
|
||
|
<xccdf:fixtext fixref="F-32951r567668_fix">Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32951r567668_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:166" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:166" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -3989,14 +3999,14 @@ $ sudo systemctl enable rsyslog.service</xccdf:fixtext>
|
||
|
<xccdf:fixtext fixref="F-32952r567671_fix">Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32952r567671_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:167" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:167" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230311">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230311r818834_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230311r833305_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-010671</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must disable the kernel.core_pattern.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
@@ -4027,7 +4037,7 @@ The system configuration files need to be reloaded for the changes to take effec
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32955r818833_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:168" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:168" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4055,7 +4065,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con
|
||
|
* hard core 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32957r619861_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:169" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:169" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4083,7 +4093,7 @@ Add or modify the following line in /etc/systemd/coredump.conf:
|
||
|
Storage=none</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32958r567689_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:170" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:170" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4111,7 +4121,7 @@ Add or modify the following line in /etc/systemd/coredump.conf:
|
||
|
ProcessSizeMax=0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32959r567692_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:171" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:171" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4135,7 +4145,7 @@ ProcessSizeMax=0</xccdf:fixtext>
|
||
|
CREATE_HOME yes</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32968r567719_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:177" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:177" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4165,7 +4175,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
|
||
|
$ sudo systemctl restart sshd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32974r567737_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:179" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:179" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4203,7 +4213,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart
|
||
|
$ sudo systemctl restart sssd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32976r567743_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:180" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:180" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4235,7 +4245,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line:
|
||
|
deny = 3</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32977r743965_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:181" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:181" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4273,7 +4283,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart
|
||
|
$ sudo systemctl restart sssd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32978r567749_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:182" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:182" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4305,7 +4315,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line:
|
||
|
fail_interval = 900</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32979r743968_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:183" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:183" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4343,7 +4353,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart
|
||
|
$ sudo systemctl restart sssd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32980r567755_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:184" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:184" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4375,7 +4385,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line:
|
||
|
unlock_time = 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32981r743971_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:185" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:185" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4413,7 +4423,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart
|
||
|
$ sudo systemctl restart sssd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32984r567767_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:186" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:186" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4445,7 +4455,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line:
|
||
|
silent</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32985r743977_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:187" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:187" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4485,7 +4495,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart
|
||
|
$ sudo systemctl restart sssd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32986r567773_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:188" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:188" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4517,7 +4527,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line:
|
||
|
audit</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32987r743980_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:189" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:189" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4557,7 +4567,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart
|
||
|
$ sudo systemctl restart sssd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32988r567779_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:190" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:190" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4589,7 +4599,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line:
|
||
|
even_deny_root</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32989r743983_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:191" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:191" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4617,7 +4627,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con
|
||
|
* hard maxlogins 10</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32990r619863_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:192" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:192" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4649,21 +4659,21 @@ Create a global configuration file "/etc/tmux.conf" and add the following line:
|
||
|
set -g lock-command vlock</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32992r743986_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:193" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:193" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230349">
|
||
|
<xccdf:title>SRG-OS-000028-GPOS-00009</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230349r810020_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230349r833388_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-020041</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must ensure session control is automatically started at shell initialization.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
|
||
|
|
||
|
The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
|
||
|
|
||
|
-Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.
|
||
|
+Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.
|
||
|
|
||
|
Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
<xccdf:reference>
|
||
|
@@ -4674,18 +4684,18 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion
|
||
|
<dc:identifier>2921</dc:identifier>
|
||
|
</xccdf:reference>
|
||
|
<xccdf:ident system="http://cyber.mil/cci">CCI-000056</xccdf:ident>
|
||
|
- <xccdf:fixtext fixref="F-32993r809283_fix">Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory:
|
||
|
+ <xccdf:fixtext fixref="F-32993r833310_fix">Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory:
|
||
|
|
||
|
-If [ "$PS1" ]; then
|
||
|
+if [ "$PS1" ]; then
|
||
|
parent=$(ps -o ppid= -p $$)
|
||
|
name=$(ps -o comm= -p $parent)
|
||
|
case "$name" in (sshd|login) exec tmux ;; esac
|
||
|
fi
|
||
|
|
||
|
This setting will take effect at next logon.</xccdf:fixtext>
|
||
|
- <xccdf:fix id="F-32993r809283_fix" />
|
||
|
+ <xccdf:fix id="F-32993r833310_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:194" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:194" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4713,7 +4723,7 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion
|
||
|
<xccdf:fixtext fixref="F-32994r567797_fix">Configure the operating system to prevent users from disabling the tmux terminal multiplexer by editing the "/etc/shells" configuration file to remove any instances of tmux.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-32994r567797_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:195" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:195" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4743,14 +4753,14 @@ Add the following line to the "/etc/pam.d/password-auth" file (or modify the lin
|
||
|
password required pam_pwquality.so</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33000r809286_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:196" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:196" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230357">
|
||
|
<xccdf:title>SRG-OS-000069-GPOS-00037</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230357r627750_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230357r833313_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-020110</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
@@ -4773,14 +4783,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha
|
||
|
ucredit = -1</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33001r567818_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:197" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:197" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230358">
|
||
|
<xccdf:title>SRG-OS-000070-GPOS-00038</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230358r627750_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230358r833315_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-020120</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
@@ -4803,14 +4813,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha
|
||
|
lcredit = -1</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33002r567821_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:198" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:198" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230359">
|
||
|
<xccdf:title>SRG-OS-000071-GPOS-00039</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230359r627750_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230359r833317_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-020130</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
@@ -4833,14 +4843,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha
|
||
|
dcredit = -1</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33003r567824_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:199" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:199" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230360">
|
||
|
<xccdf:title>SRG-OS-000072-GPOS-00040</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230360r809289_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230360r833319_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-020140</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
@@ -4863,14 +4873,14 @@ Add the following line to "/etc/security/pwquality.conf" conf (or modify the lin
|
||
|
maxclassrepeat = 4</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33004r567827_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:200" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:200" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230361">
|
||
|
<xccdf:title>SRG-OS-000072-GPOS-00040</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230361r627750_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230361r833321_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-020150</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
@@ -4893,14 +4903,14 @@ Add the following line to "/etc/security/pwquality.conf conf" (or modify the lin
|
||
|
maxrepeat = 3</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33005r567830_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:201" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:201" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230362">
|
||
|
<xccdf:title>SRG-OS-000072-GPOS-00040</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230362r627750_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230362r833323_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-020160</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must require the change of at least four character classes when passwords are changed.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
@@ -4923,14 +4933,14 @@ Add the following line to "/etc/security/pwquality.conf conf" (or modify the lin
|
||
|
minclass = 4</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33006r567833_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:202" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:202" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230363">
|
||
|
<xccdf:title>SRG-OS-000072-GPOS-00040</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230363r627750_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230363r833325_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-020170</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must require the change of at least 8 characters when passwords are changed.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
@@ -4953,7 +4963,7 @@ Add the following line to "/etc/security/pwquality.conf" (or modify the line to
|
||
|
difok = 8</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33007r567836_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:203" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:203" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -4977,7 +4987,7 @@ difok = 8</xccdf:fixtext>
|
||
|
$ sudo chage -m 1 [user]</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33008r567839_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:204" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:204" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5003,7 +5013,7 @@ Add the following line in "/etc/login.defs" (or modify the line to have the requ
|
||
|
PASS_MIN_DAYS 1</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33009r567842_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:205" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:205" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5029,7 +5039,7 @@ Add, or modify the following line in the "/etc/login.defs" file:
|
||
|
PASS_MAX_DAYS 60</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33010r567845_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:206" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:206" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5053,7 +5063,7 @@ PASS_MAX_DAYS 60</xccdf:fixtext>
|
||
|
$ sudo chage -M 60 [user]</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33011r567848_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:207" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:207" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5085,14 +5095,14 @@ Add the following line in "/etc/pam.d/password-auth" (or modify the line to have
|
||
|
password required pam_pwhistory.so use_authtok remember=5 retry=3</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33012r809291_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:208" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:208" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230369">
|
||
|
<xccdf:title>SRG-OS-000078-GPOS-00046</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230369r627750_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230369r833327_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-020230</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 passwords must have a minimum of 15 characters.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
|
||
|
@@ -5119,7 +5129,7 @@ Add the following line to "/etc/security/pwquality.conf" (or modify the line to
|
||
|
minlen = 15</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33013r567854_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:209" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:209" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5149,7 +5159,7 @@ Add, or modify the following line in the "/etc/login.defs" file:
|
||
|
PASS_MIN_LEN 15</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33014r567857_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:210" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:210" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5179,14 +5189,14 @@ $ sudo useradd -D -f 35
|
||
|
DoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33017r567866_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:211" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:211" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230375">
|
||
|
<xccdf:title>SRG-OS-000266-GPOS-00101</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230375r627750_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230375r833329_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-020280</xccdf:version>
|
||
|
<xccdf:title>All RHEL 8 passwords must contain at least one special character.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
||
|
@@ -5209,14 +5219,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha
|
||
|
ocredit = -1</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33019r567872_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:212" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:212" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230377">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00225</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230377r627750_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230377r833331_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-020300</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must prevent the use of dictionary words for passwords.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
|
||
|
@@ -5235,7 +5245,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a
|
||
|
dictcheck=1</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33021r567878_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:214" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:214" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5263,7 +5273,7 @@ Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or gr
|
||
|
FAIL_DELAY 4</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33022r567881_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:215" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:215" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5291,7 +5301,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
|
||
|
$ sudo systemctl restart sshd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33024r743992_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:216" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:216" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5319,7 +5329,7 @@ PrintLastLog yes
|
||
|
The SSH service must be restarted for changes to "sshd_config" to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33026r567893_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:218" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:218" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5345,7 +5355,7 @@ Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077
|
||
|
UMASK 077</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33027r567896_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:219" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:219" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5379,7 +5389,7 @@ Add or update the following file system rules to "/etc/audit/rules.d/audit.rules
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33030r567905_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:220" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:220" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5409,7 +5419,7 @@ Edit the following line in "/etc/audit/auditd.conf" to ensure that administrator
|
||
|
action_mail_acct = root</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33032r567911_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:222" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:222" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5441,7 +5451,7 @@ disk_error_action = HALT
|
||
|
If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG".</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33034r567917_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:223" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:223" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5475,7 +5485,7 @@ disk_full_action = HALT
|
||
|
If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG".</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33036r567923_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:225" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:225" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5503,7 +5513,7 @@ Add or update the following line in "/etc/audit/auditd.conf" file:
|
||
|
local_events = yes</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33037r567926_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:226" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:226" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5535,7 +5545,7 @@ name_format = hostname
|
||
|
The audit daemon must be restarted for changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33038r567929_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:227" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:227" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5565,7 +5575,7 @@ log_format = ENRICHED
|
||
|
The audit daemon must be restarted for changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33039r567932_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:228" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:228" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5593,7 +5603,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO
|
||
|
log_group = root</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33040r567935_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:229" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:229" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5623,7 +5633,7 @@ $ sudo chown root [audit_log_file]
|
||
|
Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log".</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33041r567938_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:230" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:230" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5651,7 +5661,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO
|
||
|
log_group = root</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33042r567941_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:231" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:231" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5681,7 +5691,7 @@ $ sudo chown root [audit_log_directory]
|
||
|
Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit".</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33043r567944_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:232" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:232" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5711,7 +5721,7 @@ $ sudo chgrp root [audit_log_directory]
|
||
|
Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit".</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33044r567947_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:233" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:233" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5741,7 +5751,7 @@ $ sudo chmod 0700 [audit_log_directory]
|
||
|
Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit".</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33045r567950_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:234" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:234" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5773,7 +5783,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO
|
||
|
Note: Once set, the system must be rebooted for auditing to be changed. It is recommended to add this option as the last step in securing the system.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33046r567953_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:235" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:235" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5803,7 +5813,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO
|
||
|
--loginuid-immutable</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33047r567956_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:236" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:236" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5835,7 +5845,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules"
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33048r567959_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:237" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:237" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5867,7 +5877,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules"
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33049r567962_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:238" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:238" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5899,7 +5909,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules"
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33050r567965_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:239" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:239" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5931,7 +5941,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules"
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33051r567968_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:240" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:240" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5963,7 +5973,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules"
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33052r567971_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:241" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:241" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -5995,7 +6005,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules"
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33053r567974_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:242" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:242" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6027,7 +6037,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules"
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33054r567977_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:243" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:243" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6059,7 +6069,7 @@ Install the audit service (if the audit service is not already installed) with t
|
||
|
$ sudo yum install audit</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33055r646880_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:244" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:244" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6091,7 +6101,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33056r567983_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:245" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:245" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6136,7 +6146,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33057r809294_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:246" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:246" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6168,7 +6178,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33062r568001_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:251" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:251" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6200,7 +6210,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33063r568004_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:252" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:252" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6232,7 +6242,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33065r568010_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:254" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:254" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6264,7 +6274,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33066r568013_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:255" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:255" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6296,7 +6306,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33067r568016_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:256" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:256" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6328,7 +6338,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33068r568019_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:257" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:257" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6361,7 +6371,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33069r568022_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:258" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:258" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6393,7 +6403,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33070r568025_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:259" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:259" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6425,7 +6435,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33071r568028_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:260" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:260" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6457,7 +6467,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33072r568031_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:261" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:261" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6489,7 +6499,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33073r568034_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:262" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:262" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6521,7 +6531,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33074r568037_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:263" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:263" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6553,7 +6563,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33075r568040_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:264" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:264" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6585,7 +6595,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33076r568043_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:265" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:265" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6617,7 +6627,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33077r568046_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:266" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:266" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6649,7 +6659,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33078r744001_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:267" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:267" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6681,7 +6691,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33079r568052_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:268" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:268" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6713,7 +6723,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33080r568055_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:269" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:269" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6745,7 +6755,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33081r568058_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:270" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:270" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6780,7 +6790,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33082r810448_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:271" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:271" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6820,7 +6830,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33083r809301_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:272" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:272" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6852,7 +6862,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33088r568079_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:277" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:277" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6885,7 +6895,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33090r568085_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:279" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:279" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6917,7 +6927,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33091r568088_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:280" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:280" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6949,7 +6959,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33092r568091_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:281" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:281" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -6992,7 +7002,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33093r809304_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:282" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:282" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7031,7 +7041,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33099r809307_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:288" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:288" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7069,7 +7079,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33100r809310_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:289" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:289" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7101,7 +7111,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33106r568133_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:295" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:295" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7133,7 +7143,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33107r568136_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:296" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:296" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7165,7 +7175,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33108r568139_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:297" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:297" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7207,7 +7217,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33109r568142_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:298" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:298" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7249,7 +7259,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO
|
||
|
The audit daemon must be restarted for the changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33111r568148_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:299" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:299" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7275,7 +7285,7 @@ $ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules
|
||
|
$ sudo chmod 0640 /etc/audit/auditd.conf</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33115r568160_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:303" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:303" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7305,7 +7315,7 @@ $ sudo chmod 0755 [audit_tool]
|
||
|
Replace "[audit_tool]" with the audit tool that does not have the correct permissive mode.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33116r568163_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:304" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:304" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7337,7 +7347,7 @@ $ sudo chown root [audit_tool]
|
||
|
Replace "[audit_tool]" with each audit tool not owned by "root".</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33117r568166_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:305" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:305" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7369,7 +7379,7 @@ $ sudo chgrp root [audit_tool]
|
||
|
Replace "[audit_tool]" with each audit tool not group-owned by "root".</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33118r568169_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:306" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:306" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7404,7 +7414,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul
|
||
|
$ sudo yum install rsyslog</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33121r568178_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:412" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:412" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7439,7 +7449,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul
|
||
|
$ sudo yum install rsyslog-gnutls</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33122r744010_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:307" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:307" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7471,7 +7481,7 @@ overflow_action = syslog
|
||
|
The audit daemon must be restarted for changes to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33124r568187_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:308" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:308" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7497,7 +7507,7 @@ space_left = 25%
|
||
|
Note: Option names and values in the auditd.conf file are case insensitive.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33127r744013_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:309" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:309" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7527,7 +7537,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc
|
||
|
port 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33129r568202_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:310" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:310" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7557,7 +7567,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc
|
||
|
cmdport 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33130r568205_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:311" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:311" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7591,7 +7601,7 @@ If a privileged user were to log on using this service, the privileged user pass
|
||
|
$ sudo yum remove telnet-server</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33131r568208_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:312" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:312" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7621,7 +7631,7 @@ Verify the operating system is configured to disable non-essential capabilities.
|
||
|
$ sudo yum remove abrt*</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33132r568211_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:313" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:313" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7651,7 +7661,7 @@ Verify the operating system is configured to disable non-essential capabilities.
|
||
|
$ sudo yum remove sendmail</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33133r568214_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:314" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:314" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7683,7 +7693,7 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000074-GPOS-00042</VulnDiscussion
|
||
|
$ sudo yum remove rsh-server</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33136r568223_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:317" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:317" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7716,7 +7726,7 @@ blacklist atm
|
||
|
Reboot the system for the settings to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33138r792910_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:318" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:318" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7749,7 +7759,7 @@ blacklist can
|
||
|
Reboot the system for the settings to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33139r792913_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:319" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:319" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7782,7 +7792,7 @@ blacklist sctp
|
||
|
Reboot the system for the settings to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33140r792916_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:320" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:320" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7815,7 +7825,7 @@ blacklist tipc
|
||
|
Reboot the system for the settings to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33141r792919_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:321" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:321" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7848,7 +7858,7 @@ blacklist cramfs
|
||
|
Reboot the system for the settings to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33142r568241_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:322" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:322" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7879,7 +7889,7 @@ blacklist firewire-core
|
||
|
Reboot the system for the settings to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33143r568244_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:323" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:323" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -7910,14 +7920,14 @@ blacklist usb-storage
|
||
|
Reboot the system for the settings to take effect.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33147r809318_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:325" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:325" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230507">
|
||
|
<xccdf:title>SRG-OS-000300-GPOS-00118</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230507r627750_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230507r833336_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040111</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 Bluetooth must be disabled.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system.
|
||
|
@@ -7933,16 +7943,24 @@ Protecting the confidentiality and integrity of communications with wireless per
|
||
|
<dc:identifier>2921</dc:identifier>
|
||
|
</xccdf:reference>
|
||
|
<xccdf:ident system="http://cyber.mil/cci">CCI-001443</xccdf:ident>
|
||
|
- <xccdf:fixtext fixref="F-33151r568268_fix">Configure the operating system to disable the Bluetooth adapter when not in use.
|
||
|
+ <xccdf:fixtext fixref="F-33151r833335_fix">Configure the operating system to disable the Bluetooth adapter when not in use.
|
||
|
|
||
|
Build or modify the "/etc/modprobe.d/bluetooth.conf" file with the following line:
|
||
|
|
||
|
install bluetooth /bin/true
|
||
|
|
||
|
+Disable the ability to use the Bluetooth kernel module.
|
||
|
+
|
||
|
+$ sudo vi /etc/modprobe.d/blacklist.conf
|
||
|
+
|
||
|
+Add or update the line:
|
||
|
+
|
||
|
+blacklist bluetooth
|
||
|
+
|
||
|
Reboot the system for the settings to take effect.</xccdf:fixtext>
|
||
|
- <xccdf:fix id="F-33151r568268_fix" />
|
||
|
+ <xccdf:fix id="F-33151r833335_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:326" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:326" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
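Review bot: The new fix text for RHEL-08-040111 now asks for two distinct directives in two different files (`install bluetooth /bin/true` in /etc/modprobe.d/bluetooth.conf and `blacklist bluetooth` in /etc/modprobe.d/blacklist.conf), but the rule's check reference on the line `oval:mil.disa.stig.rhel8:def:326` is unchanged apart from the href bump, so whatever content-level check the project derives from this rule should be confirmed to accept the blacklist line from any file under /etc/modprobe.d/, not just the one named here. Worth a comment in the project's implementing rule (not in this diff) that the two directives cover different paths: `install` overrides modprobe-driven loading, including dependency pulls, while `blacklist` only suppresses alias-based autoload, and neither prevents a privileged `insmod` of the module or a kernel with bluetooth compiled in, so a post-reboot `lsmod`/`modprobe -n -v bluetooth` remains the real verification. Whether the V1R7 manual benchmark is meant to pair with the V1R6 SCAP OVAL file, as the updated hrefs throughout this patch imply, is not something the diff itself shows; that pairing should be checked against the DISA release notes before the references are relied on downstream.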
|
||
|
@@ -7972,7 +7990,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33152r568271_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:327" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:327" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8000,7 +8018,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33153r568274_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:328" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:328" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8030,7 +8048,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33154r568277_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:329" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:329" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8060,7 +8078,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
/dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33155r568280_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:330" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:330" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8088,7 +8106,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
/dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33156r568283_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:331" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:331" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8118,7 +8136,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
/dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33157r568286_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:332" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:332" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8148,7 +8166,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
/dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33158r568289_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:333" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:333" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8178,7 +8196,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
/dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33159r568292_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:334" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:334" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8208,7 +8226,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
/dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33160r568295_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:335" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:335" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8238,7 +8256,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
/dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33161r568298_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:336" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:336" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8268,7 +8286,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
/dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33162r568301_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:337" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:337" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8298,7 +8316,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
/dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33163r568304_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:338" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:338" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8328,7 +8346,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33164r792926_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:339" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:339" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8358,7 +8376,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33165r792929_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:340" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:340" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8388,7 +8406,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
|
||
|
/dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33166r792932_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:341" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:341" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8418,7 +8436,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO
|
||
|
$ sudo systemctl enable sshd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33170r744031_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:342" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:342" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8454,7 +8472,7 @@ Restart the SSH daemon for the settings to take effect.
|
||
|
$ sudo systemctl restart sshd.service</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33171r568328_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:343" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:343" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8482,7 +8500,7 @@ Reload the daemon for this change to take effect.
|
||
|
$ sudo systemctl daemon-reload</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33175r619890_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:345" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:345" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8506,7 +8524,7 @@ $ sudo systemctl daemon-reload</xccdf:fixtext>
|
||
|
$ sudo yum remove tftp-server</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33177r568346_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:346" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:346" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -8530,14 +8548,14 @@ $ sudo yum remove tftp-server</xccdf:fixtext>
|
||
|
If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33178r568349_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:347" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:347" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230535">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230535r818848_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230535r833340_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040210</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
|
||
|
@@ -8568,14 +8586,14 @@ Load settings from all system configuration files with the following command:
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33179r818847_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:348" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:348" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230536">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230536r818851_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230536r833342_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040220</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
|
||
|
@@ -8608,14 +8626,14 @@ Load settings from all system configuration files with the following command:
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33180r818850_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:349" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:349" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230537">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230537r818854_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230537r833344_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040230</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.
|
||
|
@@ -8647,14 +8665,14 @@ Load settings from all system configuration files with the following command:
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33181r818853_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:350" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:350" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230538">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230538r818860_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230538r833346_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040240</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must not forward IPv6 source-routed packets.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
|
||
|
@@ -8685,14 +8703,14 @@ Load settings from all system configuration files with the following command:
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33182r818859_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:351" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:351" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230539">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230539r818866_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230539r838722_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040250</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must not forward IPv6 source-routed packets by default.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
|
||
|
@@ -8723,14 +8741,14 @@ Load settings from all system configuration files with the following command:
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33183r818865_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:352" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:352" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230540">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230540r818872_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230540r833349_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040260</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
|
||
|
@@ -8761,14 +8779,14 @@ Load settings from all system configuration files with the following command:
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33184r818871_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:353" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:353" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230541">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230541r818875_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230541r833351_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040261</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must not accept router advertisements on all IPv6 interfaces.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
|
||
|
@@ -8801,14 +8819,14 @@ Load settings from all system configuration files with the following command:
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33185r818874_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:354" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:354" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230542">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230542r818878_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230542r833353_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040262</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
|
||
|
@@ -8841,14 +8859,14 @@ Load settings from all system configuration files with the following command:
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33186r818877_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:355" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:355" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230543">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230543r818881_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230543r833355_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040270</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
|
||
|
@@ -8881,14 +8899,14 @@ Load settings from all system configuration files with the following command:
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33187r818880_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:356" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:356" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230544">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230544r818887_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230544r833357_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040280</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
|
||
|
@@ -8919,14 +8937,14 @@ Load settings from all system configuration files with the following command:
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33188r818886_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:357" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:357" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230545">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230545r818890_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230545r833359_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040281</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must disable access to network bpf syscall from unprivileged processes.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
@@ -8955,14 +8973,14 @@ The system configuration files need to be reloaded for the changes to take effec
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33189r818889_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:358" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:358" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230546">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230546r818893_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230546r833361_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040282</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must restrict usage of ptrace to descendant processes.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
@@ -8991,14 +9009,14 @@ The system configuration files need to be reloaded for the changes to take effec
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33190r818892_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:359" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:359" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230547">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230547r818896_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230547r833363_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040283</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must restrict exposed kernel pointer addresses access.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
@@ -9027,14 +9045,14 @@ The system configuration files need to be reloaded for the changes to take effec
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33191r818895_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:360" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:360" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230548">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230548r818899_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230548r833365_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040284</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must disable the use of user namespaces.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
@@ -9065,14 +9083,14 @@ The system configuration files need to be reloaded for the changes to take effec
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33192r818898_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:361" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:361" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-230549">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230549r818902_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-230549r833367_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040285</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must use reverse path filtering on all IPv4 interfaces.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
@@ -9101,7 +9119,7 @@ The system configuration files need to be reloaded for the changes to take effec
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33193r818901_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:362" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:362" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9125,7 +9143,7 @@ $ sudo sysctl --system</xccdf:fixtext>
|
||
|
$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33194r568397_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:363" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:363" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9157,7 +9175,7 @@ The SSH service must be restarted for changes to take effect:
|
||
|
$ sudo systemctl restart sshd</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33199r568412_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:364" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:364" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9183,7 +9201,7 @@ Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Us
|
||
|
X11UseLocalhost yes</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33200r568415_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:365" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:365" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9207,7 +9225,7 @@ X11UseLocalhost yes</xccdf:fixtext>
|
||
|
server_args = -s /var/lib/tftpboot</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33201r568418_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:366" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:366" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9231,7 +9249,7 @@ server_args = -s /var/lib/tftpboot</xccdf:fixtext>
|
||
|
$ sudo yum remove vsftpd</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33202r568421_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:367" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:367" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9259,7 +9277,7 @@ The gssproxy package is a proxy for GSS API credential handling and could expose
|
||
|
$ sudo yum remove gssproxy</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33203r568424_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:368" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:368" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9287,7 +9305,7 @@ The iprutils package provides a suite of utilities to manage and configure SCSI
|
||
|
$ sudo yum remove iprutils</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33204r568427_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:369" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:369" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9315,7 +9333,7 @@ The tuned package contains a daemon that tunes the system settings dynamically.
|
||
|
$ sudo yum remove tuned</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-33205r568430_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:370" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:370" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9345,7 +9363,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access
|
||
|
$ sudo yum remove krb5-server</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-40822r646889_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:413" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:413" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9369,14 +9387,14 @@ ALL ALL=(ALL) ALL
|
||
|
ALL ALL=(ALL:ALL) ALL</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-40823r646892_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:414" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:414" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-237642">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-237642r809326_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-237642r833369_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-010383</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.
|
||
|
@@ -9395,14 +9413,14 @@ Defaults !rootpw
|
||
|
Defaults !runaspw</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-40824r646895_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:415" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:415" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-237643">
|
||
|
<xccdf:title>SRG-OS-000373-GPOS-00156</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-237643r809328_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-237643r838720_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-010384</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must require re-authentication when using the "sudo" command.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
|
||
|
@@ -9427,7 +9445,7 @@ Defaults timestamp_timeout=[value]
|
||
|
Note: The "[value]" must be a number that is greater than or equal to "0".</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-40825r646898_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:416" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:416" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9451,7 +9469,7 @@ Note: The "[value]" must be a number that is greater than or equal to "0".</xccd
|
||
|
Note: Manual changes to the listed file may be overwritten by the "authselect" program.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-47772r743868_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:463" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:463" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9475,14 +9493,14 @@ Note: Manual changes to the listed file may be overwritten by the "authselect" p
|
||
|
Note: Manual changes to the listed file may be overwritten by the "authselect" program.</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-47773r743871_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:464" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:464" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
<xccdf:Group id="xccdf_mil.disa.stig_group_V-244554">
|
||
|
<xccdf:title>SRG-OS-000480-GPOS-00227</xccdf:title>
|
||
|
<xccdf:description><GroupDescription></GroupDescription></xccdf:description>
|
||
|
- <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-244554r818905_rule" weight="10.0" severity="medium">
|
||
|
+ <xccdf:Rule id="xccdf_mil.disa.stig_rule_SV-244554r833381_rule" weight="10.0" severity="medium">
|
||
|
<xccdf:version update="http://iase.disa.mil/stigs">RHEL-08-040286</xccdf:version>
|
||
|
<xccdf:title>RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.</xccdf:title>
|
||
|
<xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
||
|
@@ -9513,7 +9531,7 @@ The system configuration files need to be reloaded for the changes to take effec
|
||
|
$ sudo sysctl --system</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-47786r818904_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:477" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:477" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
@@ -9540,18 +9558,18 @@ Lock an account:
|
||
|
$ sudo passwd -l [username]</xccdf:fixtext>
|
||
|
<xccdf:fix id="F-55097r809341_fix" />
|
||
|
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||
|
- <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:482" href="U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
+ <xccdf:check-content-ref name="oval:mil.disa.stig.rhel8:def:482" href="U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" />
|
||
|
</xccdf:check>
|
||
|
</xccdf:Rule>
|
||
|
</xccdf:Group>
|
||
|
</xccdf:Benchmark>
|
||
|
</component>
|
||
|
- <component id="scap_mil.disa.stig_comp_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-oval.xml" timestamp="2022-03-28T12:45:13">
|
||
|
+ <component id="scap_mil.disa.stig_comp_U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-oval.xml" timestamp="2022-06-28T15:27:20">
|
||
|
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5">
|
||
|
<generator>
|
||
|
<oval:product_name>repotool</oval:product_name>
|
||
|
<oval:schema_version>5.10</oval:schema_version>
|
||
|
- <oval:timestamp>2022-03-28T12:45:12</oval:timestamp>
|
||
|
+ <oval:timestamp>2022-06-28T15:27:20</oval:timestamp>
|
||
|
</generator>
|
||
|
<definitions>
|
||
|
<definition class="compliance" id="oval:mil.disa.stig.rhel8:def:10" version="1">
|
||
|
@@ -11139,17 +11157,16 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note
|
||
|
<criterion test_ref="oval:mil.disa.stig.rhel8:tst:21200" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition id="oval:mil.disa.stig.rhel8:def:214" class="compliance" version="2">
|
||
|
+ <definition id="oval:mil.disa.stig.rhel8:def:214" class="compliance" version="3">
|
||
|
<metadata>
|
||
|
- <title>RHEL-08-020300 - RHEL 8 must prevent the use of dictionary words for passwords.</title>
|
||
|
+ <title>RHEL-08-021400 - RHEL 8 must prevent the use of dictionary words for passwords.</title>
|
||
|
<affected family="unix">
|
||
|
<platform>Red Hat Enterprise Linux 8</platform>
|
||
|
</affected>
|
||
|
<description>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</description>
|
||
|
</metadata>
|
||
|
- <criteria operator="OR">
|
||
|
+ <criteria>
|
||
|
<criterion test_ref="oval:mil.disa.stig.rhel8:tst:21400" />
|
||
|
- <criterion test_ref="oval:mil.disa.stig.rhel8:tst:21401" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
<definition id="oval:mil.disa.stig.rhel8:def:215" class="compliance" version="1">
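Review bot: The retitle on L15031 renumbers the dictionary-word check from RHEL-08-020300 to RHEL-08-021400 while the OVAL id stays def:214, so anything downstream that maps this check by STIG ID (for example a `stigid@rhel8:` reference on the corresponding project rule) has to move in the same change or it will point at an ID that no longer exists in this benchmark. Dropping `operator="OR"` and tst:21401 leaves a single-criterion `<criteria>` that defaults to AND, which is fine only if tst:21400 now covers every file the removed test covered; its new object obj:21402 is defined outside this hunk, so please confirm it matches the drop-in location as well as the main pwquality configuration file, otherwise a `dictcheck` set in a drop-in stops being recognised. The removal of the tst:21401 test itself appears further down in this patch, so the definition and test sets stay consistent.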
|
||
|
@@ -12630,7 +12647,7 @@ RHEL 8 incorporates OpenSSH as a default ssh provider. OpenSSH has been a 100 pe
|
||
|
<criterion test_ref="oval:mil.disa.stig.rhel8:tst:32501" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition id="oval:mil.disa.stig.rhel8:def:326" class="compliance" version="1">
|
||
|
+ <definition id="oval:mil.disa.stig.rhel8:def:326" class="compliance" version="2">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-040111 - RHEL 8 Bluetooth must be disabled.</title>
|
||
|
<affected family="unix">
|
||
|
@@ -12644,6 +12661,7 @@ Protecting the confidentiality and integrity of communications with wireless per
|
||
|
</metadata>
|
||
|
<criteria>
|
||
|
<criterion test_ref="oval:mil.disa.stig.rhel8:tst:32600" />
|
||
|
+ <criterion test_ref="oval:mil.disa.stig.rhel8:tst:32601" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
<definition id="oval:mil.disa.stig.rhel8:def:327" class="compliance" version="2">
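Review bot: The `<criteria>` on L15127 has no `operator`, so the OVAL default AND applies to the added tst:32601: RHEL-08-040111 now passes only when /etc/modprobe.d contains both an `install bluetooth /bin/true` line and a `blacklist bluetooth` line. That is stricter than the previous single-criterion definition, and hosts remediated with just the install directive (which by itself already makes modprobe run /bin/true instead of inserting the module) flip from pass to fail after this update. Requiring both is defensible, since `blacklist` additionally suppresses alias-based autoload, but the remediation content shipped with this benchmark must write both lines. The object obj:32601 referenced by the new test is not in this patch, so whether it tolerates trailing comments or extra whitespace on the `blacklist` line cannot be judged here; worth a quick look before relying on it.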
|
||
|
@@ -13523,7 +13541,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access
|
||
|
<criterion comment="ALL is not configured in /etc/sudoers.d" test_ref="oval:mil.disa.stig.rhel8:tst:41401" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:415" version="2">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:415" version="3">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-010383 - RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".</title>
|
||
|
<affected family="unix">
|
||
|
@@ -13533,21 +13551,21 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access
|
||
|
For more information on each of the listed configurations, reference the sudoers(5) manual page.</description>
|
||
|
</metadata>
|
||
|
<criteria operator="AND">
|
||
|
- <criteria operator="ONE">
|
||
|
+ <criteria operator="OR">
|
||
|
<criterion comment="Defaults !targetpw is configured in /etc/sudoers" test_ref="oval:mil.disa.stig.rhel8:tst:41500" />
|
||
|
<criterion comment="Defaults !targetpw is configured in /etc/sudoers.d" test_ref="oval:mil.disa.stig.rhel8:tst:41501" />
|
||
|
</criteria>
|
||
|
- <criteria operator="ONE">
|
||
|
+ <criteria operator="OR">
|
||
|
<criterion comment="Defaults !rootpw is configured in /etc/sudoers" test_ref="oval:mil.disa.stig.rhel8:tst:41502" />
|
||
|
<criterion comment="Defaults !rootpw is configured in /etc/sudoers.d" test_ref="oval:mil.disa.stig.rhel8:tst:41503" />
|
||
|
</criteria>
|
||
|
- <criteria operator="ONE">
|
||
|
+ <criteria operator="OR">
|
||
|
<criterion comment="Defaults !runaspw is configured in /etc/sudoers" test_ref="oval:mil.disa.stig.rhel8:tst:41504" />
|
||
|
<criterion comment="Defaults !runaspw is configured in /etc/sudoers.d" test_ref="oval:mil.disa.stig.rhel8:tst:41505" />
|
||
|
</criteria>
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
- <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:416" version="2">
|
||
|
+ <definition class="compliance" id="oval:mil.disa.stig.rhel8:def:416" version="5">
|
||
|
<metadata>
|
||
|
<title>RHEL-08-010384 - RHEL 8 must require re-authentication when using the "sudo" command.</title>
|
||
|
<affected family="unix">
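Review bot: Changing the three nested `<criteria>` on L15207, L15227 and L15247 from `ONE` to `OR` removes a false finding: with exclusive `ONE`, a host that declared `Defaults !rootpw` in both /etc/sudoers and a /etc/sudoers.d drop-in (a harmless and common layout) failed RHEL-08-010383. Note what OR still does not catch: sudoers evaluates Defaults entries in parse order with later entries overriding earlier ones, so a later drop-in containing `Defaults rootpw` or `Defaults targetpw` re-enables root-password prompting while this definition still reports compliant, unless the referenced tests tst:41500 to tst:41505 (defined outside this hunk) include a `none_exist` negative match. Please check those tests for something like a `Defaults\s+(rootpw|targetpw|runaspw)\b` none-exist criterion before treating this check as sufficient on its own.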
|
||
|
@@ -13559,9 +13577,8 @@ When operating systems provide the capability to escalate a functional capabilit
|
||
|
|
||
|
If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.</description>
|
||
|
</metadata>
|
||
|
- <criteria operator="ONE">
|
||
|
- <criterion comment="Defaults timestamp_timeout is configured in /etc/sudoers" test_ref="oval:mil.disa.stig.rhel8:tst:41600" />
|
||
|
- <criterion comment="Defaults timestamp_timeout is configured in /etc/sudoers.d" test_ref="oval:mil.disa.stig.rhel8:tst:41601" />
|
||
|
+ <criteria>
|
||
|
+ <criterion test_ref="oval:mil.disa.stig.rhel8:tst:41600" />
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
<definition class="compliance" id="oval:mil.disa.stig.rhel8:def:463" version="1">
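Review bot: def:416 now rests on tst:41600 alone (L15322); the removed tst:41601 was, per its comment on L15314, the /etc/sudoers.d criterion, so drop-in coverage now depends entirely on what obj:41600 references, and that object is outside this hunk. If obj:41600 still names only `/etc/sudoers`, a `Defaults timestamp_timeout=0` placed in /etc/sudoers.d (where most configuration management writes it) is reported as a finding even though the previous definition accepted it. The test's state is also not shown here; the description on L15298 says a value below 0 disables re-authentication until logout, which is precisely the misconfiguration this rule exists to catch, so confirm the state rejects negative values rather than merely requiring the key to be present.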
|
||
|
@@ -13876,7 +13893,7 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:14400" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:14400" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="kernel.randomize_va_space is set to 2 in the sysctl configuration files." check="all" check_existence="only_one_exists" id="oval:mil.disa.stig.rhel8:tst:14401" version="2">
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="kernel.randomize_va_space is set to 2 in the sysctl configuration files, and there are no conflicting settings in other files." check="all" check_existence="at_least_one_exists" id="oval:mil.disa.stig.rhel8:tst:14401" version="3">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:14403" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:14401" />
|
||
|
</textfilecontent54_test>
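Review bot: Relaxing tst:14401 from `only_one_exists` to `at_least_one_exists` on L15358 shifts the burden of detecting conflicting values onto obj:14403 and ste:14401, neither of which is in this hunk: with `check="all"` every collected item must satisfy the state, so conflicts are caught only if the object's pattern collects every `kernel.randomize_va_space` assignment regardless of value rather than just the `= 2` lines. If the object regex is anchored on the expected value, a later-loaded `kernel.randomize_va_space = 0` in /etc/sysctl.d is simply never collected and the test still passes, contradicting the new comment text. The preceding `sysctl_test` closing at L15350 still catches the running value, but this file-based test is what flags a setting that will not survive a reboot, so please verify obj:14403 captures the value as a group (for example `^\s*kernel\.randomize_va_space\s*=\s*(\S+)`) and leaves the comparison to the state.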
|
||
|
@@ -14163,25 +14180,25 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" comment="The pam_pwquality module is included in password-auth." id="oval:mil.disa.stig.rhel8:tst:19600" version="2">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:19600" />
|
||
|
</textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="at least one uppercase character is required" check="all" id="oval:mil.disa.stig.rhel8:tst:19700" version="1">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:19700" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="at least one uppercase character is required" check="all" id="oval:mil.disa.stig.rhel8:tst:19700" version="2">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:19702" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:19700" />
|
||
|
</textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="at least one lowercase character is required" check="all" id="oval:mil.disa.stig.rhel8:tst:19800" version="1">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:19800" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="at least one lowercase character is required" check="all" id="oval:mil.disa.stig.rhel8:tst:19800" version="2">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:19802" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:19700" />
|
||
|
</textfilecontent54_test>
|
||
|
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="at least one numeric character is required" check="all" id="oval:mil.disa.stig.rhel8:tst:19900" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:19900" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:19700" />
|
||
|
</textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="the maximum number of repeating characters of the same character class must be limited to four when passwords are changed" check="all" id="oval:mil.disa.stig.rhel8:tst:20000" version="1">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:20000" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="the maximum number of repeating characters of the same character class must be limited to four when passwords are changed" check="all" id="oval:mil.disa.stig.rhel8:tst:20000" version="2">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:20002" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:20000" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:20600" />
|
||
|
</textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="the maximum number of repeating characters must be limited to three when passwords are changed" check="all" id="oval:mil.disa.stig.rhel8:tst:20100" version="1">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:20100" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="the maximum number of repeating characters must be limited to three when passwords are changed" check="all" id="oval:mil.disa.stig.rhel8:tst:20100" version="2">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:20102" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:20100" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:20600" />
|
||
|
</textfilecontent54_test>
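Review bot: In this hunk tst:19700, tst:19800, tst:20000 and tst:20100 are repointed to new objects obj:19702, obj:19802, obj:20002 and obj:20102 (L15402, L15426, L15466, L15494), but tst:19900 on L15438 keeps obj:19900, so the digit-class requirement stays on the old object while its siblings move. The new objects are not defined in this hunk; if they were introduced to read a second location such as `/etc/security/pwquality.conf.d/*.conf` (the usual reason to add a parallel object for the same keys), a system that sets `dcredit` in a drop-in alongside `ucredit` and `lcredit` would pass the upper/lower tests and fail the digit test for no real reason. Either point tst:19900 at an `obj:19902` defined like the others, or record in the object why `dcredit` is deliberately scoped differently. The same pattern recurs with tst:20200 in the following hunk (L15514), which still references obj:20200.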
|
||
|
@@ -14189,8 +14206,8 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:20200" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:20200" />
|
||
|
</textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="at least 8 characters must change when passwords are changed" check="all" id="oval:mil.disa.stig.rhel8:tst:20300" version="1">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:20300" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="at least 8 characters must change when passwords are changed" check="all" id="oval:mil.disa.stig.rhel8:tst:20300" version="2">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:20302" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:20300" />
|
||
|
</textfilecontent54_test>
|
||
|
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="none_exist" comment="Root does not have a minimum password age of 0 or blank" id="oval:mil.disa.stig.rhel8:tst:20400" version="3">
|
||
|
@@ -14228,8 +14245,8 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:20801" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:20800" />
|
||
|
</textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="passwords must have a minimum of 15 characters" check="all" id="oval:mil.disa.stig.rhel8:tst:20900" version="1">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:20900" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="passwords must have a minimum of 15 characters" check="all" id="oval:mil.disa.stig.rhel8:tst:20900" version="2">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:20902" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:20900" />
|
||
|
</textfilecontent54_test>
|
||
|
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/login.defs: PASS_MIN_LEN = 15 or greater" check="all" id="oval:mil.disa.stig.rhel8:tst:21000" version="1">
|
||
|
@@ -14245,12 +14262,8 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:21200" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:19700" />
|
||
|
</textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="passwords must not be dictionary words" check="all" id="oval:mil.disa.stig.rhel8:tst:21400" version="1">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:21400" />
|
||
|
- <state state_ref="oval:mil.disa.stig.rhel8:ste:9801" />
|
||
|
- </textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="passwords must not be dictionary words" check="all" id="oval:mil.disa.stig.rhel8:tst:21401" version="1">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:21401" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="passwords must not be dictionary words" check="all" id="oval:mil.disa.stig.rhel8:tst:21400" version="2">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:21402" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:9801" />
|
||
|
</textfilecontent54_test>
|
||
|
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/login.defs: FAIL_DELAY = 4 or greater" check="all" id="oval:mil.disa.stig.rhel8:tst:21500" version="1">
|
||
|
@@ -14788,6 +14801,9 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/modprobe.d contains a file that contains 'install bluetooth /bin/true'" check="all" id="oval:mil.disa.stig.rhel8:tst:32600" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:32600" />
|
||
|
</textfilecontent54_test>
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/modprobe.d contains a file that contains 'blacklist bluetooth'" check="all" id="oval:mil.disa.stig.rhel8:tst:32601" version="1">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:32601" />
|
||
|
+ </textfilecontent54_test>
|
||
|
<partition_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="If /dev/shm is mounted, it is mounted with the nodev option" check="all" check_existence="any_exist" id="oval:mil.disa.stig.rhel8:tst:32700" version="3">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:32700" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:32700" />
|
||
|
@@ -15031,29 +15047,33 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:35903" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:35901" />
|
||
|
</textfilecontent54_test>
|
||
|
- <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="kernel.kptr_restrict is set to 1 in kernel" check="all" id="oval:mil.disa.stig.rhel8:tst:36000" version="4">
|
||
|
+ <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="kernel.kptr_restrict is set to 1 or 2 in kernel" check="all" state_operator="OR" id="oval:mil.disa.stig.rhel8:tst:36000" version="5">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:36000" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:36000" />
|
||
|
+ <state state_ref="oval:mil.disa.stig.rhel8:ste:36002" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="kernel.kptr_restrict is set to 1 in the sysctl configuration files." check="all" check_existence="only_one_exists" id="oval:mil.disa.stig.rhel8:tst:36001" version="7">
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="kernel.kptr_restrict is set to 1 or 2 in the sysctl configuration files, and no conflicting configs exist." check="all" state_operator="OR" check_existence="at_least_one_exists" id="oval:mil.disa.stig.rhel8:tst:36001" version="8">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:36003" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:36001" />
|
||
|
+ <state state_ref="oval:mil.disa.stig.rhel8:ste:36003" />
|
||
|
</textfilecontent54_test>
|
||
|
<sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="user.max_user_namespaces is set to 0 in kernel" check="all" id="oval:mil.disa.stig.rhel8:tst:36100" version="2">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:36100" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:36100" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="user.max_user_namespaces is set to 0 in the sysctl configuration files." check="all" check_existence="only_one_exists" id="oval:mil.disa.stig.rhel8:tst:36101" version="4">
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="user.max_user_namespaces is set to 0 in the sysctl configuration files." check="all" id="oval:mil.disa.stig.rhel8:tst:36101" version="5">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:36103" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:36101" />
|
||
|
</textfilecontent54_test>
|
||
|
- <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="net.ipv4.conf.all.rp_filter is set to 1 in kernel" check="all" id="oval:mil.disa.stig.rhel8:tst:36200" version="2">
|
||
|
+ <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="net.ipv4.conf.all.rp_filter is set to 1 or 2 in kernel" check="all" id="oval:mil.disa.stig.rhel8:tst:36200" state_operator="OR" version="3">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:36200" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:36000" />
|
||
|
+ <state state_ref="oval:mil.disa.stig.rhel8:ste:36200" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="net.ipv4.conf.all.rp_filter is set to 1 in the sysctl configuration files." check="all" check_existence="only_one_exists" id="oval:mil.disa.stig.rhel8:tst:36201" version="3">
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="net.ipv4.conf.all.rp_filter is set to 1 or 2 in the sysctl configuration files." check="all" id="oval:mil.disa.stig.rhel8:tst:36201" state_operator="OR" version="4">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:36203" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:36001" />
|
||
|
+ <state state_ref="oval:mil.disa.stig.rhel8:ste:36201" />
|
||
|
</textfilecontent54_test>
|
||
|
<rpminfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="The postfix package is installed" check="all" id="oval:mil.disa.stig.rhel8:tst:36300" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:36300" />
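Review bot: The rp_filter tests tst:36200 and tst:36201 express "1 or 2" by adding the new dedicated value-2 states ste:36200/ste:36201 next to the pre-existing references to ste:36000/ste:36001, which are the value-1 states of the kptr_restrict tests, so the rp_filter requirement is now coupled to whatever those kptr_restrict states are later changed to. Giving rp_filter its own value-1 states (a constructed id such as `oval:mil.disa.stig.rhel8:ste:36202` alongside the added `<state state_ref="oval:mil.disa.stig.rhel8:ste:36200" />`) would keep the two rules independent. The comment on tst:36001 says "no conflicting configs exist", but with check="all" and state_operator="OR" the test only requires every matched line to be 1 or 2, and with check_existence relaxed from only_one_exists to at_least_one_exists duplicate definitions are accepted; that matches how sysctl.d applies settings, but the comment overstates what is verified. The criteria that combine these tests are outside the hunk.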
|
||
|
@@ -15096,30 +15116,26 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="none_exist" comment="ALL does not exist in /etc/sudoers.d" id="oval:mil.disa.stig.rhel8:tst:41401" version="1">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:41401" />
|
||
|
</textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="only_one_exists" comment="Defaults !targetpw is configured in /etc/sudoers" id="oval:mil.disa.stig.rhel8:tst:41500" version="2">
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="Defaults !targetpw is configured in /etc/sudoers" id="oval:mil.disa.stig.rhel8:tst:41500" version="3">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:41500" />
|
||
|
</textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="only_one_exists" comment="Defaults !targetpw is configured in /etc/sudoers.d" id="oval:mil.disa.stig.rhel8:tst:41501" version="2">
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="Defaults !targetpw is configured in /etc/sudoers.d" id="oval:mil.disa.stig.rhel8:tst:41501" version="3">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:41501" />
|
||
|
</textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="only_one_exists" comment="Defaults !rootpw is configured in /etc/sudoers" id="oval:mil.disa.stig.rhel8:tst:41502" version="2">
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="Defaults !rootpw is configured in /etc/sudoers" id="oval:mil.disa.stig.rhel8:tst:41502" version="3">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:41502" />
|
||
|
</textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="only_one_exists" comment="Defaults !rootpw is configured in /etc/sudoers.d" id="oval:mil.disa.stig.rhel8:tst:41503" version="2">
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="Defaults !rootpw is configured in /etc/sudoers.d" id="oval:mil.disa.stig.rhel8:tst:41503" version="3">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:41503" />
|
||
|
</textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="only_one_exists" comment="Defaults !runaspw is configured in /etc/sudoers" id="oval:mil.disa.stig.rhel8:tst:41504" version="2">
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="Defaults !runaspw is configured in /etc/sudoers" id="oval:mil.disa.stig.rhel8:tst:41504" version="3">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:41504" />
|
||
|
</textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="only_one_exists" comment="Defaults !runaspw is configured in /etc/sudoers.d" id="oval:mil.disa.stig.rhel8:tst:41505" version="2">
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="at_least_one_exists" comment="Defaults !runaspw is configured in /etc/sudoers.d" id="oval:mil.disa.stig.rhel8:tst:41505" version="3">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:41505" />
|
||
|
</textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="only_one_exists" comment="Defaults timestamp_timeout is configured in /etc/sudoers" id="oval:mil.disa.stig.rhel8:tst:41600" version="3">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:41600" />
|
||
|
- <state state_ref="oval:mil.disa.stig.rhel8:ste:41600" />
|
||
|
- </textfilecontent54_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="only_one_exists" comment="Defaults timestamp_timeout is configured in /etc/sudoers.d" id="oval:mil.disa.stig.rhel8:tst:41601" version="3">
|
||
|
- <object object_ref="oval:mil.disa.stig.rhel8:obj:41601" />
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" comment="Defaults timestamp_timeout is configured in /etc/sudoers or /etc/sudoers.d." id="oval:mil.disa.stig.rhel8:tst:41600" version="5">
|
||
|
+ <object object_ref="oval:mil.disa.stig.rhel8:obj:41602" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:41600" />
|
||
|
</textfilecontent54_test>
|
||
|
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="No instances of nullok in /etc/pam.d/system-auth." check="all" check_existence="none_exist" id="oval:mil.disa.stig.rhel8:tst:46300" version="2">
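Review bot: The six negation tests tst:41500 through tst:41505 stay purely existence-based after the change to at_least_one_exists: they confirm that a `Defaults !targetpw`/`!rootpw`/`!runaspw` line exists somewhere, but sudoers applies the last matching Defaults entry, so a later positive `Defaults targetpw` in /etc/sudoers or in a lexically later sudoers.d file would re-enable the option while the test still passes (the objects are outside the hunk, so this is inferred from the test attributes). A companion test with `check_existence="none_exist"` over the positive form, e.g. `<pattern operation="pattern match">^\s*Defaults\s+targetpw\s*$</pattern>`, would close that gap. The merged tst:41600 with check="all" over the union object obj:41602 is sound because every timestamp_timeout line in either location must satisfy ste:41600; that state is outside the hunk.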
|
||
|
@@ -15132,7 +15148,7 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:47700" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:14400" />
|
||
|
</sysctl_test>
|
||
|
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="net.core.bpf_jit_harden is set to 2 in the sysctl configuration files." check="all" check_existence="only_one_exists" id="oval:mil.disa.stig.rhel8:tst:47701" version="1">
|
||
|
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="net.core.bpf_jit_harden is set to 2 in the sysctl configuration files." check="all" id="oval:mil.disa.stig.rhel8:tst:47701" version="2">
|
||
|
<object object_ref="oval:mil.disa.stig.rhel8:obj:47703" />
|
||
|
<state state_ref="oval:mil.disa.stig.rhel8:ste:14401" />
|
||
|
</textfilecontent54_test>
|
||
|
@@ -15426,12 +15442,14 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
<object_reference>oval:mil.disa.stig.rhel8:obj:13602</object_reference>
|
||
|
</set>
|
||
|
</textfilecontent54_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:13700" version="1">
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:13700" version="2">
|
||
|
+ <behaviors ignore_case="true" />
|
||
|
<filepath>/etc/sudoers</filepath>
|
||
|
<pattern operation="pattern match">^(?!#).*\s+NOPASSWD.*$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:13701" version="1">
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:13701" version="2">
|
||
|
+ <behaviors ignore_case="true" recurse_direction="down" />
|
||
|
<path>/etc/sudoers.d</path>
|
||
|
<filename operation="pattern match">^.*$</filename>
|
||
|
<pattern operation="pattern match">^(?!#).*\s+NOPASSWD.*$</pattern>
|
||
|
@@ -15861,41 +15879,109 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
<pattern operation="pattern match">^\s*password\s+(?:required|requisite)\s+pam_pwquality\.so\b</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="ucredit setting in /etc/security/pwquality.conf" id="oval:mil.disa.stig.rhel8:obj:19700" version="1">
|
||
|
- <filepath>/etc/security/pwquality.conf</filepath>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="ucredit setting in /etc/security/pwquality.conf*" id="oval:mil.disa.stig.rhel8:obj:19700" version="2">
|
||
|
+ <behaviors recurse_direction="down" />
|
||
|
+ <path>/etc/security</path>
|
||
|
+ <filename operation="pattern match">^pwquality\.conf.*</filename>
|
||
|
<pattern operation="pattern match">^\s*ucredit\s*=\s*(-?\d*)\s*(?:#.*)?$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:19800" version="1">
|
||
|
- <filepath>/etc/security/pwquality.conf</filepath>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="ucredit setting in /etc/security/pwquality.conf*" id="oval:mil.disa.stig.rhel8:obj:19701" version="1">
|
||
|
+ <path operation="pattern match">^/etc/security/pwquality\.conf.*</path>
|
||
|
+ <filename operation="pattern match">^.*$</filename>
|
||
|
+ <pattern operation="pattern match">^\s*ucredit\s*=\s*(-?\d*)\s*(?:#.*)?$</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="all sysctl configuration files" id="oval:mil.disa.stig.rhel8:obj:19702" version="1">
|
||
|
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:19700</object_reference>
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:19701</object_reference>
|
||
|
+ </set>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:19800" version="2">
|
||
|
+ <path>/etc/security</path>
|
||
|
+ <filename operation="pattern match">^pwquality\.conf.*$</filename>
|
||
|
<pattern operation="pattern match">^\s*lcredit\s*=\s*(-?\d*)\s*(?:#.*)?$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:19801" version="1">
|
||
|
+ <path operation="pattern match">^/etc/security/pwquality\.conf.*$</path>
|
||
|
+ <filename operation="pattern match">.*</filename>
|
||
|
+ <pattern operation="pattern match">^\s*lcredit\s*=\s*(-?\d*)\s*(?:#.*)?$</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:19802" version="1">
|
||
|
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:19800</object_reference>
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:19801</object_reference>
|
||
|
+ </set>
|
||
|
+ </textfilecontent54_object>
|
||
|
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:19900" version="1">
|
||
|
<filepath>/etc/security/pwquality.conf</filepath>
|
||
|
<pattern operation="pattern match">^\s*dcredit\s*=\s*(-?\d*)\s*(?:#.*)?$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:20000" version="1">
|
||
|
- <filepath>/etc/security/pwquality.conf</filepath>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:20000" version="2">
|
||
|
+ <behaviors recurse_direction="down" />
|
||
|
+ <path>/etc/security</path>
|
||
|
+ <filename operation="pattern match">^pwquality\.conf.*</filename>
|
||
|
<pattern operation="pattern match">^\s*maxclassrepeat\s*=\s*(\d*)\s*(?:#.*)?$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:20100" version="1">
|
||
|
- <filepath>/etc/security/pwquality.conf</filepath>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="maxclassrepeat setting in /etc/security/pwquality.conf*" id="oval:mil.disa.stig.rhel8:obj:20001" version="1">
|
||
|
+ <path operation="pattern match">^/etc/security/pwquality\.conf.*</path>
|
||
|
+ <filename operation="pattern match">^.*$</filename>
|
||
|
+ <pattern operation="pattern match">^\s*maxclassrepeat\s*=\s*(-?\d*)\s*(?:#.*)?$</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="all pwquality configuration files" id="oval:mil.disa.stig.rhel8:obj:20002" version="1">
|
||
|
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:20000</object_reference>
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:20001</object_reference>
|
||
|
+ </set>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:20100" version="2">
|
||
|
+ <path>/etc/security</path>
|
||
|
+ <filename operation="pattern match">^pwquality\.conf.*$</filename>
|
||
|
<pattern operation="pattern match">^\s*maxrepeat\s*=\s*(\d*)\s*(?:#.*)?$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:20101" version="1">
|
||
|
+ <path operation="pattern match">^/etc/security/pwquality\.conf.*$</path>
|
||
|
+ <filename operation="pattern match">.*</filename>
|
||
|
+ <pattern operation="pattern match">^\s*maxrepeat\s*=\s*(\d*)\s*(?:#.*)?$</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:20102" version="1">
|
||
|
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:20100</object_reference>
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:20101</object_reference>
|
||
|
+ </set>
|
||
|
+ </textfilecontent54_object>
|
||
|
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:20200" version="1">
|
||
|
<filepath>/etc/security/pwquality.conf</filepath>
|
||
|
<pattern operation="pattern match">^\s*minclass\s*=\s*(\d*)\s*(?:#.*)?$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:20300" version="1">
|
||
|
- <filepath>/etc/security/pwquality.conf</filepath>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:20300" version="2">
|
||
|
+ <behaviors recurse_direction="down" />
|
||
|
+ <path>/etc/security</path>
|
||
|
+ <filename operation="pattern match">^pwquality\.conf.*</filename>
|
||
|
<pattern operation="pattern match">^\s*difok\s*=\s*(\d*)\s*(?:#.*)?$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="difok setting in /etc/security/pwquality.conf*" id="oval:mil.disa.stig.rhel8:obj:20301" version="1">
|
||
|
+ <path operation="pattern match">^/etc/security/pwquality\.conf.*</path>
|
||
|
+ <filename operation="pattern match">^.*$</filename>
|
||
|
+ <pattern operation="pattern match">^\s*difok\s*=\s*(-?\d*)\s*(?:#.*)?$</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="all pwquality configuration files" id="oval:mil.disa.stig.rhel8:obj:20302" version="1">
|
||
|
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:20300</object_reference>
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:20301</object_reference>
|
||
|
+ </set>
|
||
|
+ </textfilecontent54_object>
|
||
|
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:20400" version="4">
|
||
|
<filepath datatype="string">/etc/shadow</filepath>
|
||
|
<pattern operation="pattern match">^root:[^:]*:[^:]*:0*:</pattern>
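Review bot: The capture groups inside the new union pairs disagree: obj:20000 (maxclassrepeat) and obj:20300 (difok) keep `(\d*)` while their pwquality.conf.d counterparts obj:20001 and obj:20301 use `(-?\d*)`, so a negative value in a conf.d file yields an item for the state comparison while the same line in /etc/security/pwquality.conf produces no item at all; both halves of obj:20002 and obj:20302 should use the same group, and if negatives are meant to be caught by the state it should be `(-?\d*)` on both. The comment on obj:19702 reads "all sysctl configuration files" although it unions the two ucredit objects; it should read `comment="all pwquality configuration files"` like obj:20002 and obj:20302. The unchanged obj:19900 (dcredit) and obj:20200 (minclass) still read only /etc/security/pwquality.conf through `<filepath>`, so those two settings placed in pwquality.conf.d are not seen while every sibling setting now is. obj:19800 and obj:20100 also omit the `<behaviors recurse_direction="down" />` that obj:19700, obj:20000, obj:20300 and obj:21400 carry; the recursion is likely a no-op for files named pwquality.conf*, but the parallel objects should be written the same way.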
|
||
|
@@ -15959,11 +16045,24 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
<pattern operation="pattern match">^\s*password\s+(?:required|requisite)\s+pam_pwhistory\.so\s+[^#\n]*\bremember=(\d+)\b</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:20900" version="1">
|
||
|
- <filepath>/etc/security/pwquality.conf</filepath>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:20900" version="4">
|
||
|
+ <path operation="pattern match">^/etc/security/pwquality\.conf.*$</path>
|
||
|
+ <filename operation="pattern match">.*</filename>
|
||
|
<pattern operation="pattern match">^\s*minlen\s*=\s*(\d*)\s*(?:#.*)?$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:20901" version="1">
|
||
|
+ <path>/etc/security</path>
|
||
|
+ <filename operation="pattern match">^pwquality\.conf</filename>
|
||
|
+ <pattern operation="pattern match">^\s*minlen\s*=\s*(\d*)\s*(?:#.*)?$</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:20902" version="1">
|
||
|
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:20900</object_reference>
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:20901</object_reference>
|
||
|
+ </set>
|
||
|
+ </textfilecontent54_object>
|
||
|
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:21000" version="2">
|
||
|
<filepath>/etc/login.defs</filepath>
|
||
|
<pattern operation="pattern match">^\s*PASS_MIN_LEN\s+(\d+)\s*$</pattern>
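Review bot: obj:20900, obj:20901 and the union obj:20902 carry no comment attribute, while the analogous ucredit objects in the previous hunk are labelled `comment="ucredit setting in /etc/security/pwquality.conf*"`; adding `comment="minlen setting in /etc/security/pwquality.conf*"` to obj:20900/obj:20901 and `comment="all pwquality configuration files"` to obj:20902 keeps the file self-describing. The roles are also swapped relative to the other pairs: here the original id obj:20900 became the pwquality.conf.d path-pattern object and the new obj:20901 reads the main file, whereas obj:19700, obj:20000, obj:20300 and obj:21400 kept the main file under the original id. Either order works because the test (outside the hunk) references the union, but a consistent layout makes the jump from version="1" to version="4" easier to audit.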
|
||
|
@@ -15979,17 +16078,25 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
<pattern operation="pattern match">^\s*ocredit\s*=\s*(-?\d*)\s*(?:#.*)?$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:21400" version="1">
|
||
|
- <filepath>/etc/security/pwquality.conf</filepath>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:21400" version="3">
|
||
|
+ <behaviors recurse_direction="down" />
|
||
|
+ <path>/etc/security</path>
|
||
|
+ <filename operation="pattern match">^pwquality\.conf.*</filename>
|
||
|
<pattern operation="pattern match">^\s*dictcheck\s*=\s*(\d*)\s*(?:#.*)?$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:21401" version="2">
|
||
|
- <path>/etc/pwquality.conf.d/</path>
|
||
|
- <filename operation="pattern match">^.*\.conf$</filename>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:21401" version="3">
|
||
|
+ <path operation="pattern match">^/etc/security/pwquality\.conf.*</path>
|
||
|
+ <filename operation="pattern match">^.*$</filename>
|
||
|
<pattern operation="pattern match">^\s*dictcheck\s*=\s*(\d*)\s*(?:#.*)?$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="all pwquality configuration files" id="oval:mil.disa.stig.rhel8:obj:21402" version="1">
|
||
|
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:21400</object_reference>
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:21401</object_reference>
|
||
|
+ </set>
|
||
|
+ </textfilecontent54_object>
|
||
|
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:21500" version="2">
|
||
|
<filepath>/etc/login.defs</filepath>
|
||
|
<pattern operation="pattern match">^\s*FAIL_DELAY\s+(\d+)\s*$</pattern>
|
||
|
@@ -16795,6 +16902,12 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
<pattern operation="pattern match">^[ \t]*install[ \t]+bluetooth[ \t]+/bin/true[ \t]*$</pattern>
|
||
|
<instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:32601" version="1">
|
||
|
+ <path>/etc/modprobe.d</path>
|
||
|
+ <filename operation="pattern match">.*</filename>
|
||
|
+ <pattern operation="pattern match">^[ \t]*blacklist[ \t]+bluetooth[ \t]*$</pattern>
|
||
|
+ <instance datatype="int" operation="greater than or equal">1</instance>
|
||
|
+ </textfilecontent54_object>
|
||
|
<partition_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" id="oval:mil.disa.stig.rhel8:obj:32700" version="1">
|
||
|
<mount_point>/dev/shm</mount_point>
|
||
|
</partition_object>
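Review bot: obj:32601 matches every file in /etc/modprobe.d with `<filename operation="pattern match">.*</filename>`, but modprobe only reads files ending in .conf from that directory, so a `blacklist bluetooth` line that exists only in a file modprobe ignores (constructed example: `bluetooth.conf.rpmsave`) would satisfy tst:32601 without the module actually being blacklisted. Restricting the object to `<filename operation="pattern match">^.*\.conf$</filename>` aligns the check with what the tooling loads. The sibling obj:32600 holding the install line starts before this hunk, so whether it applies the same filename filter cannot be seen here.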
|
||
|
@@ -17240,17 +17353,25 @@ The sysctl --system command will load settings from all system configuration fil
|
||
|
<pattern operation="pattern match">^\s*Defaults\s+\!runaspw\s*$</pattern>
|
||
|
<instance datatype="int">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:41600" version="2">
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:41600" version="4">
|
||
|
+ <behaviors ignore_case="true" />
|
||
|
<filepath>/etc/sudoers</filepath>
|
||
|
- <pattern operation="pattern match">^\s*Defaults\s+timestamp_timeout\s*=\s*(\d+)\s*$</pattern>
|
||
|
+ <pattern operation="pattern match">^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$</pattern>
|
||
|
<instance datatype="int">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
- <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:41601" version="2">
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:41601" version="5">
|
||
|
+ <behaviors ignore_case="true" max_depth="-1" recurse_direction="down" />
|
||
|
<path>/etc/sudoers.d</path>
|
||
|
<filename operation="pattern match">^.*$</filename>
|
||
|
- <pattern operation="pattern match">^\s*Defaults\s+timestamp_timeout\s*=\s*(\d+)\s*$</pattern>
|
||
|
+ <pattern operation="pattern match">^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$</pattern>
|
||
|
<instance datatype="int">1</instance>
|
||
|
</textfilecontent54_object>
|
||
|
+ <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:41602" version="1">
|
||
|
+ <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:41600</object_reference>
|
||
|
+ <object_reference>oval:mil.disa.stig.rhel8:obj:41601</object_reference>
|
||
|
+ </set>
|
||
|
+ </textfilecontent54_object>
|
||
|
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:obj:46300" version="1">
|
||
|
<filepath>/etc/pam.d/system-auth</filepath>
|
||
|
<pattern operation="pattern match">\bnullok\b</pattern>
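Review bot: The timestamp_timeout pattern in obj:41600 and obj:41601 now captures negative values with `([-\d]+)`, and sudo treats a negative timestamp_timeout as credentials that do not expire until reboot; ste:41600 is outside the hunk, so if it only bounds the value from above a setting of -1 would now pass where before it produced no match. `(-?\d+)` is the tighter capture (the current character class also accepts strings such as `1-2`), and ste:41600 should reject negatives explicitly. obj:41601 additionally sets `max_depth="-1" recurse_direction="down"` on /etc/sudoers.d, while sudo's includedir does not descend into subdirectories, so files are scanned that sudo never parses; with tst:41600's check="all" this can only cause a spurious finding, but if the at_least_one_exists objects behind the other sudoers.d Defaults tests use the same behaviors, a match in a nested file would pass without being in effect.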
|
||
|
@@ -17791,12 +17912,24 @@ The sysctl --system command will load settings from all system configuration fil
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:36001" version="2">
<subexpression datatype="int">1</subexpression>
</textfilecontent54_state>
+ <sysctl_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:ste:36002" version="1">
+ <value datatype="int">2</value>
+ </sysctl_state>
+ <textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:36003" version="1">
+ <subexpression datatype="int">2</subexpression>
+ </textfilecontent54_state>
<sysctl_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:ste:36100" version="2">
<value datatype="int">0</value>
</sysctl_state>
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:36101" version="2">
<subexpression datatype="int">0</subexpression>
</textfilecontent54_state>
+ <sysctl_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:mil.disa.stig.rhel8:ste:36200" version="2">
+ <value datatype="int">2</value>
+ </sysctl_state>
+ <textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:36201" version="2">
+ <subexpression datatype="int">2</subexpression>
+ </textfilecontent54_state>
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.rhel8:ste:36400" version="2" comment="X11Forwarding = no">
<subexpression datatype="string" operation="pattern match">^(no|"no")$</subexpression>
</textfilecontent54_state>
@@ -17896,12 +18029,12 @@ The sysctl --system command will load settings from all system configuration fil
</variables>
</oval_definitions>
</component>
- <component id="scap_mil.disa.stig_comp_U_RHEL_8_V1R5_STIG_SCAP_1-2_Benchmark-cpe-oval.xml" timestamp="2022-03-28T12:45:13">
+ <component id="scap_mil.disa.stig_comp_U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-cpe-oval.xml" timestamp="2022-06-28T15:27:20">
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5">
<generator>
<oval:product_name>repotool</oval:product_name>
<oval:schema_version>5.10</oval:schema_version>
- <oval:timestamp>2022-03-28T12:45:12</oval:timestamp>
+ <oval:timestamp>2022-06-28T15:27:20</oval:timestamp>
</generator>
<definitions>
<definition class="inventory" id="oval:mil.disa.stig.rhel8:def:1" version="2">
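Review bot: The new component id on the `+` line still reads `U_RHEL_8_V1R6_STIG_SCAP_1-2_Benchmark-cpe-oval.xml`, with a 2022-06-28 generator timestamp, although the file is being renamed to v1r7 and the commit subject says V1R7. If DISA's V1R7 package genuinely ships a V1R6-stamped CPE-OVAL component this is expected, but since this is vendored upstream content it is worth confirming that the file was taken from the V1R7 download (for example against the checksum DISA publishes with it) before the rename lands, because the component id is one of the things downstream tooling uses to tell releases apart. The enclosing `<component>` element starts and ends outside the hunk.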
|
From b2b2dbba78bb1e182ddfe9e90bd8a8ae5cf33187 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 1 Aug 2022 14:49:09 +0200
Subject: [PATCH 3/3] Update RHEL8 STIG to V1R7
|
---
products/rhel8/profiles/stig.profile | 4 ++--
products/rhel8/profiles/stig_gui.profile | 4 ++--
tests/data/profile_stability/rhel8/stig.profile | 4 ++--
tests/data/profile_stability/rhel8/stig_gui.profile | 4 ++--
4 files changed, 8 insertions(+), 8 deletions(-)
|
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 7adbfee5559..4b480bd2c11 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -1,7 +1,7 @@
documentation_complete: true
|
metadata:
- version: V1R6
+ version: V1R7
SMEs:
- mab879
- ggbecker
@@ -12,7 +12,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8'
|
description: |-
This profile contains configuration checks that align to the
- DISA STIG for Red Hat Enterprise Linux 8 V1R6.
+ DISA STIG for Red Hat Enterprise Linux 8 V1R7.
|
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
configuration baseline as applicable to the operating system tier of
diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile
index 665bc1e059d..fa8bc724a5d 100644
--- a/products/rhel8/profiles/stig_gui.profile
+++ b/products/rhel8/profiles/stig_gui.profile
@@ -1,7 +1,7 @@
documentation_complete: true
|
metadata:
- version: V1R6
+ version: V1R7
SMEs:
- mab879
- ggbecker
@@ -12,7 +12,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8'
|
description: |-
This profile contains configuration checks that align to the
- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R6.
+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R7.
|
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
configuration baseline as applicable to the operating system tier of
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 2a16a82889a..4bee72830d0 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -1,7 +1,7 @@
title: DISA STIG for Red Hat Enterprise Linux 8
description: 'This profile contains configuration checks that align to the
|
- DISA STIG for Red Hat Enterprise Linux 8 V1R6.
+ DISA STIG for Red Hat Enterprise Linux 8 V1R7
|
|
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
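Review bot: The new description line in tests/data/profile_stability/rhel8/stig.profile drops the trailing period (`V1R7` replaces `V1R6.`), while the product profile in products/rhel8/profiles/stig.profile and the GUI stability file in the same patch both keep it (`... V1R7.`). If the profile-stability test compares the rendered description text, that one-character difference is enough to make it fail, and it also leaves the two files in this commit stating the same sentence differently. The line should read `DISA STIG for Red Hat Enterprise Linux 8 V1R7.` to match the other three files.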
@@ -23,7 +23,7 @@ description: 'This profile contains configuration checks that align to the
- Red Hat Containers with a Red Hat Enterprise Linux 8 image'
extends: null
metadata:
- version: V1R6
+ version: V1R7
SMEs:
- mab879
- ggbecker
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index e79776f8e90..ece32d06a6f 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -1,7 +1,7 @@
title: DISA STIG with GUI for Red Hat Enterprise Linux 8
description: 'This profile contains configuration checks that align to the
|
- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R6.
+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R7.
|
|
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
@@ -34,7 +34,7 @@ description: 'This profile contains configuration checks that align to the
standard DISA STIG for Red Hat Enterprise Linux 8 profile.'
extends: null
metadata:
- version: V1R6
+ version: V1R7
SMEs:
- mab879
- ggbecker